Pysa Ransomware | Intel 471

Pysa Ransomware

Mar 24, 2021

PYSA OVERVIEW

The Pysa Ransomware is a popular Ransomware-as-a-Service (RaaS) that has been observed operating since at least mid-2019. The name "Pysa" is possibly derived from the Zanzibari coin of the same name. The actors have also claimed the name to be an acronym for "Protect Your System Amigo."

ACTORS

Actors who use the Pysa RaaS also frequently engage in doxware operations: they exfiltrate data before encryption and threaten to disclose it on their leak site should the ransom not be paid.

OBSERVABLES

Hi Company,

Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.

To get all your data back contact us:
[email protected]
[email protected]
--------------

FAQ:

1.
 Q: How can I make sure you don't fooling me?
 A: You can send us 2 files(max 2mb).

2.
 Q: What to do to get all data back?
 A: Don't restart the computer, don't move files and write us.

3.
 Q: What to tell my boss?
 A: Protect Your System Amigo.

Ref: https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html
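A triage check for the ransom note text shown above, added here as an example and not taken from the original post or the referenced analysis. It flags a file only when several of the note's phrases occur together. The function names, the threshold of 3 and the encoding handling are assumptions.

```python
import codecs
import re

# Phrases copied from the ransom note on this page, lowercased. The contact
# addresses are redacted on the page, so they are not used as indicators.
NOTE_PHRASES = (
    "every byte on any types of your devices was encrypted",
    "don't try to use backups because it were encrypted too",
    "to get all your data back contact us",
    "how can i make sure you don't fooling me",
    "don't restart the computer, don't move files and write us",
    "protect your system amigo",
)

def decode_note(raw: bytes) -> str:
    """Decode note bytes as UTF-16 (BOM or NUL-interleaved ASCII) or UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16", errors="replace")
    if raw[1:2] == b"\x00":  # BOM-less UTF-16LE text
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def normalise(text: str) -> str:
    """Fold curly apostrophes, collapse whitespace runs, lowercase."""
    text = text.replace("\u2018", "'").replace("\u2019", "'")
    return re.sub(r"\s+", " ", text).lower()

def matched_phrases(raw: bytes) -> list[str]:
    """Return the note phrases found in the decoded, normalised content."""
    text = normalise(decode_note(raw))
    return [p for p in NOTE_PHRASES if p in text]

def is_pysa_note(raw: bytes, threshold: int = 3) -> bool:
    """Flag only when several phrases co-occur (threshold is an assumption)."""
    return len(matched_phrases(raw)) >= threshold

# Constructed samples: an excerpt of the note above with CRLF line endings,
# and a benign sentence that quotes only the acronym.
SAMPLE_NOTE = (
    "Hi Company,\r\n\r\n"
    "Every byte on any types of your devices was encrypted.\r\n"
    "Don't try to use backups because it were encrypted too.\r\n\r\n"
    "To get all your data back contact us:\r\n"
    " Q: What to tell my boss?\r\n A: Protect Your System Amigo.\r\n"
)
BENIGN = 'The name is claimed to stand for "Protect Your System Amigo."'

if __name__ == "__main__":
    for name, data in (("note", SAMPLE_NOTE.encode("utf-16")), ("benign", BENIGN.encode())):
        print(name, is_pysa_note(data), matched_phrases(data))
```

Requiring several phrases keeps reports and tickets that merely quote the acronym from being flagged as ransom notes.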