The Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Analysis reports to inform on impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations for protecting against them.
In this Threat Analysis Report, the GSOC investigates the PYSA ransomware. The PYSA ransomware came into awareness earlier this year when the Federal Bureau of Investigation (FBI) reported on the ransomware’s increased activity and high damaging impact.
The threat actors behind PYSA deploy the ransomware as part of attack operations with high-stake targets, such as government authorities, educational institutions, and the healthcare sector. This Threat Analysis report focuses on the implementation of the PYSA ransomware and the ransomware’s internal working principles when deployed on a compromised system.
PYSA is a new variant of the Mespinoza ransomware that first came to prominence in October 2019 when it infected large corporate networks. The French national computer emergency response team (CERT) reported in April 2020 that the PYSA ransomware has also targeted French local authorities. This has significantly raised the profile of this ransomware in the threat landscape. In March 2021, the FBI issued an alert stating that they have observed an increase in the PYSA ransomware targeting education institutions in 12 US states and the United Kingdom.
The operators of the PYSA ransomware have specifically targeted higher education, K-12 schools, and seminaries. In addition, the FBI reports on PYSA ransomware attacks targeting US and foreign government entities, private companies, and the healthcare sector since March 2020. In June 2021, the BlackBerry Threat Research and Intelligence SPEAR Team reported that it had observed the actors behind the PYSA ransomware conducting fully developed attack operations and deploying the ransomware at selected target organizations.
PYSA is a human-operated ransomware that does not have self-propagation capabilities. Threat actors manually deploy the PYSA ransomware as part of full attack operations. The FBI reports that the PYSA ransomware operators typically gain initial access to target systems through phishing email messages or by compromising credentials, such as brute-forcing Active Directory domain credentials or Remote Desktop Protocol (RDP) credentials.
Prior to the deployment of the PYSA ransomware on a compromised system, the malicious actors use publicly available and/or open-source tools for credential theft, stealthiness, privilege escalation, lateral movement, and so on. For example, they use the Advanced Port Scanner and the Advanced IP Scanner tools developed by Famatech Corp, which are port scanning and information gathering tools that enable users to discover and gather information on services running on network computers.
In addition, the ransomware operators use the tools PowerShell Empire, Koadic, PsExec, and Mimikatz for credential theft and lateral movement. Before deploying the PYSA ransomware, the actors execute PowerShell scripts that stop or remove system security mechanisms, such as Windows Defender. They also delete system restore snapshots and shadow copies so that victims cannot restore data encrypted by the ransomware.
Furthermore, the FBI reports that malicious actors use the WinScp tool for data exfiltration from victim systems before the data is encrypted. Also, the actors behind the PYSA ransomware use a double extortion tactic - if the victim refuses to pay for data decryption, the malicious actor threatens to leak the data online or sell it for profit:
Screenshot of the PYSA data leaks website
The operators of the PYSA ransomware communicate with their victims only via email. They refer to victims as “partners” and they do not use mechanisms typical for the currently trending Ransomware-as-a-Service (RaaS) business model, such as a ticketing system for communication with victims or online decryption services.
The PYSA ransomware is implemented in the C++ programming language and uses the open-source CryptoPP C++ library for data encryption. The ransomware encrypts data by applying a hybrid encryption approach that combines the use of the Advanced Encryption Standard-Cipher Block Chaining (AES-CBC) and the Rivest, Shamir, Adleman (RSA) encryption algorithms. This is to maximize both encryption performance and security.
The files that are encrypted by PYSA have the .pysa filename extension. The name PYSA may be derived from the Protect your system amigo slogan or from the Zanzibari coin with the same name. The Protect your system amigo slogan can be found in the ransom note that is left by the ransomware on compromised systems.
This section discusses the implementation and the operation of the PYSA ransomware. The following chart provides a summarizing overview of the operation of PYSA:
Summarizing overview of the operation of the PYSA ransomware
The PYSA ransomware process first detaches itself from the console, which closes the console. This allows the ransomware to operate without the console being a visual indicator of the ransomware’s operation. The PYSA ransomware then creates a mutex object named Pysa. If this mutex object already exists, the ransomware terminates. This is to ensure that only one instance of the PYSA ransomware runs at a time:
Creation of a mutex object named Pysa
The PYSA ransomware then enumerates drives with a fixed media attached to the compromised system. These are drives for which the Windows API function GetDriveTypeW returns 0x3 (DRIVE_FIXED), such as hard disks. For each drive with a fixed media, the PYSA ransomware creates a process thread, in whose context the ransomware conducts file enumeration and encryption.
