Experts Analyzed the Activities of the PYSA Cyber-Extortion Group

Specialists from the Swiss cybersecurity company PRODAFT have published the results of an 18-month study on the PYSA cyber-extortion group.

PYSA (an acronym for “Protect Your System, Amigo”) is the successor to Mespinoza ransomware.

The malware was first discovered in December 2019 and was the fourth most used ransomware in the last quarter of 2021.

Since September 2020, the group has stolen confidential information from 747 victims. In January 2022, its servers were taken down.

According to Intel 471, the majority of victims are in the US (59.2% of all PYSA attacks) and the UK (13.1%). Most often, PYSA attacked government, educational and health organizations.

“The group is known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data. They are listed as one of the most advanced ransomware groups that carry out their operations off the radar,” PRODAFT researchers note.

Like other cyber-ransomware groups, PYSA used a double extortion tactic, releasing the victim’s stolen files if they refused to pay the ransom.

The malware encrypted files by adding the .pysa extension. To decrypt them, a private RSA key was required, which could only be obtained by paying a ransom to the extortionists. Almost 58% of the victims who paid the required amount were able to restore access to their files.

PRODAFT specialists managed to find a publicly accessible .git folder managed by PYSA operators and found out the login of one of the project authors – [email protected].

The PYSA operation involved at least 11 accounts, most of which were created on January 8, 2021. 90% of all activity in the malware control panel was accounted for by four accounts – t1, t3, t4 and t5.

The PYSA infrastructure also included Docker containers, including public leak servers, databases, and command and control servers, as well as an Amazon S3 cloud for storing encrypted files.

“The group is supported by competent developers applying modern operational paradigms to the development cycle. This indicates a professional environment with a well-organized distribution of responsibilities, rather than a poorly connected network of semi-autonomous hackers,” the researchers said.

By Vladimir Krasnogolovy
