Heimdal
Home > Cybersecurity Basics

Pysa Ransomware: Overview, Operation Mode, Prevention

Last updated on June 7, 2022

article featured image

Contents:

At the very least, the Pysa ransomware was first deployed in October 2018. The initial versions of the ransomware created encrypted files with the “.locked” extension, which is common among ransomware. A new version of Pysa has been detailed in open sources since December 2019. Pysa is the name given to this version since it creates encrypted files with the “.pysa” extension.

What is Pysa Ransomware?

PYSA is a form of ransomware that is increasingly being employed in “big game” assaults, in which attackers select their targets based on their projected ability to pay. PYSA is an acronym for “Protect Your System Amigo,” which is included in the ransom note left for the victim. According to cybersecurity analysts, Pysa is a variant of the Mespinoza ransomware family and has been active since at least October 2019.

The malicious software exfiltrates sensitive information before encryption and uses the stolen data to force the victim to pay a ransom in exchange for the files.

Pysa (also known as Mespinoza) is a human-operated ransom tool created by an as yet unidentified advanced persistent threat group. As with other popular ransomware in 2020 such as Ryuk and Maze; Pysa focuses on high value financial and governmental targets, but has also been involved in attacks on healthcare and law enforcement organisations.Pysa Ransomware, NHS

Pysa Ransomware Operation Mode

Pysa ransomware encrypts files and then leaves a Readme.README file on the user’s desktop and in numerous other Windows places. The attackers explain what happened to the victims’ PCs in the brief note, and that they must contact them by sending an email to certain email addresses.

pysa ransomware note

Pysa Ransomware Ransom Note

Once it’s delivered, the ransomware will try to exfiltrate sensitive information (usernames, passwords, databases, internal business files) before proceeding to encrypt all accessible non-system files via AES implementations. The Pysa ransomware will ensure a large variety of popular file types (.mp3, .mp4. .png, .jpg, .docx, .pptx, .xlsx, .rar) are encrypted.

The stolen data will eventually be used to extort affected parties into meeting the attackers’ ransom demands. Thus, victims cannot regain access to their files unless they decrypt them with a specific decryption tool or key. Organizations or individuals who do not give in to the hackers’ demands will have their information leaked on a website controlled by Pysa operators.

Initially, this version was being used to target large organizations in an attempt to maximize the attackers’ skills, but alerts issued by the FBI, NHS, and CERTFR, warn that, similar to Ryuk and Maze, Pysa ransomware is targeting local government agencies, educational institutions, private companies, and the healthcare sector.

In a twofold extortion attempt, PYSA ransomware threat actors are now utilizing a RAT known as “ChaChi” to target educational institutions. While RATs are commonly used in ransomware operations, the combination of PYSA and ChaChi is concerning.

Created in 2019, the ChaChi RAT has since been enhanced to incorporate features such as port forwarding, DNS tunneling, and obfuscation. Using DNS and HTTP protocols, ChaChi delivers command-and-control (C2) capabilities to PYSA threat actors.

When PYSA acquires access to a victim’s network, it uses tools like Advanced Port Scanner and Advanced IP Scanner to do reconnaissance. Once the targeted network is compromised, attackers attempt to exfiltrate its accounts and passwords database. Operators also employed versions of PowerShell Empire, Koadic, and Mimikatz testing tools, to stop antivirus products. Before encrypting all Windows and Linux devices, the attackers utilize these tools to move laterally around the system, escalate privileges, and exfiltrate sensitive data.

Pysa Ransomware Distribution

Pysa has a strategy known as “big game hunting,” in which the ransomware gang focuses on high-value assets in companies that are most vulnerable to data loss or system failure. The theory is that victims, such as healthcare providers, government agencies, and MSPs, will be more likely to pay the ransom fast, regardless of the cost.

