{
	"id": "38909141-8292-4128-9824-47d8de9e7abc",
	"created_at": "2026-04-06T01:29:58.51979Z",
	"updated_at": "2026-04-10T03:20:59.326937Z",
	"deleted_at": null,
	"sha1_hash": "031dc521976f00b6b6073e0873bc29edce24d64d",
	"title": "Threat Analysis Report: Inside the Destructive PYSA Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1348431,
	"plain_text": "Threat Analysis Report: Inside the Destructive PYSA Ransomware\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-06 00:31:27 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Analysis reports to inform on\r\nimpactful threats. The Threat Analysis reports investigate these threats and provide practical recommendations for\r\nprotecting against them.\r\nIn this Threat Analysis Report, the GSOC investigates the PYSA ransomware. The PYSA ransomware came into awareness\r\nearlier this year when the Federal Bureau of Investigation (FBI) reported on the ransomware’s increased activity and highly\r\ndamaging impact. \r\nThe threat actors behind PYSA deploy the ransomware as part of attack operations with high-stakes targets, such as\r\ngovernment authorities, educational institutions, and the healthcare sector. This Threat Analysis report focuses on the\r\nimplementation of the PYSA ransomware and the ransomware’s internal working principles when deployed on a\r\ncompromised system. \r\nWhat is PYSA Ransomware?\r\nHuman-Operated: PYSA is a human-operated ransomware that does not have self-propagation capabilities.\r\nThreat actors manually deploy the PYSA ransomware as part of full attack operations. The PYSA ransomware\r\noperators typically gain initial access to target systems by compromising credentials or through phishing\r\nemails. Prior to the deployment of the ransomware, the malicious actors use publicly available and/or open-source tools for credential theft, stealthiness, privilege escalation, lateral movement, and more.\r\nHybrid Encryption Approach: The PYSA ransomware is implemented in the C++ programming language\r\nand uses the open-source CryptoPP C++ library for data encryption. The ransomware encrypts data by\r\ncombining the use of the Advanced Encryption Standard-Cipher Block Chaining (AES-CBC) and the Rivest,\r\nShamir, Adleman (RSA) encryption algorithms. 
This is to maximize both encryption performance and\r\nsecurity. \r\nDouble Extortion: The PYSA ransomware operators use a double extortion tactic - if the victim refuses to\r\npay for data decryption, the malicious actor threatens to leak the data or sell it for profit. \r\nDetected and Prevented: The Cybereason Defense Platform effectively detects and prevents the PYSA\r\nransomware.\r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC has zero tolerance towards\r\nattacks that involve ransomware, such as PYSA, and categorizes such attacks as critical, high-severity\r\nincidents. The Cybereason GSOC MDR team issues a comprehensive report to customers when such an\r\nincident occurs. The report provides an in-depth overview of the incident, which helps to scope the extent of\r\ncompromise and the impact on the customer’s environment. In addition, the report provides attribution\r\ninformation when possible as well as recommendations for mitigating and isolating the threat.\r\nIntroduction\r\nPYSA is a new variant of the Mespinoza ransomware that first came to prominence in October 2019 when it infected large\r\ncorporate networks. The French national computer emergency response team (CERT) reported in April 2020 that the PYSA\r\nransomware has also targeted French local authorities. This has significantly raised the profile of this ransomware in the\r\nhttps://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware\r\nPage 1 of 15\n\nthreat landscape. In March 2021, the FBI issued an alert stating that they have observed an increase in the PYSA\r\nransomware targeting education institutions in 12 US states and the United Kingdom.\r\nThe operators of the PYSA ransomware have specifically targeted higher education, K-12 schools, and seminaries. In\r\naddition, the FBI reports on PYSA ransomware attacks targeting US and foreign government entities, private companies,\r\nand the healthcare sector since March 2020. 
