PYSA Ransomware

Introduction: PYSA ransomware, also tracked as Mespinoza and operated by the group calling itself Pysa Partners, appeared in early 2020. Its name is an acronym for “Protect Your System Amigo”, the phrase used in its ransom note. This analysis covers PYSA's emergence, target sectors, spread mechanisms, technical details, detection strategies, mitigation measures, and removal processes.

PYSA Ransomware Overview:

  • Emergence:
    • Emerged in early 2020.
    • Operates as a double-extortion threat: sensitive data is exfiltrated before encryption and published if the victim does not pay.
    • Known for careful target selection and thorough reconnaissance of the victim network before encryption begins.

Targets:

  • Primary Sectors:
    • Healthcare, government, and financial institutions.
    • Notably heavy targeting of educational institutions (schools and universities).

Spread Mechanisms:

  • Delivery Methods:
    • Post-compromise operations run through Cobalt Strike or similar frameworks.
    • Phishing campaigns.
    • Exposed RDP services, followed by internal reconnaissance with Advanced Port Scanner and Advanced IP Scanner.

Technical Details:

  • Initial Access:
    • Exposed RDP services, reached with brute-forced or otherwise compromised credentials.
    • Phishing emails.
  • Tooling:
    • WinSCP for data exfiltration.
    • Advanced Port Scanner and Advanced IP Scanner for internal reconnaissance.
    • Mimikatz (credential dumping), Koadic (post-exploitation agent), PowerShell, and Chisel (TCP tunnelling) are frequently observed.
    • Attempts to disable Windows Defender through Local Group Policy settings.
  • Encryption Process:
    • Generates a unique KEY and IV for each file.
    • Uses the Crypto++ AutoSeededRandomPool for random key generation.
    • Encrypts file contents with AES in CBC mode, reading the data in 100-byte chunks (AES itself operates on 16-byte blocks, so the 100-byte read size is not the cipher's block size).
    • Encrypts each file's KEY and IV with an embedded RSA public key, so decryption requires the operators' RSA private key.
  • Data Exfiltration:
    • Data is exfiltrated to the MEGA.NZ file-sharing service.
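
The hybrid scheme described above (per-file random KEY and IV, AES-CBC over the file read in 100-byte chunks, KEY and IV wrapped with the attackers' RSA public key) is modelled below. This is an added example written for this page with the `cryptography` library; it is not PYSA's own code. The 256-bit AES key, the 2048-bit RSA key, RSA-OAEP as the wrapping padding and one continuous CBC stream with PKCS#7 padding at the end are assumptions, since the page does not state them; the sample plaintext is constructed.

```python
"""Added example: hybrid per-file encryption as described for PYSA, modelled in Python.
Illustrative code, not the malware's implementation; sizes marked as assumptions are
not stated on the page."""
import os
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding as asym_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

CHUNK = 100        # read size described for the sample
AES_BLOCK = 16     # AES always works on 16-byte blocks, whatever the read size
KEY_LEN = 32       # assumption: AES-256; the page gives no key length
IV_LEN = 16

# Assumption: RSA-OAEP with SHA-256 for wrapping KEY||IV.
OAEP = asym_padding.OAEP(mgf=asym_padding.MGF1(algorithm=hashes.SHA256()),
                         algorithm=hashes.SHA256(), label=None)


def padded_len(n: int) -> int:
    """Length of PKCS#7-padded CBC output for an n-byte plaintext."""
    return (n // AES_BLOCK + 1) * AES_BLOCK


def encrypt_file_bytes(plaintext: bytes, attacker_pub) -> tuple[bytes, bytes]:
    """Per-file random KEY/IV, AES-CBC over data fed in 100-byte chunks,
    KEY||IV wrapped with the attackers' RSA public key."""
    key, iv = os.urandom(KEY_LEN), os.urandom(IV_LEN)   # stands in for AutoSeededRandomPool
    encryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    padder = padding.PKCS7(AES_BLOCK * 8).padder()
    out = bytearray()
    for off in range(0, len(plaintext), CHUNK):
        # One continuous CBC stream: the 100-byte read size only controls how
        # bytes reach the cipher; the padder keeps the 16-byte alignment.
        out += encryptor.update(padder.update(plaintext[off:off + CHUNK]))
    out += encryptor.update(padder.finalize()) + encryptor.finalize()
    wrapped = attacker_pub.encrypt(key + iv, OAEP)
    return bytes(out), wrapped


def decrypt_file_bytes(ciphertext: bytes, wrapped: bytes, attacker_priv) -> bytes:
    """Recovery path: only the holder of the RSA private key can unwrap KEY/IV."""
    blob = attacker_priv.decrypt(wrapped, OAEP)   # ValueError with the wrong key
    key, iv = blob[:KEY_LEN], blob[KEY_LEN:]
    decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    unpadder = padding.PKCS7(AES_BLOCK * 8).unpadder()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    return unpadder.update(padded) + unpadder.finalize()


def demo() -> dict:
    attacker = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    plaintext = b"constructed sample file contents\n" * 7   # 231 bytes, constructed
    ct, wrapped = encrypt_file_bytes(plaintext, attacker.public_key())
    recovered = decrypt_file_bytes(ct, wrapped, attacker)
    # A defender holding the ciphertext and the wrapped blob but not the operators'
    # private key (modelled here by an unrelated key) cannot recover KEY/IV.
    bystander = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        decrypt_file_bytes(ct, wrapped, bystander)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {"roundtrip_ok": recovered == plaintext,
            "ciphertext_len": len(ct),
            "expected_len": padded_len(len(plaintext)),
            "wrapped_len": len(wrapped),
            "wrong_key_rejected": wrong_key_rejected}


if __name__ == "__main__":
    print(demo())
```

The point for responders is the last check: because KEY and IV exist only inside the RSA-wrapped blob, recovering files from the ciphertext alone is not feasible, and restoration has to come from backups or from the operators' private key.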

Detection Strategies:

  • Behaviour-based EDR identifies and blocks the activity and artifacts associated with PYSA (credential dumping, reconnaissance tooling, mass file encryption and ransom-note drops). Where EDR coverage is missing, watch for a burst of file renames to a new extension and the same note file appearing across many directories.

Mitigation Measures:

  • EDR repair or rollback features can return affected systems to their pre-infection state; tested offline backups remain the fallback where no rollback data exists.

Removal Process:

  • EDR customers are protected from PYSA ransomware without manual updates. Where the policy was set to Detect Only and a device was infected, the EDR's rollback capability removes the infection and restores files to their original state. Because PYSA exfiltrates data before encrypting, file restoration alone does not close the incident: the extortion risk from the stolen data remains.

Incident Response:

  1. Detection:
    • Identify signs of PYSA through EDR alerts and network monitoring (internal port scans, RDP logons from unexpected sources, large uploads to MEGA).
  2. Isolation:
    • Disconnect infected devices from the network to prevent further spread, preserving them for forensic analysis rather than wiping them immediately.
  3. Removal:
    • Eradicate the malware and the attacker's tooling with anti-malware tools, and reset credentials exposed by Mimikatz before reconnecting systems.
  4. Restoration:
    • Restore encrypted files from backups verified to be clean. Since data was exfiltrated, assess notification obligations; restoring files does not undo the leak.
  5. Expert Consultation:
    • Engage incident response specialists for a full assessment and to prevent recurrence.
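
The detection step above can be partly scripted. The following added example, written for this page and not taken from the original text or from any vendor tool, sweeps a directory tree for PYSA file-system artifacts and a proxy log for large uploads to MEGA, then maps the findings to the isolate-before-clean order of the steps. The `.pysa` extension and the `Readme.README` note name come from public reporting on PYSA (FBI FLASH, March 2021), not from this page; the proxy log format, the 50 MiB upload threshold and all sample data are constructed assumptions.

```python
"""Added example: first-pass triage for PYSA indicators (file system and proxy log)."""
import os
import re
import tempfile
from collections import Counter

# Indicators from public reporting on PYSA (FBI FLASH, March 2021); not stated on this page.
ENCRYPTED_EXT = ".pysa"
RANSOM_NOTE = "Readme.README"
# Exfiltration destination named on the page.
MEGA_DOMAINS = ("mega.nz", "mega.co.nz")
# Assumption: flag a source that pushes at least 50 MiB to MEGA.
UPLOAD_THRESHOLD = 50 * 1024 * 1024
# Assumption: constructed proxy log format "ts user src_ip dst_host bytes_out bytes_in".
PROXY_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")


def is_mega_host(host: str) -> bool:
    """Exact or subdomain match only, so e.g. 'omega.nz' does not count."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def sweep_filesystem(root: str) -> dict:
    """Count encrypted files and ransom notes under root (detection step 1)."""
    result = {"encrypted_files": 0, "ransom_notes": [], "dirs_with_notes": 0}
    for dirpath, _subdirs, files in os.walk(root):
        note_here = False
        for name in files:
            if name == RANSOM_NOTE:
                result["ransom_notes"].append(os.path.join(dirpath, name))
                note_here = True
            elif name.lower().endswith(ENCRYPTED_EXT):
                result["encrypted_files"] += 1
        result["dirs_with_notes"] += int(note_here)
    return result


def sweep_proxy_log(lines) -> dict:
    """Total bytes uploaded to MEGA per source IP; return sources over the threshold."""
    uploads = Counter()
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue   # skip malformed or header lines
        _ts, _user, src, host, bytes_out, _bytes_in = m.groups()
        if is_mega_host(host):
            uploads[src] += int(bytes_out)
    return {src: n for src, n in uploads.items() if n >= UPLOAD_THRESHOLD}


def recommend(fs: dict, exfil: dict) -> str:
    """Map findings to the response steps: isolate and preserve before cleaning."""
    if fs["ransom_notes"] or fs["encrypted_files"] or exfil:
        return "isolate-and-preserve"
    return "no-indicators"


def build_sample_tree() -> str:
    """Constructed sample data: two encrypted shares with notes, one clean share."""
    root = tempfile.mkdtemp(prefix="pysa_triage_")
    layout = {
        "finance": ["budget.xlsx.pysa", "q1-report.docx.pysa", RANSOM_NOTE],
        "hr": ["handbook.pdf.pysa", "roster.csv.pysa", RANSOM_NOTE],
        "public": ["index.html", "logo.png"],
    }
    for sub, names in layout.items():
        path = os.path.join(root, sub)
        os.makedirs(path)
        for name in names:
            with open(os.path.join(path, name), "wb") as fh:
                fh.write(b"sample")
    return root


# Constructed proxy log lines; timestamps, users and addresses are invented.
SAMPLE_PROXY_LOG = """\
2021-03-09T02:14:07Z svc_backup 10.0.5.23 g.api.mega.co.nz 73400320 4096
2021-03-09T02:15:31Z svc_backup 10.0.5.23 mega.nz 52428800 2048
2021-03-09T02:16:02Z jdoe 10.0.7.44 mega.nz 1048576 512
2021-03-09T02:16:40Z jdoe 10.0.7.44 www.example.com 734003200 8192
2021-03-09T02:17:12Z svc_backup 10.0.5.23 omega.nz 99999999 100
""".splitlines()


def demo() -> dict:
    root = build_sample_tree()
    fs = sweep_filesystem(root)
    exfil = sweep_proxy_log(SAMPLE_PROXY_LOG)
    return {"fs": fs, "exfil": exfil, "action": recommend(fs, exfil)}


if __name__ == "__main__":
    print(demo())
```

On the constructed data the host 10.0.5.23 is flagged for roughly 120 MiB pushed to MEGA while the large upload to an unrelated site and the look-alike domain are ignored; in a real engagement the proxy parser would be adapted to the local log format and the thresholds tuned to normal traffic.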

Proactive Measures:

  • Employee Education: Raise awareness among employees of ransomware and phishing risks.
  • Strong Passwords: Use strong, unique passwords, especially for accounts that can log on over RDP, and rotate any credential suspected of compromise.
  • Multi-Factor Authentication: Enable MFA on RDP, VPN and other remote-access paths, the initial-access vectors PYSA relies on.
  • Systems Update: Regularly patch systems, and remove or restrict internet-exposed RDP.
  • Backup and Recovery: Maintain offline or immutable backups as part of a disaster recovery plan, and test restores regularly.

Copyright © 2024 RASOC all rights reserved