Recently specialists from PRODAFT (Proactive Defense Against Future Threats) published an extensive report about the infamous ransomware variant PYSA. The detailed information in the report ” PYSA (Mespinoza) In-depth analysis” covers quite an interesting even for the general public range of questions.
As a fact:The report was prepared by the PTI team of the company and last updated on April 11, 2022. The investigation date took place between September 25, 2020 and January 15, 2022. The initial report date is September the 27, 2020.
We will provide you with the most interesting excerpts from the research but for the true geeks at heart, there’s also the original report available.
The group behind PYSA has been listed as one of the most advanced ransomware groups that secretly and successfully carries its high value attacks. According to the known facts, they target only healthcare sectors, educational institutions and government agencies. It is important to recall that the introduction of ransomware is one of the most dangerous forms of cyber attacks in today’s 2022 world.
Before launching its attacks the PYSA criminals will conduct thorough research of their future victims. After this, they will compromise the enterprise’s systems and force the target to pay a large sum of ransom for the restoration of data.
Cybersecurity specialists connect this ransomware variant to the well-known Mespinoza example. In fact, threat intelligence professionals widely believe that the same individuals operate both variants.
PYSA operators are regarded as one of the most competent cybercriminals among others. But because they are also humans and humans make mistakes — some of the operational security mistakes that gang members did allowed researchers to take an exclusive sneak peek into criminal’s technologies and internal operations.
NOTE: Therefore, find a ransomware protection tool that is convenient for you to protect yourself in case of attacks.
But the investigation started around September 2020. The analysis of the infrastructure used by PYSA operators lasted for 16 month; researchers tried to obtain every possible detail of it. PYSA servers were taken offline around January-February 2022.
First time cybersecurity specialists detected both Mespinoza and PYSA in late 2019. PYSA, being seemingly the successor to Mespinoza, had a professional development cycle. Cybersecurity specialists note that from the last nearly two year period the ransomware got quite useful new functionalities like full-text search capabilities.
Short Information About PYSA Infrastructure
PYSA operators use a number of dockerized containers that include management servers, database and public leak servers. The containers are connected via internal networking on the same dedicated server.
Since December 2021 threat actors have been developing new management servers. Cybersecurity specialists assume this was done to address some scalability issues of the ransom process. In this system each member of the gang received the assignment of a different management server.
The team deploys external work queues like Amazon Simple Queue Service (SQS) for the management of the workflow that has been assigned to each gang member.
Ransomware Software Analysis
PYSA ransomware moves recursively between hard drives and looks for the eligible files to encrypt. On every new directory visit the executable starts a new thread for a new encryption routine and subsequently puts a README ransom note in each directory.
But in order to keep the system functioning it avoids encrypting the executable files with necessary system files. The malware has hard coded extensions that don’t allow the encryption of the specific files during the encryption algorithm. Every encrypted file receives the ”.pysa” extension.
1) The ransomware generates a KEY and an IV value for each file. AutoSeededRandomPool does the key generation. This randomly generated key is later used for file encryption with the AES CBC Mode algorithm.
2) PYSA encrypts files in blocks of 100 bytes. After successfully encrypting the file the ransomware begins with the encryption of both KEY and IV values with an RSA public key. Threat actors will need this information later for the decryption.
At the beginning of the file ransomware puts the encrypted KEY and IV values there. The malware stores the RSA public key in encoded format.
The decryption software also recursively runs through each file. For every file it retrieves input previously encrypted AES CBC Mode algorithm parameters. With the help of RSA private key it decrypts KEY and IV values. Once the necessary parameters is met the decryption software restores file content and replaces each filename with it’s original extension.
In addition to the the information above, the report also covers statistics on victims and threat actor activity. It gives further details onto each PYSA’s technical capabilities including management system and public server.
It’s worth to mention, in the paragraph “Author Profiling and Linguistic Evidence” researchers give an explanation of AUCH (Autorenprofile für die Untersuchung von Cyberkriminalität CH) works helping to analyze the language of cybercriminals. On the example of PYSA operators’ communication they showed exactly how the thing do it’s task.