Here’s What We Know About PYSA Ransomware


PYSA ransomware is a piece of malware from an unknown APT group. It attacks what the FBI calls “soft targets” such as schools, nursing homes, and hospitals. Here’s what we know about this tool, according to a report from Mimecast.

PYSA Ransomware

An advanced persistence threat (APT) group are sophisticated entities that are either nation state actors or sponsored by one. They are designated by numbers; for example the group tracked as APT28 is known by recognizable names such as Fancy Bear.

The PYSA ransomware is a variant of the strain known as Mespinoza and is Ransomware as a Service (RaaS) that the attackers sell access to. According to Kroll it has been active since 2019 and observers noted an increase of attacks in the second half of 2021. The group does not restrict itself to specific geographic areas or industries, although 55% of victims have been located within the United States.

PYSA typically targets high-level institutions and it acts in a similar manner to other ransomware tools Sodinokibi and Ryuk. The most common sector appears to be education, but other victims include those in manufacturing, medical, construction, transport, retail, and local governments.

The malware gets into a system through phishing scams, RDP attacks, or brute-force attacks. Once inside, it steals account credentials, financial data, legal documents, and other forms of sensitive information.¬†Then, as is typical of ransomware, it encrypts the machines on the network and the attackers demand money to decrypt the data, typically in the form of cryptocurrency. The data is posted to a website controlled by the group that displays the slogan “Protect Your System Amigo.”


Kroll shared three mitigations that they believe can help stave off attacks from PYSA ransomware. These involve keeping Remote Desktop Protocol (RDP) secure.

  • Understand Your Internet Footprint. Conduct regular assessments of what services are exposed to the internet. Ideally this should be done by an independent third party to ensure a thorough check.
  • Secure RDP Connections. This can be done by having all RDP services run through a VPN.
  • Enable Network Level Authentication (NLA) for RDP. NLA requires authentication before a session being established.

PYSA makes use of PowerShell scripts as part of its operation on victim machines.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.