As opposed to more automated threats like WannaCry or Petya, Pysa is a human-operated ransomware. It’s usually spread through brute-force attacks on servers that have RDP or AD open to the Internet, but it’s also delivered in spam or through phishing email campaigns. The credentials database of the organization is then stolen by the threat actors. Antivirus solutions are attempted to be stopped — or even uninstalled — using PowerShell and Batch scripts. The Pysa ransomware has been documented to target 46 organizations, with victims in France, Australia, and the United States.

Some brute-force attempts were observed on a central management console, as well as on some ACTIVE DIRECTORY accounts. Moreover, some domain administrator accounts were indeed compromised. A password database has been exfiltrated shortly before the attack. Some illegitimate RDP connections occurred between domain controllers using an unknown hostname potentially linked to the intrusion set.Attacks Involving the Mespinoza/Pyza Ransomware, CERTFR
Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.

How to Stay Safe from Pysa Ransomware

If a device on your network becomes infected with Pysa ransomware it will begin encrypting files, which may also include remote files on network locations. The latest Pysa ransomware strains do not have decryption tools available; therefore, in this case, prevention beats the cure. For online safety, I strongly advise you to follow the anti-ransomware security measures listed below.

#1. Provide proper training to all employees

It’s important to raise awareness and help your staff detect a phishing email, strengthening they should not open any attachments or web links within an alleged phishing email. In general, these emails are sent from unknown, suspicious addresses. Hackers usually mark their emails as “important” or “official” leading the victim into a false sense of security.

#2. Keep your software up to date

You should always use the functions and tools provided by official software developers, like automatic updates. Any software or files should only be downloaded from official and trustworthy sources, and through direct links. Never download updates using unofficial activation methods/tools as they can infect the systems in the activation process.

#3. Scan your operating system regularly

Your OS is the most important part of the software as its vulnerabilities affect the entire machine. Therefore, scanning and updating your OS is essential. You should do so by using a trustworthy antivirus or anti-spyware suite remembering to it up to date as well. What’s more, an operating system is a very complex program and due to this, it often has flaws that can turn into security threats. Updating your OS can help block these threats easily.

Additionally, for extra protection, you can:

  • Make sure secure configurations are applied to all devices.
  • Enable tamper protection settings in security products.
  • Use multi-factor authentication (MFA) and lockout policies, especially for administrative accounts.
  • Use administrative accounts only for necessary purposes.
  • Use remote administration services with strongly encrypted protocols that only accept connections from authorized users or locations.
  • Constantly monitor your systems for suspicious activity, so that a compromise of the network can be detected as early as possible.

Unfortunately, Pysa hasn’t got any security flaws in the implementation of the encryption algorithms so far. Pysa ransomware victims have been advised to report these incidents to their local FBI field office or the FBI’s Internet Crime Complaint Center (IC3).

How Can Heimdal™ Help

To keep track of your privileged accounts and easily manage admin rights requests, I recommend you use a Privileged Access Management tool. Heimdal™’s PAM solution not only lets you efficiently manage user rights but also allows users to safely install software themselves while providing logs and audit trails for data protection and compliance. What’s more, it is the only tool on the market that de-escalates users’ rights upon threat discovery (when used in tandem with our Threat Prevention or Endpoint Antivirus modules).

Staying secure from ransomware is easier with the correct knowledge and habits, as well as a trustworthy portfolio of solutions. As always, Heimdal Security is available to assist you with the latter. You can always contact us at sales.inquiries@heimdalsecurity.com or book a demo if you have any questions regarding which of our company’s products are most suited for your needs.

Author Profile

Cezarina Dinu

Head of Marketing Communications & PR

linkedin icon

Cezarina is the Head of Marketing Communications and PR within Heimdal® and a cybersecurity enthusiast who loves bringing her background in content marketing, UX, and data analysis together into one job. She has a fondness for all things SEO and is always open to receiving suggestions, comments, or questions.

Related Articles

200+ Ransomware Decryption Tools to Help You Decrypt Your Files.Ransomware Explained. What It Is and How It WorksEight K-12 Schools Targeted by Pysa Ransomware

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2025 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V