PYSA Ransomware: Analysis, Detection, and Recovery

The digital landscape is fraught with perils, and among the most notorious is PYSA ransomware. Emerging in early 2020, PYSA, which stands for “Protect Your Systems Amigo,” has rapidly evolved into a significant threat to various sectors, including healthcare, education, government, and financial institutions.

What is PYSA Ransomware?

PYSA ransomware, also known as Mespinoza, is a malicious software designed to encrypt files on a victim’s computer, rendering them inaccessible. The attackers then demand a ransom in exchange for the decryption key. But PYSA doesn’t just stop there; it employs a double-extortion tactic, threatening to leak or sell the stolen data if the ransom isn’t paid, putting additional pressure on victims to comply with the demands.

How PYSA Ransomware Works

PYSA ransomware’s methodology is both sophisticated and destructive. The attackers typically gain initial access through compromised Remote Desktop Protocol (RDP) credentials, phishing emails, or brute force attacks. Once inside the network, they use a suite of tools for internal reconnaissance, such as Advanced Port Scanner and Advanced IP Scanner, and deploy WinSCP for data exfiltration to services like MEGA.NZ before encrypting the systems.

The technical details of PYSA’s encryption process are particularly alarming. It utilizes a unique KEY and IV value for each file, encrypting data in 100-byte blocks using the AES CBC Mode algorithm. The encrypted KEY and IV values are then secured with an RSA public key, ensuring that only the attackers can provide the means for decryption.

Target Demographics and Notable Attacks

PYSA ransomware has cast a wide net over its targets, with a notable focus on sectors that handle sensitive information. Educational institutions in the US and UK have been particularly hard-hit, prompting the FBI to issue specific alerts about PYSA’s increased activity. One such alert from the Cybersecurity & Infrastructure Security Agency (CISA) highlighted the threat to K-12 schools, universities, and seminaries.

Notable attacks attributed to PYSA include the disruption of financial services provider MyBudget in Australia, several American school districts, and London’s Hackney Council. These incidents underscore the ransomware’s capacity for causing widespread disruption and the importance of robust cybersecurity measures.

Distribution Techniques and Tools

The distribution of PYSA ransomware is multifaceted, often leveraging phishing campaigns and exploiting RDP servers. The attackers are known to use frameworks like Cobalt Strike to spread the ransomware within a network. Additionally, they utilize a variety of tools to facilitate their attacks, including Mimikatz for credential theft, Koadic and PowerShell for executing commands, and Chisel for tunneling.

Ransom Demands and Communication

Victims of PYSA ransomware are instructed to contact the attackers via email for payment instructions. The ransom is typically demanded in cryptocurrencies, which provide the attackers with a degree of anonymity and make the transactions difficult to trace. This use of digital currencies in ransomware attacks has contributed to a negative public perception, associating them with illicit activities.

Detection and Mitigation Strategies

Detecting PYSA ransomware involves monitoring network traffic for signs of compromise and deploying anti-malware tools. Mitigating the threat requires a proactive approach, including regular security audits and employee cybersecurity training. Advanced solutions like the SentinelOne Singularity XDR Platform can detect and stop PYSA-related activities, offering features like Repair or Rollback to restore systems to a pre-infection state.

Recovery and Prevention

Recovering from a PYSA attack without specialized software like SentinelOne’s platform involves a combination of education, strong password policies, multi-factor authentication, and regular updates and patches to systems. Establishing a comprehensive backup and disaster recovery plan is crucial for minimizing the impact of an attack.

Relation to Cryptocurrencies

The demand for ransom payments in cryptocurrency is a hallmark of PYSA ransomware operations. Cryptocurrencies offer attackers the anonymity they crave, making it challenging for law enforcement to track and recover the funds. This aspect of ransomware attacks has inadvertently tarnished the reputation of cryptocurrencies, linking them in the public eye with criminal activities despite their legitimate uses.

External Resources and Further Reading

For those looking to deepen their understanding of PYSA ransomware and enhance their cybersecurity posture, a wealth of resources is available. The Cybereason blog provides a detailed threat analysis report on PYSA, while the ConnectWise blog offers insights into how to protect against it. Additionally, CISA’s Stop Ransomware page is an excellent starting point for resources and reporting tools.


A. Indicators of Compromise (IOCs) for PYSA Ransomware

To aid in the detection and prevention of PYSA ransomware, here is a list of IOCs:

  • Executable SHA-256 hash: 7FD3000A3AFBF077589C300F90B59864EC1FB716FEBA8E288ED87291C8FDF7C3
  • Ransom note filenames: Readme.README
  • Temporary files: %TEMP%\update.bat
  • Mutex objects: Pysa
  • Email domains used for communication:,
  • Registry keys associated with the ransom note.

B. YARA-Based Detection for PYSA

Security professionals can use the following YARA rule to detect PYSA ransomware on their systems:

rule PYSA_Ransomware {
        description = "Detects PYSA Ransomware"
        author = "Your Name"
        reference = "Add reference here"
        $pysa_file_extension = ".pysa" ascii wide
        $pysa_ransom_note = "Readme.README" ascii wide
        $pysa_email = /contact\@protonmail\.com/ ascii wide
        any of them

C. Contact Information for Reporting Ransomware Incidents

If you suspect a PYSA ransomware incident, contact the appropriate authorities immediately. The CISA report ransomware page provides guidance on reporting, and the FBI’s Internet Crime Complaint Center (IC3) is another valuable resource for reporting cyber incidents.


PYSA ransomware represents a sophisticated and evolving threat that requires vigilance and proactive measures to combat. Understanding its mechanisms, staying informed through resources, and employing robust cybersecurity practices are essential steps in protecting against this and other ransomware variants.

By leveraging the information and strategies outlined in this article, organizations and individuals can fortify their defenses against the PYSA ransomware threat. Remember, cybersecurity is a continuous process, and staying ahead of threats like PYSA is critical in our interconnected digital world.


To ensure clarity, here’s a brief glossary of terms used throughout the article:

  • RDP (Remote Desktop Protocol): A proprietary protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection.
  • Phishing: A cybercrime in which targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data.
  • Double-Extortion: A ransomware tactic where attackers not only encrypt data but also threaten to publish it if the ransom is not paid.
  • Cobalt Strike: A legitimate security tool often used by attackers to gain a foothold on networks and deliver payloads like ransomware.