In June 2021, the BlackBerry Threat Research and Intelligence SPEAR Team\r\nreported that it had observed the actors behind the PYSA ransomware conducting fully developed attack operations and\r\ndeploying the ransomware at selected target organizations.\r\nPYSA is a human-operated ransomware that does not have self-propagation capabilities. Threat actors manually deploy the\r\nPYSA ransomware as part of full attack operations. The FBI reports that the PYSA ransomware operators typically gain\r\ninitial access to target systems through phishing email messages or by compromising credentials, such as brute-forcing\r\nActive Directory domain credentials or Remote Desktop Protocol (RDP) credentials. \r\nPrior to the deployment of the PYSA ransomware on a compromised system, the malicious actors use publicly available\r\nand/or open-source tools for credential theft, stealthiness, privilege escalation, lateral movement, and so on. For example,\r\nthey use the Advanced Port Scanner and the Advanced IP Scanner tools developed by Famatech Corp, which are port\r\nscanning and information gathering tools that enable users to discover and gather information on services running on\r\nnetwork computers.\r\nIn addition, the ransomware operators use the tools PowerShell Empire, Koadic, PsExec, and Mimikatz for credential theft\r\nand lateral movement. Before deploying the PYSA ransomware, the actors execute PowerShell scripts that stop or remove\r\nsystem security mechanisms, such as Windows Defender. They also delete system restore snapshots and shadow copies so\r\nthat victims cannot restore data encrypted by the ransomware.\r\nFurthermore, the FBI reports that malicious actors use the WinScp tool for data exfiltration from victim systems before the\r\ndata is encrypted. 
Also, the actors behind the PYSA ransomware use a double extortion tactic - if the victim refuses to pay\r\nfor data decryption, the malicious actor threatens to leak the data online or sell it for profit:\r\nScreenshot of the PYSA data leaks website\r\nThe operators of the PYSA ransomware communicate with their victims only via email. They refer to victims as “partners”\r\nand they do not use mechanisms typical for the currently trending Ransomware-as-a-Service (RaaS) business model, such as\r\na ticketing system for communication with victims or online decryption services.\r\nThe PYSA ransomware is implemented in the C++ programming language and uses the open-source CryptoPP C++ library\r\nfor data encryption. The ransomware encrypts data by applying a hybrid encryption approach that combines the use of the\r\nAdvanced Encryption Standard-Cipher Block Chaining (AES-CBC) and the Rivest, Shamir, Adleman (RSA) encryption\r\nalgorithms. This is to maximize both encryption performance and security.\r\nThe files that are encrypted by PYSA have the .pysa filename extension. The name PYSA may be derived from the Protect\r\nyour system amigo slogan or from the Zanzibari coin with the same name. The Protect your system amigo slogan can be\r\nfound in the ransom note that is left by the ransomware on compromised systems.\r\nPysa Ransomware Analysis\r\nThis section discusses the implementation and the operation of the PYSA ransomware. 
The following chart provides a\r\nsummarizing overview of the operation of PYSA:\r\nSummarizing overview of the operation of the PYSA ransomware\r\nThe PYSA ransomware process first detaches itself from the console, which closes the console. This allows the ransomware\r\nto operate without the console being a visual indicator of the ransomware’s operation. The PYSA ransomware then creates a\r\nmutex object named Pysa. If this mutex object already exists, the ransomware terminates. This is to ensure that only one\r\ninstance of the PYSA ransomware runs at a time:\r\nCreation of a mutex object named Pysa\r\nThe PYSA ransomware then enumerates drives with fixed media attached to the compromised system. These are drives for\r\nwhich the Windows API function GetDriveTypeW returns 0x3 (DRIVE_FIXED), such as hard disks. For each drive with\r\nfixed media, the PYSA ransomware creates a process thread, in whose context the ransomware conducts file enumeration\r\nand encryption.\r\nThe PYSA ransomware does this in two phases. In the first phase, it encrypts files that are whitelisted for encryption. These\r\nare files that have one of the filename extensions that are hardcoded in the file that implements the ransomware. 
The\r\nfollowing list gives the filename extensions of files that are whitelisted for encryption:\r\n.doc, .xls, .docx, .xlsx, .pdf, .db, .db3, .frm, .ib, .mdf, .mwb, .myd, .ndf, .sdf, .trc, .wrk, .001, .acr, .bac, .bak, .backupdb,\r\n.bck, .bkf, .bkup, .bup, .fbk, .mig, .spf, .sql, .vhdx, .vfd, .avhdx, .vmcx, .vmrs, .pbf, .qic, .sqb, .tis, .vbk, .vbm, .vrb, .win,\r\n.pst, .mdb, .7z, .zip, .rar, .cad, .dsd, .dwg, .pla, .pln\r\nFilename extensions of files that the PYSA ransomware encrypts in the first phase\r\nIn the second phase, PYSA encrypts the rest of the files stored on the drive and stores a README.README file in each\r\ndirectory on the drive. The README.README file contains the ransom note. The ransom note contains the following:\r\nThe Protect your system amigo slogan, which the name PYSA may be derived from.\r\nText informing the victims that the malicious actors have exfiltrated data from the compromised system and\r\nthat they will expose this data to the public, or sell the data, if payment is not made. This is a double extortion\r\ntactic. \r\nA link to a data leaks website.\r\nA list of email addresses for communication with the attackers. \r\nIn both phases, the PYSA ransomware:\r\nEncrypts only files that are bigger than 1 KB in size.\r\nDoes not encrypt files that are blacklisted for encryption. These are: \r\nsystem-critical files, such as pagefile.sys, the Windows boot manager and files stored in system-critical\r\ndirectories, for example, Windows, Boot, and System Volume Information; \r\nfiles that have one of the following filename extensions: .exe, .dll, .search-ms, .sys, .README, or\r\n.pysa. 
