With amigos (friends) like this on the dark web, who needs enemigos (enemies)? PYSA ransomware, an acronym for Protect Your System Amigo, was one of the top four most common ransomware variants in Q2 2021. PYSA are another ransomware player of some significance, who have leaked sensitive data from almost 200 organizations. PYSA is being offered by its operators to “partners” using the Ransomware as a Service (RaaS) model. The RaaS model is popular with cyber criminals as it provides a division of labor between the ransomware authors and their partners. The operators create and update the ransomware itself, as well as any backend necessary, and the partners compromise victims’ networks, exfiltrate sensitive data and deploy the ransomware. They then split any ransom payments, with the majority going to the partners.

What Is PYSA?

PYSA has been listed in recent reports as one of the top four most common ransomware variants in Q2 2021 and has not previously been the subject of a Threat Report. PYSA ransomware is an evolution of Espinoza ransomware, which was first seen in October 2019, with the first PYSA variant surfacing in December 2019. It is offered via the common RaaS model, with the operators providing the ransomware for a cut of the profits, leaving the “partners” to compromise victim organizations’ networks, exfiltrate sensitive data, deploy the ransomware and execute it.

PYSA dark web home page

As with most other ransomware operators, PYSA operators host a dark web site where they post sensitive data stolen from victims on the “Partners” page, under the heading “Something interesting from our partners”. For this Threat Report, a review of the site was performed. Please note: no stolen data was accessed or downloaded during this review. The site, which uses the font and color scheme of an MS-DOS application, lists 189 victim organizations whose data was released, covering the period April 2020 to August 2021. For each victim, several zip files are offered for download, and the file listing of each zip file can also be displayed. Based on the names of the files in these zip files, they appear to contain a wide variety of sensitive personal, financial, and business information. This suggests that data exfiltration is one of the primary objectives of the PYSA operators and partners.

Partners page (Redacted)
Zip contents example (Redacted)

A review of the victim organizations listed on the dark web site shows most of them are located in the United States, with the United Kingdom, Brazil, Italy, and Canada the most common of the remaining 24 countries. A breakdown of victim organizations based on industry found Education the most common, followed by Medical, Manufacturing, Construction and Local Government. There is no evidence to determine if these target profiles apply equally to all PYSA victims, or only those who did not pay the ransom in time. The following tables list the country and industry breakdowns in full.

List of victim organizations by country
List of victim organizations by industry

As for the ransomware itself, it does not contain any significant anti-analysis or evasion mechanisms; in fact, the list of file extensions to be encrypted is hardcoded in plain text into the ransomware. This may be because PYSA tactics place an emphasis on exfiltrating sensitive data from victims’ networks before deploying the ransomware. By that point the attackers will likely have visibility into which anti-virus solution is in use and can ensure that the ransomware will not be detected by that product, so the PYSA authors see no need to invest large amounts of time and effort in sophisticated code. PYSA uses the Crypto++ library for cryptographic functions, rather than the common practice of using the cryptographic libraries that are part of Windows. Encrypted files are given the .pays file extension. Files of 1KB or less are not encrypted, regardless of their file extension.

File extensions to encrypt hardcoded into the code
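Two details above matter to an incident responder: encrypted files carry a fixed extension, and files of 1KB or less are left untouched, so small configuration files, scripts and keys usually survive a run. The following Python triage script is an added example, not code from the report or from BluVector; the extension and size threshold come from the text above, while the directory layout it builds is constructed sample data.

```python
import tempfile
from pathlib import Path

# Values taken from the report: encrypted files receive this extension, and files
# of 1 KB or less are skipped by the ransomware regardless of extension.
ENCRYPTED_EXT = ".pays"
SKIP_THRESHOLD_BYTES = 1024


def triage_tree(root):
    """Walk a directory tree after a PYSA-style run and sort files into three groups.

    encrypted        files carrying the ransomware extension
    untouched_small  files at or below the size threshold that were left alone; these
                     remain readable and often hold configs, keys or scripts worth
                     preserving before any rebuild
    unencrypted      larger files without the extension; either their extension was
                     not on the hardcoded list or encryption did not reach them
    Paths are returned relative to root, POSIX style, sorted for stable output.
    """
    root = Path(root)
    groups = {"encrypted": [], "untouched_small": [], "unencrypted": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix == ENCRYPTED_EXT:
            groups["encrypted"].append(rel)
        elif path.stat().st_size <= SKIP_THRESHOLD_BYTES:
            groups["untouched_small"].append(rel)
        else:
            groups["unencrypted"].append(rel)
    for files in groups.values():
        files.sort()
    return groups


def original_name(encrypted_path):
    """Strip the ransomware extension to recover the file's original name."""
    if encrypted_path.endswith(ENCRYPTED_EXT):
        return encrypted_path[: -len(ENCRYPTED_EXT)]
    return encrypted_path


def build_sample_tree():
    """Create a throwaway tree that mimics a partially encrypted share.

    All names and sizes here are constructed for the example; they are not
    evidence from any real incident.
    """
    root = tempfile.mkdtemp(prefix="pysa_triage_")
    layout = {
        "docs/report.docx.pays": 4096,   # encrypted document
        "docs/notes.txt": 512,           # small file: skipped by the ransomware
        "db/backup.sql.pays": 65536,     # encrypted database dump
        "db/config.ini": 200,            # small file: skipped, still readable
        "db/archive.bin": 8192,          # larger file with an extension not on the list
    }
    for rel, size in layout.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\x00" * size)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for group, files in triage_tree(sample_root).items():
        print(f"{group}: {files}")
```

Run against a real share, the `untouched_small` list is the quick win: those files are intact and can be copied off before any rebuild, while `unencrypted` entries deserve a second look, since a large file the ransomware skipped may simply have an extension that was not on the hardcoded list.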

Rather than change the endpoint’s desktop background to an image of the ransom note, PYSA uses a novel technique: it changes the values of the LegalNoticeText and LegalNoticeCaption entries in the Windows registry so that the ransom notice is displayed at each reboot. These values are normally used to present users with a notice of the conditions of use for a system when logging on. The ransom note is also placed in a text file named Readme.README, dropped in every directory on the system.

Ransom note displayed as the legal notice (Redacted)
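Because the legal notice values are rarely changed outside of Group Policy, a write to LegalNoticeText or LegalNoticeCaption by an unexpected process is a cheap, high-signal detection. The Python below is an added example (not code from the report or from BluVector) that classifies Sysmon Event ID 13 registry value-set records; the sample records are constructed, the list of expected writer processes is an assumption to tune per environment, and the two registry key paths are the standard locations where Windows reads the logon notice.

```python
import sys

# Value names the report says PYSA rewrites; compared case-insensitively because
# Sysmon records TargetObject in whatever case the writer used.
WATCHED_VALUES = {"legalnoticetext", "legalnoticecaption"}

# Registry keys under HKLM where Windows reads the logon notice (the policy key
# and the Winlogon key).
WATCHED_KEYS = (
    r"software\microsoft\windows\currentversion\policies\system",
    r"software\microsoft\windows nt\currentversion\winlogon",
)

# Writers expected when a legitimate logon banner is set via Group Policy.
# Assumption for this example: adjust to the environment's tooling.
EXPECTED_WRITERS = {r"c:\windows\system32\gpupdate.exe", r"c:\windows\system32\svchost.exe"}

# Phrases typical of a ransom demand; any hit raises the finding to critical.
RANSOM_HINTS = ("encrypt", "decrypt", "bitcoin", ".onion", "ransom")


def classify_registry_event(event):
    """Classify one Sysmon Event ID 13 (RegistryEvent: Value Set) record.

    `event` is a dict with the Sysmon field names TargetObject, Details and Image.
    Returns None when the write is not to a watched logon-notice value, otherwise
    a finding with a severity of info, high or critical.
    """
    target = event.get("TargetObject", "")
    key, _, value_name = target.rpartition("\\")
    if value_name.lower() not in WATCHED_VALUES:
        return None
    if not any(watched in key.lower() for watched in WATCHED_KEYS):
        return None

    details = event.get("Details", "")
    image = event.get("Image", "")
    if any(hint in details.lower() for hint in RANSOM_HINTS):
        severity = "critical"
    elif image.lower() not in EXPECTED_WRITERS:
        severity = "high"
    else:
        severity = "info"
    return {"severity": severity, "value": value_name, "image": image, "preview": details[:60]}


def scan_events(events):
    """Run the classifier over a batch of records and return only the findings."""
    findings = (classify_registry_event(e) for e in events)
    return [f for f in findings if f is not None]


def read_live_values():
    """On Windows, read the current notice values from the policy key; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        out = {}
        for name in ("LegalNoticeCaption", "LegalNoticeText"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:   # value not present
                out[name] = None
        return out


# Constructed sample records in the shape of Sysmon Event ID 13 fields; not real telemetry.
SAMPLE_EVENTS = [
    {   # legitimate banner pushed by Group Policy
        "Image": r"C:\Windows\System32\gpupdate.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption",
        "Details": "Authorized use only",
    },
    {   # unexpected binary rewriting the notice with ransom wording
        "Image": r"C:\Users\Public\update.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText",
        "Details": "Your files have been encrypted. Contact us to decrypt them.",
    },
    {   # unrelated value in the same key: ignored
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
        "Details": "DWORD (0x00000001)",
    },
    {   # unexpected writer but innocuous text: still worth a look
        "Image": r"C:\Temp\banner.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption",
        "Details": "Welcome",
    },
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The severity ladder is deliberate: any write to these values by a process outside the expected set is worth a ticket, and ransom wording in the new value turns it into an active-incident alert. `read_live_values()` gives a responder the same check against a live host without waiting for telemetry.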

PYSA is another ransomware player of some significance, having leaked sensitive data from almost 200 organizations. Whether these organizations couldn’t afford to pay the ransom or recovered their data by other means, the data contained in these files would appear to constitute a data breach for each of them. This illustrates that the threat of releasing sensitive information is often a greater motivating factor for victim organizations to pay ransoms than regaining access to encrypted files, since they may have alternative means of doing so, such as backups.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The most common attack vector for PYSA ransomware is brute force attacks against poorly secured, internet facing, RDP (Remote Desktop Protocol) and AD (Active Directory) servers.
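Since the entry vector is password guessing against exposed RDP, the corresponding detection is a burst of failed logons (Windows Security Event ID 4625) with logon type 10, the RemoteInteractive type an RDP attempt records. The Python below is an added example, not code from the report or from BluVector: it applies a per-source sliding window to constructed, flattened log lines (addresses drawn from the RFC 5737 documentation ranges) and reports how many distinct accounts were tried, which separates a single-account guess from spraying. The threshold and window are assumptions to align with the environment's lockout policy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log: 4625 is a failed logon; logon type 10 (RemoteInteractive)
# is what an RDP session attempt records.
FAILED_LOGON_EVENT_ID = "4625"
RDP_LOGON_TYPE = "10"

# Tuning knobs: this many failures from one source inside the window raises an
# alert. Assumption for this example; match to the environment's lockout policy.
THRESHOLD = 5
WINDOW = timedelta(minutes=2)

# Constructed log lines (not real telemetry) in a flattened one-line-per-event form.
SAMPLE_LOG = """\
2021-08-01T10:00:00Z 4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=admin
2021-08-01T10:00:05Z 4625 LogonType=3 IpAddress=203.0.113.5 TargetUserName=admin
2021-08-01T10:00:10Z 4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=admin
2021-08-01T10:00:20Z 4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=administrator
2021-08-01T10:00:30Z 4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=administrator
2021-08-01T10:00:40Z 4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=backup
2021-08-01T10:00:50Z 4625 LogonType=10 IpAddress=203.0.113.5 TargetUserName=backup
2021-08-01T10:01:00Z 4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2021-08-01T10:02:00Z 4625 LogonType=10 IpAddress=198.51.100.9 TargetUserName=jsmith
2021-08-01T10:05:00Z 4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=svc
2021-08-01T10:10:00Z 4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=svc
2021-08-01T10:15:00Z 4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=svc
2021-08-01T10:20:00Z 4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=svc
2021-08-01T10:25:00Z 4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=svc
2021-08-01T10:30:00Z 4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=svc
"""


def parse_events(text):
    """Parse the flattened lines into dicts with a datetime 'time' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, *fields = line.split()
        event = {"time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), "EventID": event_id}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of failed RDP logons per source address.

    Returns one alert per source the first time it reaches `threshold` failures
    within `window`, including how many distinct accounts that source has tried
    (a high count points at password spraying rather than a single-account guess).
    Failures with other logon types (e.g. type 3, network) are not counted.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> accounts attempted so far
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("EventID") != FAILED_LOGON_EVENT_ID or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip, now = ev.get("IpAddress", "-"), ev["time"]
        window_q = recent[ip]
        window_q.append(now)
        while window_q and now - window_q[0] > window:
            window_q.popleft()
        users[ip].add(ev.get("TargetUserName", "-"))
        if len(window_q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "first_seen": window_q[0],
                "last_seen": now,
                "failures_in_window": len(window_q),
                "distinct_users": len(users[ip]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the constructed sample only 203.0.113.5 fires: 198.51.100.9 stops after two attempts, and 198.51.100.7 spreads its six failures five minutes apart, which is exactly the slow-and-low pattern a fixed window misses, so a second, longer window (or a daily per-source total) is worth running alongside this one. The durable mitigation is still to take RDP off the internet, put it behind a VPN or gateway with MFA, and enforce account lockout.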

When/How Did BluVector Detect It?

Fifteen recent, publicly available PYSA samples were regression tested with BluVector’s patented Machine Learning Engine (MLE) and it detected them all, with an average detection time of 31.33 months prior to their release.