Pysa is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.[1]

ID: S0583
Associated Software: Mespinoza
Platforms: Windows
Contributors: Daniyal Naeem, BT Security
Version: 1.0
Created: 01 March 2021
Last Modified: 27 April 2021

Associated Software Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force

Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Pysa has used Powershell scripts to deploy its ransomware.[1]

.006 Command and Scripting Interpreter: Python

Pysa has used Python scripts to deploy ransomware.[1]

Enterprise T1486 Data Encrypted for Impact

Pysa has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Pysa has the capability to stop antivirus services and disable Windows Defender.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

Pysa has deleted batch files after execution. [1]

Enterprise T1490 Inhibit System Recovery

Pysa has the functionality to delete shadow copies.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Pysa has executed a malicious executable by naming it svchost.exe.[1]

Enterprise T1112 Modify Registry

Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.[1]

Enterprise T1046 Network Service Discovery

Pysa can perform network reconnaissance using the Advanced Port Scanner tool.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Pysa can perform OS credential dumping using Mimikatz.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Pysa has laterally moved using RDP connections.[1]

Enterprise T1489 Service Stop

Pysa can stop services and processes.[1]

Enterprise T1016 System Network Configuration Discovery

Pysa can perform network reconnaissance using the Advanced IP Scanner tool.[1]

Enterprise T1569 .002 System Services: Service Execution

Pysa has used PsExec to copy and execute the ransomware.[1]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Pysa has extracted credentials from the password database before encrypting the files.[1]