What Is Pysa Ransomware?
How It Works: Tactics and Techniques. How to Prevent and Detect Pysa Ransomware.
Recently, there have been several ransomware attacks that have targeted a range of sectors including law enforcement, government, healthcare, and finance. All were the victims of Pysa ransomware attacks. According to cybersecurity analysts, Pysa is a variant of the Mespinoza ransomware family and has been active since at least October 2019. This new version uses the .pysa file extension, giving the ransomware its name.
The malicious software exfiltrates sensitive information before encryption and uses the stolen data to force the victim to pay a ransom in exchange for the files.
How It Works: Tactics and Techniques
There are various ways in which Pysa is being distributed. One of them is by brute-force attacks on exposed Active Directory services or similar management interfaces, but it’s also delivered in spam or through phishing email campaigns.
Once it’s delivered, the ransomware will try to exfiltrate sensitive information (usernames, passwords, databases, internal business files) before proceeding to encrypt all accessible non-system files via AES implementations. The Pysa ransomware will ensure a large variety of popular file types (.mp3, .mp4. .png, .jpg, .docx, .pptx, .xlsx, .rar) are encrypted.
The stolen data will eventually be used to extort affected parties into meeting the attackers’ ransom demands. Thus, victims cannot regain access to their files unless they decrypt them with a specific decryption tool or key. Organizations or individuals who do not give in to the hackers’ demands will have their information leaked on a website controlled by Pysa operators.
— GrujaRS (@GrujaRS) January 5, 2021
Initially, this version was being used to target large organizations in an attempt to maximize the attackers’ skills, but alerts issued by the FBI, NHS, and CERTFR, warn that, similar to Ryuk and Maze, Pysa ransomware is targeting local government agencies, educational institutions, private companies, and the healthcare sector.
Once the targeted network is compromised, attackers attempt to exfiltrate its accounts and passwords database. Operators also employed versions of PowerShell Empire, Koadic, and Mimikatz testing tools, to stop antivirus products.
Heimdal™ Threat Prevention - Endpoint
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
How to Prevent and Detect Pysa Ransomware
If a device on your network becomes infected with Pysa ransomware it will begin encrypting files, which may also include remote files on network locations. To prevent such ransomware infection, I strongly advise you to:
#1. Provide proper training to all employees
It’s important to raise awareness and help your staff detect a phishing email, strengthening they should not open any attachments or web links within an alleged phishing email. In general, these emails are sent from unknown, suspicious addresses. Hackers usually mark their emails as “important” or “official” leading the victim into a false sense of security.
#2. Keep your software up to date
You should always use the functions and tools provided by official software developers, like automatic updates. Any software or files should only be downloaded from official and trustworthy sources, and through direct links. Never download updates using unofficial activation methods/tools as they can infect the systems in the activation process.
#3. Scan your operating system regularly
Your OS is the most important part of the software as its vulnerabilities affect the entire machine. Therefore, scanning and updating your OS is essential. You should do so by using a trustworthy antivirus or anti-spyware suite remembering to it up to date as well. What’s more, an operating system is a very complex program and due to this, it often has flaws which can turn into security threats. Updating your OS can help block these threats easily.
Additionally, for extra protection, you can:
- Make sure secure configurations are applied to all devices.
- Enable tamper protection settings in security products.
- Use multi-factor authentication (MFA) and lockout policies, especially for administrative accounts.
- Use administrative accounts only for necessary purposes.
- Use remote administration services with strongly encrypted protocols that only accept connections from authorized users or locations.
- Constantly monitor your systems for suspicious activity, so that a compromise of the network can be detected as early as possible.
Wrapping It Up…
Unfortunately, Pysa ransomware hasn’t got any security flaws in the implementation of the encryption algorithms so far. Pysa ransomware victims have been advised to report these incidents to their local FBI field office or the FBI’s Internet Crime Complaint Center (IC3).
To keep track of your privileged accounts and easily manage admin rights requests, I recommend you use a Privileged Access Management tool. Heimdal™’s PAM solution not only lets you efficiently manage user rights but also allows users to safely install software themselves while providing logs and audit trails for data protection and compliance. What’s more, it is the only tool on the market that de-escalates users’ rights upon threat discovery (when used in tandem with our Threat Prevention or Endpoint Protection modules).