
PYSA Ransomware Attacks: Here’s What MSSPs Need to Know


Cybercriminals are using PYSA ransomware to target government agencies, educational institutions and the healthcare sector, according to a report from cyber threat intelligence company Prodaft.

Prodaft's report documents a 16-month investigation of the PYSA cybercrime group, dating back to September 2020. Key takeaways from the report include:

  • There were periods in which PYSA cybercriminals attacked up to 90 different victims per month.
  • Since September 2020, the PYSA team has exfiltrated data from 747 victims.
  • PYSA released the confidential files of 309 victims in its public leak server.
  • Almost 58 percent of PYSA victims paid a ransom.

The report also provides insights into PYSA itself and into how cybercriminals use the ransomware to target and attack victims, including:

  • PYSA originally appeared in late 2019 and may be a successor to the Mespinoza ransomware strain.
  • PYSA threat actors may be using a "professional development cycle" that enables them to develop and deploy new ransomware functionalities on a regular basis.
  • If PYSA victims do not comply with a cybercriminal's demands, the victim's data is published on a public leak server.
  • PYSA operators manage a publicly available .git folder that anyone can access and extract files that reside in the repository. Prodaft indicated the folder "is not an intentional decoy, but a genuine tool forgotten by a careless PYSA team member."
  • Once PYSA team members encrypt a victim's system, they try to intimidate the victim into paying a ransom. At this stage, team members show the victim that their data has been compromised. They also use a full-text search engine that extracts metadata and makes victim information easy to access and view.
  • The PYSA team has used an Amazon S3 cloud infrastructure account to store their encrypted files.
  • There are at least 11 active users representing individual threat actors with different privilege levels in PYSA's management system.

PYSA is a highly manual ransomware operator that focuses exclusively on high-value targets, Prodaft indicated. Going forward, PYSA cybercriminals may prioritize automation and workflow efficiency as they seek out ways to improve the ransomware's capabilities.

Meanwhile, MSSPs can help organizations prepare for PYSA and other types of ransomware. By educating organizations about ransomware and other cyberthreats and offering managed security services, MSSPs can help them strengthen their security posture.

Dan Kobialka

Dan Kobialka is senior contributing editor, MSSP Alert and ChannelE2E. He covers IT security, IT service provider business strategies and partner programs. Dan holds an M.A. in Print and Multimedia Journalism from Emerson College and a B.A. in English from Bridgewater State University. In his free time, Dan enjoys jogging, traveling, playing sports, touring breweries and watching football.