The PYSA ransomware does this in two phases. In the first phase, it encrypts files that are whitelisted for encryption, these are files that have one of the filename extensions that are hardcoded in the file that implements the ransomware. The following table lists the filename extensions of files that are whitelisted for encryption:
.doc .xls .docx .xlsx .db .db3 .frm .ib .mdf .mwb .myd .ndf .sdf .trc .wrk .001 .acr .bac .bak |
.backupdb .bck .bkf .bkup .bup .fbk .mig .spf .sql .vhdx .vfd .avhdx .vmcx .vmrs .pbf .qic .sqb .tis .vbk .vbm |
.vrb .win .pst .mdb .7z .zip .rar .cad .dsd .dwg .pla .pln |
Filename extensions of files that the PYSA ransomware encrypts in the first phase
In the second phase, PYSA encrypts the rest of the files stored on the drive and stores a README.README file in each directory on the drive. The README.README file contains the ransom note. The ransom note contains the following:
In both phases, the PYSA ransomware:
PYSA does not encrypt the aforementioned files because encrypting system-critical files and files that have filename extensions typical for executable files (.exe, .dll, and .sys) renders the compromised system unbootable and unusable. In addition, the PYSA ransomware creates files itself with the filename extensions .README and .pysa. The encryption of these files means encrypting the ransom note and encrypting files already encrypted by PYSA:
The ransom note left by the PYSA ransomware on compromised systems
Before encrypting a file, the PYSA ransomware first renames the file by appending the filename extension .pysa to the filename, for example, test.txt becomes test.txt.pysa. PYSA then encrypts the file by applying a hybrid encryption approach. This approach combines the use of the AES-CBC and the RSA encryption algorithms. This is to maximize both encryption performance and security.
The PYSA ransomware first encrypts a file with the symmetric encryption algorithm AES-CBC. AES-CBC is by design more performant but less secure than the RSA encryption algorithm. This algorithm relies on a symmetric encryption key and an initialization vector (IV) for encryption security. To compensate for this disadvantage of AES-CBC, the ransomware then encrypts the AES-CBC symmetric key and IV with the RSA encryption algorithm. The PYSA ransomware uses the CryptoPP C++ library for encryption.
For each file being encrypted, PYSA first generates two random arrays of 16 bytes. The first byte array is an AES-CBC symmetric encryption key and the second is an initialization vector (IV). PYSA then encrypts the AES-CBC key and the IV using a 4096-bit RSA public key. This public key is Abstract Syntax Notation One (ASN.1)-encoded and is stored in Distinguished Encoding Rules (DER) format in the file that implements the PYSA ransomware:
The public key that the PYSA ransomware uses to encrypt AES-CBC keys and IVs
The PYSA ransomware then uses the HexEncoder class of CryptoPP library to encode in strings the data segments that are the encrypted AES-CBC key and IV. This encoding represents the digits of the hexadecimal representation of the bytes of these data segments as uppercase American Standard Code for Information Interchange (ASCII) characters.
The RSA-encrypted form of the AES-CBC key and IV is 512 bytes big due to the 4096-bit RSA key used for encryption. Therefore, the encoding operation results in two strings of 1024 bytes:
The unencrypted and RSA-encrypted form of an AES-CBC key and IV
The PYSA ransomware then encrypts 100 equal-sized data blocks of the file being encrypted, starting from the beginning of the file. For encrypting the data blocks, the ransomware uses the AES-CBC encryption algorithm with the previously generated AES-CBC key and IV. The ransomware calculates the size of a single data block for encryption (in bytes) by calculating:
where ⌊⌋ is the floor function and filesize is the size of the file in bytes.
