S0583 Pysa
Pysa is ransomware that was first used in October 2018 and has been observed targeting particularly high-value finance, government, and healthcare organizations.[1]
Item | Value |
---|---|
ID | S0583 |
Associated Names | Mespinoza |
Type | MALWARE |
Version | 1.0 |
Created | 01 March 2021 |
Last Modified | 27 April 2021 |
Associated Software Descriptions
Name | Description |
---|---|
Mespinoza | [1][2][3] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1110 | Brute Force | Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Pysa has used PowerShell scripts to deploy its ransomware.[1] |
enterprise | T1059.006 | Python | Pysa has used Python scripts to deploy ransomware.[1] |
enterprise | T1486 | Data Encrypted for Impact | Pysa has used the RSA and AES-CBC encryption algorithms to encrypt files matching a list of targeted file extensions.[1] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | Pysa has the capability to stop antivirus services and disable Windows Defender.[1] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | Pysa has deleted batch files after execution.[1] |
enterprise | T1490 | Inhibit System Recovery | Pysa has the functionality to delete shadow copies.[1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Pysa has executed a malicious executable by naming it svchost.exe.[1] |
enterprise | T1112 | Modify Registry | Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.[1] |
enterprise | T1046 | Network Service Discovery | Pysa can perform network reconnaissance using the Advanced Port Scanner tool.[1] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | Pysa can perform OS credential dumping using Mimikatz.[1] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | Pysa has moved laterally using RDP connections.[1] |
enterprise | T1489 | Service Stop | Pysa can stop services and processes.[1] |
enterprise | T1016 | System Network Configuration Discovery | Pysa can perform network reconnaissance using the Advanced IP Scanner tool.[1] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Pysa has used PsExec to copy and execute the ransomware.[1] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | Pysa has extracted credentials from the password database before encrypting the files.[1] |
References
- [1] CERT-FR. (2020, April 1). Attacks Involving the Mespinoza/Pysa Ransomware. Retrieved March 1, 2021.
- [2] The DFIR Report. (2020, November 23). PYSA/Mespinoza Ransomware. Retrieved March 17, 2021.
- [3] NHS Digital. (2020, October 10). Pysa Ransomware: Another 'big-game hunter' ransomware. Retrieved March 17, 2021.