Skip to content

S0583 Pysa

Pysa is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.1

Item Value
ID S0583
Associated Names Mespinoza
Type MALWARE
Version 1.0
Created 01 March 2021
Last Modified 27 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Mespinoza 123

Techniques Used

Domain ID Name Use
enterprise T1110 Brute Force Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Pysa has used Powershell scripts to deploy its ransomware.1
enterprise T1059.006 Python Pysa has used Python scripts to deploy ransomware.1
enterprise T1486 Data Encrypted for Impact Pysa has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions.1
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Pysa has the capability to stop antivirus services and disable Windows Defender.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion Pysa has deleted batch files after execution. 1
enterprise T1490 Inhibit System Recovery Pysa has the functionality to delete shadow copies.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Pysa has executed a malicious executable by naming it svchost.exe.1
enterprise T1112 Modify Registry Pysa has modified the registry key “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System” and added the ransom note.1
enterprise T1046 Network Service Discovery Pysa can perform network reconnaissance using the Advanced Port Scanner tool.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Pysa can perform OS credential dumping using Mimikatz.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Pysa has laterally moved using RDP connections.1
enterprise T1489 Service Stop Pysa can stop services and processes.1
enterprise T1016 System Network Configuration Discovery Pysa can perform network reconnaissance using the Advanced IP Scanner tool.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Pysa has used PsExec to copy and execute the ransomware.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files Pysa has extracted credentials from the password database before encrypting the files.1

References