Recently, there have been several ransomware attacks that have targeted a range of sectors including law enforcement, government, healthcare, and finance. All were the victims of Pysa ransomware attacks. According to cybersecurity analysts, Pysa is a variant of the Mespinoza ransomware family and has been active since at least October 2019. This new version uses the .pysa file extension, giving the ransomware its name.

The malicious software exfiltrates sensitive information before encryption and uses the stolen data to force the victim to pay a ransom in exchange for the files.

Pysa (also known as Mespinoza) is a human-operated ransom tool created by an as yet unidentified advanced persistent threat group. As with other popular ransomware in 2020 such as Ryuk and Maze, Pysa focuses on high value financial and governmental targets, but has also been involved in attacks on healthcare and law enforcement organisations.
Source: Pysa Ransomware, NHS

How It Works: Tactics and Techniques

There are various ways in which Pysa is being distributed. One of them is by brute-force attacks on exposed Active Directory services or similar management interfaces, but it’s also delivered in spam or through phishing email campaigns.

Once it’s delivered, the ransomware will try to exfiltrate sensitive information (usernames, passwords, databases, internal business files) before proceeding to encrypt all accessible non-system files using AES. The Pysa ransomware will ensure a large variety of popular file types (.mp3, .mp4, .png, .jpg, .docx, .pptx, .xlsx, .rar) are encrypted.

The stolen data will eventually be used to extort affected parties into meeting the attackers’ ransom demands. Thus, victims cannot regain access to their files unless they decrypt them with a specific decryption tool or key. Organizations or individuals who do not give in to the hackers’ demands will have their information leaked on a website controlled by Pysa operators.

Initially, this version was being used to target large organizations in an attempt to make the most of the attackers’ skills, but alerts issued by the FBI, NHS, and CERTFR warn that, similar to Ryuk and Maze, Pysa ransomware is targeting local government agencies, educational institutions, private companies, and the healthcare sector.

Some brute-force attempts were observed on a central management console, as well as on some Active Directory accounts. Moreover, some domain administrator accounts were indeed compromised. A password database was exfiltrated shortly before the attack. Some illegitimate RDP connections occurred between domain controllers using an unknown hostname potentially linked to the intrusion set.
Source: Attacks Involving the Mespinoza/Pysa Ransomware, CERTFR

Once the targeted network is compromised, attackers attempt to exfiltrate its accounts and passwords database. Operators also employed versions of the PowerShell Empire, Koadic, and Mimikatz testing tools to stop antivirus products.
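The two precursors described above (brute-force attempts against domain accounts followed by a successful logon, and RDP sessions to a domain controller from an unknown hostname) can be spotted in Windows logon events. The following Python detector is an added example, not code from the original post or from any of the cited agencies; the event records are constructed sample data in a simplified tuple form, and the allowlist of admin hosts and the list of domain controllers are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in simplified form (not real logs):
# (timestamp, event_id, account, source_host, target_host, logon_type)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP)
SAMPLE_EVENTS = [
    ("2020-11-02T03:00:01", 4625, "admin", "10.0.5.77", "DC01", 3),
    ("2020-11-02T03:00:04", 4625, "admin", "10.0.5.77", "DC01", 3),
    ("2020-11-02T03:00:07", 4625, "admin", "10.0.5.77", "DC01", 3),
    ("2020-11-02T03:00:09", 4625, "admin", "10.0.5.77", "DC01", 3),
    ("2020-11-02T03:00:12", 4625, "admin", "10.0.5.77", "DC01", 3),
    ("2020-11-02T03:00:15", 4624, "admin", "10.0.5.77", "DC01", 3),   # guess succeeded
    ("2020-11-02T08:15:00", 4625, "jdoe", "WS-042", "DC01", 2),       # single mistyped password
    ("2020-11-02T09:30:00", 4624, "admin", "ADMIN-WS01", "DC02", 10), # RDP from allowlisted host
    ("2020-11-02T23:41:10", 4624, "admin", "WIN-7AB3", "DC02", 10),   # RDP from unknown hostname
]
KNOWN_ADMIN_HOSTS = {"ADMIN-WS01"}   # assumed allowlist of hosts permitted to RDP into DCs
DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumed DC names

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {(source, account): info} for sources reaching `threshold` failed
    logons (4625) inside a sliding `window`; a later 4624 from the same source
    and account flags the guess as successful."""
    recent = defaultdict(deque)   # (source, account) -> timestamps of recent failures
    hits = {}
    for ts, eid, account, src, _dst, _lt in events:
        t = datetime.fromisoformat(ts)
        key = (src, account)
        if eid == 4625:
            q = recent[key]
            q.append(t)
            while q and t - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                hits[key] = {"failures": len(q), "success_after": False}
        elif eid == 4624 and key in hits:
            hits[key]["success_after"] = True
    return hits

def detect_unknown_rdp(events):
    """Return (source, target, account) for RDP logons (type 10) to a domain
    controller from a host that is not on the allowlist."""
    return [(src, dst, acct) for _ts, eid, acct, src, dst, lt in events
            if eid == 4624 and lt == 10 and dst in DOMAIN_CONTROLLERS
            and src not in KNOWN_ADMIN_HOSTS]
```

In production the same logic would read Security log events 4624/4625 from a SIEM, and a hit on both detectors within a short time is a strong signal to isolate the source host and reset the affected accounts.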


How to Prevent and Detect Pysa Ransomware

If a device on your network becomes infected with Pysa ransomware it will begin encrypting files, which may also include remote files on network shares. To prevent such a ransomware infection, I strongly advise you to:

#1. Provide proper training to all employees

It’s important to raise awareness and help your staff recognise a phishing email, stressing that they should not open any attachments or web links within a suspected phishing email. In general, these emails are sent from unknown, suspicious addresses. Hackers usually mark their emails as “important” or “official”, lulling the victim into a false sense of security.

#2. Keep your software up to date

You should always use the functions and tools provided by official software developers, like automatic updates. Any software or files should only be downloaded from official and trustworthy sources, and through direct links. Never download updates using unofficial activation methods/tools as they can infect the systems in the activation process.

#3. Scan your operating system regularly

Your OS is the most important piece of software on a machine, as its vulnerabilities affect everything running on it. Therefore, scanning and updating your OS is essential. You should do so by using a trustworthy antivirus or anti-spyware suite, remembering to keep it up to date as well. What’s more, an operating system is a very complex program and, because of this, it often has flaws that can turn into security threats. Updating your OS can help block these threats easily.

Additionally, for extra protection, you can:

  • Make sure secure configurations are applied to all devices.
  • Enable tamper protection settings in security products.
  • Use multi-factor authentication (MFA) and lockout policies, especially for administrative accounts.
  • Use administrative accounts only for necessary purposes.
  • Use remote administration services with strongly encrypted protocols that only accept connections from authorized users or locations.
  • Constantly monitor your systems for suspicious activity, so that a compromise of the network can be detected as early as possible.

Wrapping It Up…

Unfortunately, no flaws have been found so far in Pysa ransomware’s implementation of its encryption algorithms, so files cannot be recovered without the attackers’ key. Pysa ransomware victims have been advised to report these incidents to their local FBI field office or the FBI’s Internet Crime Complaint Center (IC3).

To keep track of your privileged accounts and easily manage admin rights requests, I recommend you use a Privileged Access Management tool. Heimdal™’s PAM solution not only lets you efficiently manage user rights but also allows users to safely install software themselves while providing logs and audit trails for data protection and compliance. What’s more, it is the only tool on the market that de-escalates users’ rights upon threat discovery (when used in tandem with our Threat Prevention or Endpoint Protection modules).
