Researchers Share In-Depth Analysis of PYSA Ransomware Group

An 18-month analysis of the PYSA ransomware operation has revealed that the cybercrime cartel followed a five-stage software development cycle starting in August 2020, with the malware authors prioritizing features that improved the efficiency of their own workflows.

Among those features was a full-text search engine, a user-friendly tool built to pull metadata out of the stolen data and let the operators find and access victim information quickly.

“The group is known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data,” Swiss cybersecurity company PRODAFT said in an exhaustive report published last week.

PYSA, short for “Protect Your System, Amigo” and a successor to the Mespinoza ransomware, was first observed in December 2019 and has emerged as the third most prevalent ransomware strain detected during the fourth quarter of 2021.

Between September 2020 and January of this year, when its servers were taken offline, the gang is believed to have exfiltrated sensitive information from as many as 747 victims.

Most of its victims are located in the U.S. and Europe, with the group primarily striking government, healthcare, and educational sectors. “The U.S. was the most-impacted country, accounting for 59.2% of all PYSA events reported, followed by the U.K. at 13.1%,” Intel 471 noted in an analysis of ransomware attacks recorded from October to December 2021.

PYSA, like other ransomware families, follows the "big game hunting" model of going after large, well-resourced organizations, and pairs it with double extortion: the stolen data is published if a victim refuses to meet the group's demands.

Every eligible file is encrypted and renamed with a ".pysa" extension; decrypting the files requires the RSA private key, which the victim can only obtain by paying the ransom. Almost 58% of PYSA victims are said to have paid to recover access to their encrypted documents.
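The ".pysa" extension is the one on-disk indicator the article gives, and on a responder's first pass that is usually what scopes the incident. The following triage scanner is an added example, not code from the PRODAFT or Intel 471 reports and not PYSA's own code: it walks a tree, collects every file carrying the appended suffix, recovers the pre-encryption file names, and groups the hits by folder and by modification-time window so the blast radius and encryption window can be estimated. The sample tree it builds is constructed inline; the suffix constant and the summary shape are this example's choices.

```python
"""Triage scan for a PYSA-style extension-renaming ransomware event.

Added example; not taken from the PRODAFT or Intel 471 reports.
Only indicator used: the ".pysa" suffix the article describes.
"""
import tempfile
from collections import Counter
from pathlib import Path

# Extension appended to every encrypted file (from the article).
ENCRYPTED_SUFFIX = ".pysa"


def is_encrypted(path):
    """True if the file name ends in the ransomware suffix (case-insensitive)."""
    return path.name.lower().endswith(ENCRYPTED_SUFFIX)


def original_name(path):
    """Recover the pre-encryption file name by stripping the appended suffix.

    PYSA appends the extension rather than replacing it, so
    'report.docx.pysa' came from 'report.docx'. Unrelated files pass through.
    """
    name = path.name
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return name[: -len(ENCRYPTED_SUFFIX)]
    return name


def find_encrypted(root):
    """Return a sorted list of encrypted files under root."""
    root = Path(root)
    return sorted(p for p in root.rglob("*") if p.is_file() and is_encrypted(p))


def summarize(hits):
    """Group hits by directory and compute the mtime window.

    Returns (count_per_dir, first_mtime, last_mtime). The mtime window is a
    rough estimate of when the encryption run started and finished; both
    values are None when there are no hits.
    """
    per_dir = Counter(str(p.parent) for p in hits)
    if not hits:
        return dict(per_dir), None, None
    mtimes = [p.stat().st_mtime for p in hits]
    return dict(per_dir), min(mtimes), max(mtimes)


def demo():
    """Build a constructed sample tree and run the triage on it.

    Returns (hit_count, affected_dir_names, recovered_original_names).
    """
    base = Path(tempfile.mkdtemp(prefix="pysa-triage-"))
    sample_files = [                       # constructed sample, not real data
        "finance/q3.xlsx.pysa",
        "finance/budget.docx.pysa",
        "hr/payroll.csv.PYSA",             # mixed case still counts
        "hr/handbook.pdf",                 # untouched
        "public/readme.txt",               # untouched
    ]
    for rel in sample_files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")

    hits = find_encrypted(base)
    per_dir, first, last = summarize(hits)
    affected = {Path(d).name for d in per_dir}
    originals = sorted(original_name(p) for p in hits)
    print(f"{len(hits)} encrypted files in {len(per_dir)} folders: {sorted(affected)}")
    print(f"encryption window (epoch seconds): {first} .. {last}")
    return len(hits), affected, originals


if __name__ == "__main__":
    demo()
```

On a real share the mtime window is only a rough estimate, since the malware may reset timestamps or the share may be under normal write load; use it to narrow the log search, not as the authoritative timeline.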