\r\nPYSA does not encrypt the aforementioned files because encrypting system-critical files and files that have filename\r\nextensions typical for executable files (.exe, .dll, and .sys) renders the compromised system unbootable and unusable. In\r\naddition, the PYSA ransomware creates files itself with the filename extensions .README and .pysa. The encryption of\r\nthese files means encrypting the ransom note and encrypting files already encrypted by PYSA:\r\nThe ransom note left by the PYSA ransomware on compromised systems\r\nBefore encrypting a file, the PYSA ransomware first renames the file by appending the filename extension .pysa to the\r\nfilename, for example, test.txt becomes test.txt.pysa. PYSA then encrypts the file by applying a hybrid encryption approach.\r\nThis approach combines the use of the AES-CBC and the RSA encryption algorithms. This is to maximize both encryption\r\nperformance and security.\r\nThe PYSA ransomware first encrypts a file with the symmetric encryption algorithm AES-CBC. AES-CBC is by design\r\nmore performant but less secure than the RSA encryption algorithm. This algorithm relies on a symmetric encryption key\r\nand an initialization vector (IV) for encryption security. To compensate for this disadvantage of AES-CBC, the ransomware\r\nthen encrypts the AES-CBC symmetric key and IV with the RSA encryption algorithm. The PYSA ransomware uses the\r\nCryptoPP C++ library for encryption. \r\nFor each file being encrypted, PYSA first generates two random arrays of 16 bytes. The first byte array is an AES-CBC\r\nsymmetric encryption key and the second is an initialization vector (IV). PYSA then encrypts the AES-CBC key and the IV\r\nusing a 4096-bit RSA public key. 
This public key is Abstract Syntax Notation One (ASN.1)-encoded and is stored in\r\nDistinguished Encoding Rules (DER) format in the file that implements the PYSA ransomware:\r\nThe public key that the PYSA ransomware uses to encrypt AES-CBC keys and IVs\r\nThe PYSA ransomware then uses the HexEncoder class of the CryptoPP library to encode as strings the data segments that are\r\nthe encrypted AES-CBC key and IV. This encoding represents the digits of the hexadecimal representation of the bytes of\r\nthese data segments as uppercase American Standard Code for Information Interchange (ASCII) characters.\r\nThe RSA-encrypted form of the AES-CBC key and IV is 512 bytes in size due to the 4096-bit RSA key used for encryption.\r\nTherefore, the encoding operation results in two strings of 1024 bytes:\r\nThe unencrypted and RSA-encrypted form of an AES-CBC key and IV\r\nThe PYSA ransomware then encrypts 100 equal-sized data blocks of the file being encrypted, starting from the beginning of\r\nthe file. For encrypting the data blocks, the ransomware uses the AES-CBC encryption algorithm with the previously\r\ngenerated AES-CBC key and IV. The ransomware calculates the size of a single data block for encryption (in bytes) by\r\ncalculating:\r\nwhere ⌊⌋ is the floor function and filesize is the size of the file in bytes.\r\nSince AES-CBC operates in a block cipher mode, the encrypted form of the data blocks is equal in size to the data blocks\r\nthemselves. After encrypting a data block, the PYSA ransomware writes the encrypted form of the data block in the file,\r\nreplacing the original data block. 
This encryption procedure normally results in some data at the end of the file being left\r\nunencrypted:\r\nUnencrypted and encrypted form of a file data block (data block size: 7168 bytes)\r\nThe ransomware then appends to the end of the file the strings that store the encrypted forms of the AES-CBC key and IV.\r\nSince each of these strings is 1024 bytes big, the size of the file that PYSA has encrypted is greater by 2 KB than the size of\r\nthe original, unencrypted file. The ransomware then proceeds to encrypt the next file designated for encryption:\r\nThe encrypted form of an AES-CBC key and IV, appended to the end of a file\r\nAfter it encrypts all files designated for encryption, the PYSA ransomware stores the value PYSA in the registry key\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticecaption and the\r\nransom note in the registry key\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticetext. This displays\r\nthe ransom note to users at system start-up, which effectively brings the users’ attention to it.\r\nThe PYSA ransomware then releases the mutex Pysa and writes Windows batch script code into a file named update.bat.\r\nPYSA first places this file in the temporary directory of the user in whose context the ransomware executes (for example\r\nC:\\Users\\user\\AppData\\Local\\Temp) and then executes it. update.bat deletes the file that implements the PYSA ransomware\r\nand the directory in which this file is stored. 
