Recently, there have been several ransomware attacks that have targeted a range of sectors including law enforcement, government, healthcare, and finance. All were the victims of Pysa ransomware attacks. According to cybersecurity analysts, Pysa is a variant of the Mespinoza ransomware family and has been active since at least October 2019. This new version uses the .pysa file extension, giving the ransomware its name.

The malicious software exfiltrates sensitive information before encryption and uses the stolen data to force the victim to pay a ransom in exchange for the files.

Pysa (also known as Mespinoza) is a human-operated ransom tool created by an as yet unidentified advanced persistent threat group. As with other popular ransomware in 2020 such as Ryuk and Maze, Pysa focuses on high value financial and governmental targets, but has also been involved in attacks on healthcare and law enforcement organisations.

Source: Pysa Ransomware, NHS

Pysa Ransomware Operation Mode

There are various ways in which Pysa is being distributed. One of them is by brute-force attacks on exposed Active Directory services or similar management interfaces, but it’s also delivered in spam or through phishing email campaigns.

Once it’s delivered, the ransomware will try to exfiltrate sensitive information (usernames, passwords, databases, internal business files) before proceeding to encrypt all accessible non-system files using AES. The Pysa ransomware will ensure that a large variety of popular file types (.mp3, .mp4, .png, .jpg, .docx, .pptx, .xlsx, .rar) are encrypted.
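The encryption phase described above leaves a very visible trace: one process renaming file after file to the .pysa extension, on local disks and on network shares alike. The following detector is an added example, not code from the original post or from any Heimdal product; the event format, the threshold, the sliding window and the sample events are all constructed assumptions, but the approach (per-process burst counting over file-system events) applies to whatever endpoint or file-server telemetry you actually collect.

```python
"""Added example (not from the original post): flag a process that renames
many files to the .pysa extension within a short window. The event format,
threshold and sample events below are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXTENSION = ".pysa"

# Constructed sample file-system events: "timestamp|host|process|action|path".
# HOST1 shows the burst pattern of an encryptor (local and UNC paths);
# HOST2 is a single user rename that must not raise an alert.
SAMPLE_EVENTS = [
    "2021-03-01T02:14:00|HOST1|svc_update.exe|RENAME|C:\\Users\\a\\report.docx.pysa",
    "2021-03-01T02:14:03|HOST1|svc_update.exe|RENAME|C:\\Users\\a\\budget.xlsx.pysa",
    "2021-03-01T02:14:05|HOST1|svc_update.exe|RENAME|\\\\FS01\\share\\deck.pptx.pysa",
    "2021-03-01T02:14:06|HOST1|svc_update.exe|READ|C:\\Windows\\System32\\kernel32.dll",
    "2021-03-01T02:14:08|HOST1|svc_update.exe|RENAME|\\\\FS01\\share\\photo.jpg.pysa",
    "2021-03-01T02:14:11|HOST1|svc_update.exe|RENAME|C:\\Users\\a\\music.mp3.pysa",
    "2021-03-01T02:14:15|HOST1|svc_update.exe|RENAME|C:\\Users\\a\\backup.rar.pysa",
    "2021-03-01T09:30:00|HOST2|explorer.exe|RENAME|C:\\Users\\b\\notes.txt.pysa",
]


def parse_event(line):
    """Split one pipe-separated event into its typed fields."""
    ts, host, process, action, path = line.split("|", 4)
    return datetime.fromisoformat(ts), host, process, action, path


def detect_encryption_bursts(lines, threshold=5, window_seconds=60):
    """Return one alert per (host, process) that renamed at least `threshold`
    files to the ransom extension inside a sliding window of `window_seconds`.
    The alert also reports how many of those renames hit UNC (network) paths,
    since Pysa encrypts reachable shares as well as local files."""
    recent = defaultdict(deque)      # (host, process) -> rename timestamps in window
    network_renames = defaultdict(int)
    alerted = set()
    alerts = []
    for line in lines:
        ts, host, process, action, path = parse_event(line)
        if action != "RENAME" or not path.lower().endswith(RANSOM_EXTENSION):
            continue
        key = (host, process)
        window = recent[key]
        window.append(ts)
        if path.startswith("\\\\"):
            network_renames[key] += 1
        # Drop timestamps that have fallen out of the sliding window.
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold and key not in alerted:
            alerted.add(key)          # fire once per offending process
            alerts.append({
                "host": host,
                "process": process,
                "renames_in_window": len(window),
                "network_share_renames": network_renames[key],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS):
        print(alert)
```

Tune the threshold and window to your environment: five renames in a minute is generous for an encryptor, which typically touches hundreds of files per second, but tight enough that a user renaming a handful of files by hand never trips it.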

The stolen data will eventually be used to extort affected parties into meeting the attackers’ ransom demands. Victims cannot regain access to their files unless they decrypt them with the attackers’ specific decryption tool or key. Organizations or individuals who do not give in to the hackers’ demands will have their information leaked on a website controlled by the Pysa operators.

Initially, this version was being used to target large organizations in an attempt to maximize the attackers’ leverage, but alerts issued by the FBI, NHS, and CERTFR warn that, similar to Ryuk and Maze, Pysa ransomware is targeting local government agencies, educational institutions, private companies, and the healthcare sector.

Some brute-force attempts were observed on a central management console, as well as on some Active Directory accounts. Moreover, some domain administrator accounts were indeed compromised. A password database was exfiltrated shortly before the attack. Some illegitimate RDP connections occurred between domain controllers using an unknown hostname potentially linked to the intrusion set.

Source: Attacks Involving the Mespinoza/Pysa Ransomware, CERTFR

Once the targeted network is compromised, the attackers attempt to exfiltrate its accounts and passwords database. The operators have also employed versions of the post-exploitation tools PowerShell Empire, Koadic, and Mimikatz, among other things to stop antivirus products.

How to Prevent Pysa Ransomware

If a device on your network becomes infected with Pysa ransomware it will begin encrypting files, which may also include remote files on network locations. To prevent such ransomware infections, I strongly advise you to:

#1. Provide proper training to all employees

It’s important to raise awareness and help your staff detect a phishing email, stressing that they should not open any attachments or web links within a suspected phishing email. In general, these emails are sent from unknown, suspicious addresses. Hackers usually mark their emails as “important” or “official”, lulling the victim into a false sense of security.

#2. Keep your software up to date

You should always use the functions and tools provided by official software developers, like automatic updates. Any software or files should only be downloaded from official and trustworthy sources, and through direct links. Never download updates using unofficial activation methods/tools as they can infect the systems in the activation process.

#3. Scan your operating system regularly

Your OS is the most important part of your software stack, as its vulnerabilities affect the entire machine. Therefore, scanning and updating your OS is essential. You should do so by using a trustworthy antivirus or anti-spyware suite, remembering to keep it up to date as well. What’s more, an operating system is a very complex program and, because of this, it often has flaws that can turn into security threats. Updating your OS promptly helps block these threats.

Additionally, for extra protection, you can:

  • Make sure secure configurations are applied to all devices.
  • Enable tamper protection settings in security products.
  • Use multi-factor authentication (MFA) and lockout policies, especially for administrative accounts.
  • Use administrative accounts only for necessary purposes.
  • Use remote administration services with strongly encrypted protocols that only accept connections from authorized users or locations.
  • Constantly monitor your systems for suspicious activity, so that a compromise of the network can be detected as early as possible.
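Two of the items above (lockout policies on administrative accounts and constant monitoring) come together in the pattern CERTFR describes for Pysa intrusions: a burst of failed logons against an Active Directory account, followed by a successful logon from the same source. The detector below is an added example, not code from the original post or from any Heimdal product; the log line format, the thresholds and the sample log are constructed assumptions, loosely modelled on Windows logon events (4625 = failed logon, 4624 = successful logon).

```python
"""Added example (not from the original post): spot password-guessing bursts
against an account and a success that follows one. The log format, thresholds
and sample lines are constructed assumptions, loosely modelled on Windows logon
events (4625 = failed logon, 4624 = successful logon)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def _line(ts, eid, user, src):
    """Build one constructed log line in the assumed format."""
    return f"{ts} EventID={eid} user={user} src={src}"


# Constructed sample log: twelve failures against a domain admin account from
# one source in under a minute, then a success from the same source (the
# compromise pattern), plus three spread-out typos by a normal user that must
# not raise an alert.
SAMPLE_LOG = (
    [_line(f"2021-03-01T03:00:{5 * i:02d}", 4625, "CORP\\da_admin", "10.0.0.5")
     for i in range(12)]
    + [_line("2021-03-01T03:01:10", 4624, "CORP\\da_admin", "10.0.0.5")]
    + [_line(f"2021-03-01T08:1{i}:00", 4625, "CORP\\jdoe", "10.0.0.7")
       for i in range(3)]
)


def parse_line(line):
    """Parse one log line into (timestamp, event id, user, source address)."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparsable line: {line!r}")
    return datetime.fromisoformat(m["ts"]), int(m["eid"]), m["user"], m["src"]


def detect_password_guessing(lines, failure_threshold=10, window_minutes=5):
    """Return alerts in log order.

    'brute_force': one source reached `failure_threshold` failed logons for
    one account inside a sliding window of `window_minutes`.
    'success_after_brute_force': a logon succeeded while such a burst was
    still inside the window, i.e. the guessing probably worked.
    """
    failures = defaultdict(deque)   # (user, src) -> failed-logon timestamps in window
    alerts = []
    for line in lines:
        ts, eid, user, src = parse_line(line)
        key = (user, src)
        window = failures[key]
        # Expire failures older than the window before looking at this event.
        while window and ts - window[0] > timedelta(minutes=window_minutes):
            window.popleft()
        if eid == 4625:
            window.append(ts)
            if len(window) == failure_threshold:      # fire once per burst
                alerts.append({"type": "brute_force", "user": user,
                               "src": src, "failures": len(window)})
        elif eid == 4624 and len(window) >= failure_threshold:
            alerts.append({"type": "success_after_brute_force", "user": user,
                           "src": src, "failures": len(window)})
            window.clear()                            # burst handled
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```

A lockout policy set below the failure threshold used here would stop the admin account from being guessed at all; the detector still earns its keep against sources that rotate accounts or pace their attempts under the lockout limit, which is why the window is tracked per (account, source) pair rather than per account alone.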

Wrapping It Up…

Unfortunately, no exploitable flaw has been found so far in Pysa ransomware’s implementation of its encryption algorithms. Pysa ransomware victims have been advised to report these incidents to their local FBI field office or the FBI’s Internet Crime Complaint Center (IC3).

To keep track of your privileged accounts and easily manage admin rights requests, I recommend you use a Privileged Access Management tool. Heimdal™’s PAM solution not only lets you efficiently manage user rights but also allows users to safely install software themselves while providing logs and audit trails for data protection and compliance. What’s more, it is the only tool on the market that de-escalates users’ rights upon threat discovery (when used in tandem with our Threat Prevention or Endpoint Antivirus modules).

Staying secure from ransomware is easier with the correct knowledge and habits, as well as a trustworthy portfolio of solutions. As always, Heimdal Security is available to assist you with the latter. You can always contact us at sales.inquiries@heimdalsecurity.com or book a demo if you have any questions regarding which of our company’s products are most suited for your needs.
