Analysis shows details of PYSA ransomware, one of the most active threats of 2021

Security company ESET has carried out an in-depth analysis of the PYSA ransomware (the name is an acronym for "Protect Your System Amigo"), which demands ransom payments, usually in cryptocurrency, in exchange for restoring access to the victim's files.

PYSA ransomware is a threat operating under the Ransomware-as-a-Service (RaaS) model. It emerged in December 2019 and, like many other threats, gained notoriety during late 2020.

The fact that PYSA works as a RaaS implies that the developers of this ransomware recruit affiliates responsible for distributing the threat in exchange for a percentage of the profits made from the payments that victims make to recover their files from encryption.

In addition to collecting ransoms, PYSA applies further extortion techniques against victims who refuse to pay, such as exfiltrating files and cold calling (phone calls that put pressure on companies). Among its victims are organizations from Argentina, Brazil, Colombia and Mexico.

The operators behind PYSA maintain a dark web site that is updated with information about their most recent victims, as well as the exfiltrated files of companies that failed to pay. According to the website Darktracer, the ransomware had already claimed 307 victims over its entire history of operation, in countries such as Spain, Argentina, Brazil, Colombia and Mexico.

Operation mode

PYSA was very active in 2021. (Image: Reproduction/ESET)

Unlike other well-known ransomware families, PYSA does not automatically exploit technical vulnerabilities. Instead, the attackers seek to gain access to their victims' systems, often through phishing emails tailored to the targets or through brute-force attacks against publicly exposed, poorly protected RDP services.

Furthermore, before deploying the ransomware on the victim's system, the operators behind PYSA use penetration-testing tools to perform reconnaissance inside the network: harvesting additional credentials, escalating privileges, moving laterally across compromised hosts, and so on.

Upon execution, PYSA creates a mutex (a system object used as a lock so that only one instance of a program performs a given action) to ensure that no other copy of the ransomware is running on the same computer. If the mutex already exists, the threat terminates to avoid double-encrypting the victim's files. If it continues to run, the threat follows a very specific list of steps:

  • Creates the threads that will carry out the encryption;
  • Modifies the system registry so that the ransom note shown to the victim is opened every time the computer boots;
  • Prepares a script, called update.bat, that removes any file-level trace of the threat;
  • Scans the computer's file system and generates two lists, called whitelist and blacklist, to control which documents will and will not be encrypted;
  • Encrypts the contents of the files on the whitelist and leaves the blacklisted files untouched.
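As an added defensive example (not code from ESET's analysis or from the page), the following Python audit flags autorun registry entries that match the two persistence steps described above: a note opened at every boot instead of a program, and a cleanup script launched from a scratch directory. The registry keys, file names and sample entries are constructed for illustration and are not PYSA indicators.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of autorun entries (registry key, value name, command),
# as an endpoint collector might export them. These are NOT real PYSA
# indicators; value and file names are invented for illustration.
SAMPLE_AUTORUNS = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r'"C:\Windows\System32\SecurityHealthSystray.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Recover",
     r"notepad.exe C:\Users\alice\RECOVER_FILES.txt"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Cleanup",
     r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\update.bat"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

DOCUMENT_EXT = {".txt", ".hta", ".html", ".htm", ".rtf"}  # a note, not a program
SCRIPT_EXT = {".bat", ".cmd", ".vbs", ".ps1"}             # cleanup-style scripts
TEMP_HINTS = ("\\temp\\", "\\tmp\\", "\\public\\", "\\programdata\\")

# Match either a quoted path or a bare drive-letter path inside a command line.
_PATH_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s"]+)')


def classify_autorun(key, name, command):
    """Return the reasons (possibly none) an autorun entry resembles the
    persistence described above: a note opened at boot, or a script in a
    scratch directory that erases the threat's files."""
    reasons = []
    for quoted, bare in _PATH_RE.findall(command):
        path = quoted or bare
        ext = PureWindowsPath(path).suffix.lower()
        if ext in DOCUMENT_EXT:
            reasons.append(f"opens a document ({ext}) at startup instead of a program")
        if ext in SCRIPT_EXT and any(h in path.lower() for h in TEMP_HINTS):
            reasons.append(f"runs a script ({ext}) from a temporary directory at startup")
    return reasons


def audit_autoruns(entries):
    """Keep only the (key, name, command, reasons) tuples that raised a reason."""
    return [(k, n, c, r) for k, n, c in entries if (r := classify_autorun(k, n, c))]


if __name__ == "__main__":
    for key, name, command, reasons in audit_autoruns(SAMPLE_AUTORUNS):
        print(f"{key}\\{name}: {command}")
        for reason in reasons:
            print(f"   - {reason}")
```

On a real host the entries would come from an autorun collector export rather than the constructed list; the heuristics are deliberately narrow and will miss legitimate-looking executables dropped by the same threat.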

How to protect yourself from PYSA

To protect yourself from the PYSA ransomware threat, ESET recommends the following steps:

  • Avoid opening suspicious communications that arrive by email or through social network messages, and do not interact with the files or websites attached to them;
  • Configure Remote Desktop Protocol (RDP) access correctly and disable it wherever it is not needed;
  • Implement strong passwords and two-factor authentication across all possible technologies to prevent brute force attacks;
  • Download programs and files from official and trusted sources;
  • Use a reliable security solution and keep it up to date;
  • Make backups of critical or irreplaceable information regularly.

Read the article on A Market Analysis.
