
What is Pysa ransomware?

Pysa ransomware was first spotted in 2019 and quickly became one of the most notorious cyber threats online. It targets higher education institutions, healthcare providers, and private companies in the US and beyond. How dangerous is Pysa, and how can you spot it?

Karolis Bareckas


Dec 14, 2021 · 4 min read


How does Pysa ransomware work?

Pysa stands for “Protect your system amigo”, a line from the ransom note left on infected devices. To get in, the operators use phishing emails, brute-force attacks against RDP (Remote Desktop Protocol) and Active Directory credentials on servers exposed to the internet, and social engineering. Once inside, they spread Pysa across the network and lock victims out of their files.
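Of the entry points above, brute-forced RDP is the one that leaves the clearest trail in logs. The following is an added example, not code from this post or from any Pysa analysis, that runs over a constructed export of Windows Security events (EventID 4625 failed logon, 4624 successful logon, logon type 10 meaning RDP) and raises an alert when one source address piles up failed RDP logons within a short window, recording how many distinct accounts were tried and whether a successful logon from the same address followed. The flattened line format, the thresholds, and the addresses are assumptions made for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// sampleLog is a constructed sample, not real telemetry: a flattened export of
// Windows Security events. Columns: UTC timestamp, EventID (4625 = failed logon,
// 4624 = successful logon), LogonType (10 = RemoteInteractive, i.e. RDP),
// account name, source address. Addresses come from documentation ranges.
const sampleLog = `2021-11-03T02:14:01Z 4625 10 administrator 203.0.113.45
2021-11-03T02:14:09Z 4625 10 administrator 203.0.113.45
2021-11-03T02:14:20Z 4625 10 admin 203.0.113.45
2021-11-03T02:14:31Z 4625 10 backup 203.0.113.45
2021-11-03T02:14:44Z 4625 10 administrator 203.0.113.45
2021-11-03T02:15:02Z 4625 10 administrator 203.0.113.45
2021-11-03T02:15:37Z 4624 10 administrator 203.0.113.45
2021-11-03T08:02:11Z 4625 10 j.smith 198.51.100.7
2021-11-03T08:02:30Z 4625 10 j.smith 198.51.100.7
2021-11-03T08:02:55Z 4624 10 j.smith 198.51.100.7
2021-11-03T09:00:00Z 4625 3 svc-web 10.0.0.12`

// Event is one parsed log line.
type Event struct {
	Time      time.Time
	ID        int
	LogonType int
	Account   string
	SourceIP  string
}

func parseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	t, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	id, err := strconv.Atoi(f[1])
	if err != nil {
		return Event{}, err
	}
	lt, err := strconv.Atoi(f[2])
	if err != nil {
		return Event{}, err
	}
	return Event{Time: t, ID: id, LogonType: lt, Account: f[3], SourceIP: f[4]}, nil
}

// Alert is raised when one source address produces at least threshold failed
// RDP logons inside a single window.
type Alert struct {
	SourceIP     string
	Failures     int      // failures in the densest window found
	Accounts     []string // distinct accounts tried; several means spraying
	LaterSuccess bool     // a successful RDP logon from the same IP after the burst began
}

// DetectRDPBruteForce parses the export, keeps only RDP (type 10) logons and
// runs a sliding window over each source address's failures.
func DetectRDPBruteForce(logText string, threshold int, window time.Duration) ([]Alert, error) {
	byIP := map[string][]Event{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if ev.LogonType != 10 { // network/service logons are a different signal
			continue
		}
		byIP[ev.SourceIP] = append(byIP[ev.SourceIP], ev)
	}
	var alerts []Alert
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		var fails []Event
		for _, e := range evs {
			if e.ID == 4625 {
				fails = append(fails, e)
			}
		}
		// densest run of failures that fits inside the window
		best, start := 0, -1
		for i, j := 0, 0; j < len(fails); j++ {
			for fails[j].Time.Sub(fails[i].Time) > window {
				i++
			}
			if j-i+1 > best {
				best, start = j-i+1, i
			}
		}
		if best < threshold {
			continue
		}
		a := Alert{SourceIP: ip, Failures: best}
		seen := map[string]bool{}
		for _, e := range fails[start : start+best] {
			if !seen[e.Account] {
				seen[e.Account] = true
				a.Accounts = append(a.Accounts, e.Account)
			}
		}
		for _, e := range evs {
			if e.ID == 4624 && e.Time.After(fails[start].Time) {
				a.LaterSuccess = true // the burst probably found a valid credential
			}
		}
		alerts = append(alerts, a)
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].SourceIP < alerts[j].SourceIP })
	return alerts, nil
}

func main() {
	alerts, err := DetectRDPBruteForce(sampleLog, 5, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s: %d failed RDP logons, accounts %v, later success: %v\n",
			a.SourceIP, a.Failures, a.Accounts, a.LaterSuccess)
	}
}
```

On the sample, 203.0.113.45 is flagged (six failures in about a minute across three accounts, then a success), while the two mistyped passwords from 198.51.100.7 stay below the threshold. The `LaterSuccess` flag is the one to page on: a failed burst is noise on any internet-exposed RDP host, a burst followed by a successful logon is an incident.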

Pysa is categorized as ransomware-as-a-service (RaaS): its developers lease the malware to other criminal groups that usually lack the capability to build their own, in exchange for a share of the ransom. An earlier version of the same ransomware was known as Mespinoza.

The actors behind Pysa target high-value organizations such as government institutions and healthcare providers that cannot tolerate downtime. Imagine a hospital locked out of its patient records and unable to use its IT systems: every lost minute could cost lives, and the attack brings reputational damage, financial losses, and lawsuits on top.

When Pysa encrypts your files, each one gets the .pysa filename extension. A file called “cat.avi” becomes “cat.avi.pysa” after infection. The attackers also drop a text-file ransom note with instructions on how to get the files back and an email address to contact.

Victims are allowed to send two files (no larger than 2 MB) to the criminals, who decrypt them as proof that they actually hold the key needed to restore the data.

How does Pysa encrypt your files?

Pysa encrypts all non-system files with AES, and the AES keys are in turn encrypted with an RSA public key whose private half is held only by the attackers. That is why removing the ransomware and restoring the operating system does not bring the files back: the key needed to decrypt them was never on the machine.
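To make that concrete, here is an added example (an illustration of the hybrid AES+RSA pattern written for this page, not Pysa's code and not derived from any sample) that encrypts one constructed file the way such a scheme does: a fresh random AES key per file, wrapped with an RSA public key whose private half never leaves the operator. It then shows that an unrelated private key cannot unwrap the file key while the operator's can. AES-GCM, RSA-OAEP, the key sizes and the file name are choices made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

const extension = ".pysa"

// EncryptedFile is what a hybrid AES+RSA scheme leaves behind for one file:
// the AES ciphertext plus the per-file AES key wrapped with the operator's RSA
// public key. Only the public key is ever present on the victim's machine.
type EncryptedFile struct {
	Name       string // original name with the extension appended
	WrappedKey []byte // 32-byte AES key, RSA-OAEP encrypted
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptFile: fresh random AES-256 key per file, AES-GCM for the content,
// RSA-OAEP to wrap the key, and the plaintext key is wiped afterwards.
func encryptFile(name string, plaintext []byte, pub *rsa.PublicKey) (*EncryptedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(name)) // file name bound as associated data
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range fileKey { // from here on only the RSA private key can reproduce it
		fileKey[i] = 0
	}
	return &EncryptedFile{Name: name + extension, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// decryptFile is the decryptor the operator sells: it needs the RSA private key.
func decryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap file key: %w", err)
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	original := strings.TrimSuffix(ef.Name, extension)
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, []byte(original))
}

// Scenario encrypts a constructed file with the operator's key pair, then tries
// to recover it with a key pair the operator never had (all a victim who has
// removed the malware is left with) and with the real one. It returns the
// on-disk name, whether the wrong key failed, and whether the right key
// recovered the exact plaintext.
func Scenario() (string, bool, bool, error) {
	operatorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	unrelatedKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	plaintext := []byte("constructed sample content standing in for cat.avi")
	ef, err := encryptFile("cat.avi", plaintext, &operatorKey.PublicKey)
	if err != nil {
		return "", false, false, err
	}
	_, err = decryptFile(ef, unrelatedKey)
	wrongKeyFails := err != nil
	got, err := decryptFile(ef, operatorKey)
	rightKeyWorks := err == nil && string(got) == string(plaintext)
	return ef.Name, wrongKeyFails, rightKeyWorks, nil
}

func main() {
	name, wrongFails, rightWorks, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk: %s\nunrelated private key recovers data: %v\noperator's private key recovers data: %v\n",
		name, !wrongFails, rightWorks)
}
```

The lesson sits in `Scenario()`: the victim host holds only the public key and the ciphertext, so wiping the binary changes nothing about recoverability. The only things that do are the operator's private key or a backup taken before the encryption ran.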

Before encrypting anything, the attackers exfiltrate sensitive data from the compromised systems so they have leverage over you (so-called double extortion). If you refuse to pay, they can publish the stolen data on their dark web leak site.

Even after paying, you can never be sure the attackers will hand over a working decryptor, or that they will delete the stolen data. Security experts and law enforcement discourage paying criminals and feeding their business model.

The most notorious Pysa ransomware attacks

  • In May 2020, MyBudget, an Australian financial services company, was hit by Pysa and stayed offline for almost two weeks. The criminals listed MyBudget’s name on their dark web leak site alongside other companies they had breached, to pressure them into paying. The name was later removed, which suggests the company negotiated with the attackers and met their demands.
  • In October 2020, Hackney Council in London confirmed it had been a victim of a Pysa ransomware attack, which affected its IT services. Several months later, criminals dumped a bunch of their stolen data online, containing passport details, photo IDs, and staff information.
  • In April 2021, Haverhill Public Schools in Massachusetts were closed after Pysa ransomware attacked their computer systems. Public schools are especially vulnerable to cyber attacks, as many of them use outdated software and their staff lack cybersecurity training. The FBI claims that Pysa has been used against a number of schools in the US and the UK and continues to search for new victims.

How to improve your security

Train your staff. Raising awareness among your employees about phishing emails and ransomware is key to successfully fighting cyber criminals. Many organizations conduct phishing simulations, so their employees can learn how to identify malicious emails.

Update your software on time. Postponing software updates can put a device at serious risk, as criminals might exploit a bug that was fixed months ago. Even in global corporations you can still find employees running old versions of software that should have been updated multiple times.

Use strong passwords and protect remote access. Use long passwords that combine uppercase and lowercase letters, numbers, and special characters, and make every password unique, as one compromised account can open the door to every service where it is reused. Because Pysa operators brute-force RDP and Active Directory credentials, this matters most for remote-access and administrator accounts: add multi-factor authentication and account lockout there, and do not leave RDP reachable directly from the internet.

Back up your files. Many people assume nothing will happen to them until it does. Don’t take unnecessary risks: back up your sensitive data regularly, keep at least one copy offline or otherwise unreachable from the network so the ransomware cannot encrypt it too, and test that you can actually restore from it. Keep in mind that a backup restores availability but does nothing about data the attackers have already stolen.

Use a VPN. A VPN routes your internet traffic through an encrypted tunnel, which keeps it private on networks you don’t control. If you often connect to public networks, having a VPN enabled on your device is an important layer of protection. With one NordVPN account you can protect up to six devices: laptops, tablets, smartphones, and more. NordVPN has more than 5,200 servers in 60 countries. Note that a VPN does not stop a phishing attachment or a ransomware payload from running; it raises the security of your connection, not of your endpoint.

Businesses can also use NordLayer to give employees secure access to company data and internal resources, rather than exposing services such as RDP directly to the internet.
