Cybercriminals are using PYSA ransomware to target government agencies, educational institutions and the healthcare sector, according to a report from cyber threat intelligence company Prodaft.
The report documents Prodaft's 16-month investigation of the PYSA cybercrime group, dating back to September 2020. Key takeaways from Prodaft's report include:
- There were periods in which PYSA cybercriminals attacked up to 90 different victims per month.
- Since September 2020, the PYSA team has exfiltrated data from 747 victims.
- PYSA released the confidential files of 309 victims in its public leak server.
- Almost 58 percent of PYSA victims paid a ransom.
The report also provided insights into how PYSA operates and how cybercriminals use the ransomware to target and attack victims, including:
- PYSA originally appeared in late 2019 and may be a successor to the Mespinoza ransomware strain.
- PYSA threat actors may be using a "professional development cycle" that enables them to develop and deploy new ransomware functionalities on a regular basis.
- If PYSA victims do not comply with a cybercriminal's demands, the victim's data is published on a public leak server.
- PYSA operators manage a publicly available .git folder from which anyone can access and extract the files that reside in the repository. Prodaft indicated the folder "is not an intentional decoy, but a genuine tool forgotten by a careless PYSA team member."
- Once PYSA team members encrypt a victim's system, they try to intimidate the victim into paying a ransom. At this point, team members show the victim that their data has been compromised. They also use a full-text search engine that extracts metadata and makes victim information easy to access and view.
- The PYSA team has used an Amazon S3 cloud infrastructure account to store their encrypted files.
- There are at least 11 active users representing individual threat actors with different privilege levels in PYSA's management system.
PYSA is a highly manual ransomware operator that focuses exclusively on high-value targets, Prodaft indicated. Going forward, PYSA cybercriminals may prioritize automation and workflow efficiency as they seek out ways to improve the ransomware's capabilities.
Meanwhile, MSSPs can help organizations prepare for PYSA and other types of ransomware. By teaching organizations about ransomware and other cyberthreats and offering managed security services, MSSPs can help these organizations optimize their security posture.