Since AES-CBC operates in a block cipher mode, the encrypted form of the data blocks is equal in size to the data blocks themselves. After encrypting a data block, the PYSA ransomware writes the encrypted form of the data block in the file, replacing the original data block. This encryption procedure normally results in some data at the end of the file being left unencrypted:
Unencrypted and encrypted form of a file data block (data block size: 7168 bytes)
The ransomware then appends to the end of the file the strings that store the encrypted forms of the AES-CBC key and IV. Since each of these strings is 1024 bytes big, the size of the file that PYSA has encrypted is greater by 2 KB than the size of the original, unencrypted file. The ransomware then proceeds to encrypt the next file designated for encryption:
The encrypted form of an AES-CBC key and IV, appended to the end of a file
After it encrypts all files designated for encryption, the PYSA ransomware stores the value PYSA in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption and the ransom note in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext. This displays the ransom note to users at system start-up, which effectively brings the users’ attention to it.
The PYSA ransomware then releases the mutex Pysa and writes Windows batch script code into a file named update.bat. PYSA first places this file in the temporary directory of the user in whose context the ransomware executes (for example C:\Users\user\AppData\Local\Temp) and then executes it. update.bat deletes the file that implements the PYSA ransomware and the directory in which this file is stored. update.bat also deletes itself:
The content of update.bat
The Cybereason Defense Platform is able to detect and prevent the execution of the PYSA ransomware using multi-layer protection that detects and blocks ransomware with threat intelligence, machine learning and next-gen antivirus (NGAV) capabilities:
The Cybereason Defense Platform detects the PYSA ransomware based on threat intelligence
The Anti-Malware feature of the Cybereason Defense Platform detects and prevents the execution of the PYSA ransomware. Behavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and automatically generates a MalOpTM for it:
The Anti-Malware feature of the Cybereason Defense Platform detects the PYSA ransomware
In this section, the Cybereason GSOC provides additional, proactive ways for detecting the presence of the PYSA ransomware in systems, and defending against this threat.
The following YARA rule is useful for detecting the presence of the PYSA ransomware in the context of running processes or in the filesystem:
rule Pysa_ransomware { meta: description = "YARA rule for identifying the Pysa ransomware." author = "Aleksandar Milenkoski" date = "2021-07" strings: $code = { 68 00 04 00 00 ?? ?? E8 7C BD 02 00 ?? ?? E8 A5 C2 02 00 ?? ?? ?? ?? ?? ?? ?? ?? DD ?? ?? ?? ?? ?? ?? ?? DD ?? ?? E8 5D 81 03 00 59 ?? E8 B6 BE 02 00 } $s1 = "CryptoPP" ascii wide $s2 = "pysa" ascii wide nocase fullword $s3 = "Protect Your System Amigo" ascii wide nocase condition: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $s2 and 2 of ($code,$s1,$s3) } |
YARA rule for identifying the PYSA ransomware
The PYSA ransomware creates a mutex object named Pysa. If this mutex object already exists and is therefore locked, the ransomware terminates without encrypting any data. This is to the advantage of defenders such that a mutex object named Pysa can be locked by a legitimate process on a given system with the intention to stop any potential future execution of the PYSA ransomware on the system.
The PowerShell script below demonstrates this defense technique. The script creates, opens, and therefore locks a mutex object named Pysa, and releases the object when the user issues the Ctrl+C command. Users can execute the script by issuing the command powershell.exe ./pysa_mutex_lock.ps1 in the directory where the script file is stored, where pysa_mutex_lock.ps1 is the filename of the script file:
function create_pysa_mutex { $created = $False $mutex = New-Object -TypeName System.Threading.Mutex($true, "Pysa", [ref]$created) Write-Host "Mutex object named Pysa created, opened, and locked: $created." return $mutex } function release_pysa_mutex { param ( $mutex ) $mutex.ReleaseMutex() $mutex.Dispose() } $mutex = create_pysa_mutex try { while($true) { Start-Sleep -Seconds 1 } } finally{ release_pysa_mutex($mutex) Write-Host "Mutex object released." } |
PowerShell script that locks a mutex object named Pysa
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
Executables |
SHA-256 hash: 7FD3000A3AFBF077589C300F90B59864EC1FB716FEBA8E288ED87291C8FDF7C3 File size: 512512 bytes |
Associated files |
Readme.README %TEMP%\update.bat |
Mutex objects |
Pysa |
Email domains |
protonmail.com onionmail.org |
Registry keys |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticetext |
Execution |
Defense Evasion |
Discovery |
Impact |
Aleksandar Milenkoski is a Senior Threat and Malware Analyst with the Cybereason Global SOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. Prior to Cybereason, his work focussed on research in intrusion detection and reverse engineering security mechanisms of the Windows 10 operating system.