update.bat also deletes itself:\r\nThe content of update.bat\r\nDetection and Prevention\r\nCybereason Prevents PYSA Ransomware\r\nThe Cybereason Defense Platform is able to detect and prevent the execution of the PYSA ransomware using multi-layer\r\nprotection that detects and blocks ransomware with threat intelligence, machine learning and next-gen antivirus (NGAV)\r\ncapabilities:\r\nThe Cybereason Defense Platform detects the PYSA ransomware based on threat intelligence\r\nThe Anti-Malware feature of the Cybereason Defense Platform detects and prevents the execution of the PYSA ransomware.\r\nBehavioral detection techniques in the platform are able to detect and prevent any attempt to encrypt files and automatically\r\ngenerate a MalOp™ for it:\r\nThe Anti-Malware feature of the Cybereason Defense Platform detects the PYSA ransomware\r\nCybereason GSOC MDR\r\nIn this section, the Cybereason GSOC provides additional, proactive ways for detecting the presence of the PYSA\r\nransomware in systems, and defending against this threat.\r\nYARA-Based Detection\r\nThe following YARA rule is useful for detecting the presence of the PYSA ransomware in the context of running processes\r\nor in the filesystem: \r\nrule Pysa_ransomware\r\n{\r\nmeta:\r\n    description = \"YARA rule for identifying the Pysa ransomware.\"\r\n    author = \"Aleksandar Milenkoski\"\r\n    date = \"2021-07\"\r\nstrings:\r\n    $code = { 68 00 04 00 00 ?? ?? E8 7C BD 02 00 ?? ?? E8 A5 C2 02 00 ?? ?? ?? ?? ?? ?? ?? ?? \r\n    DD ?? ?? ?? ?? ?? ?? ?? DD ?? ?? E8 5D 81 03 00 59 ?? 
E8 B6 BE 02 00 }\r\n    $s1 = \"CryptoPP\" ascii wide\r\n    $s2 = \"pysa\" ascii wide nocase fullword\r\n    $s3 = \"Protect Your System Amigo\" ascii wide nocase\r\ncondition:\r\n    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $s2 and 2 of ($code,$s1,$s3)\r\n}\r\nYARA rule for identifying the PYSA ransomware\r\nMutex Object Locking\r\nThe PYSA ransomware creates a mutex object named Pysa. If this mutex object already exists and is therefore locked, the\r\nransomware terminates without encrypting any data. This is to the advantage of defenders such that a mutex object named\r\nPysa can be locked by a legitimate process on a given system with the intention to stop any potential future execution of the\r\nPYSA ransomware on the system.\r\nThe PowerShell script below demonstrates this defense technique. The script creates, opens, and therefore locks a mutex\r\nobject named Pysa, and releases the object when the user issues the Ctrl+C command. Users can execute the script by\r\nissuing the command powershell.exe ./pysa_mutex_lock.ps1 in the directory where the script file is stored, where\r\npysa_mutex_lock.ps1 is the filename of the script file:\r\nfunction create_pysa_mutex\r\n{\r\n    # Request initial ownership ($true) so the mutex is held by this process.\r\n    # A name without a Global\\ prefix creates the mutex in the current session's namespace.\r\n    $created = $False\r\n    $mutex = New-Object -TypeName System.Threading.Mutex($true, \"Pysa\", [ref]$created)\r\n    Write-Host \"Mutex object named Pysa created, opened, and locked: $created.\"\r\n    return $mutex\r\n}\r\nfunction release_pysa_mutex\r\n{\r\n    param (\r\n        $mutex\r\n    )\r\n    # Give up ownership and close the handle.\r\n    $mutex.ReleaseMutex()\r\n    $mutex.Dispose()\r\n}\r\n$mutex = create_pysa_mutex\r\ntry\r\n{\r\n    # Hold the mutex until the user presses Ctrl+C; the finally block then releases it.\r\n    while($true)\r\n    {\r\n        Start-Sleep -Seconds 1\r\n    }\r\n}\r\nfinally\r\n{\r\n    release_pysa_mutex $mutex\r\n    Write-Host \"Mutex object released.\"\r\n}\r\nPowerShell script that locks a mutex object named Pysa\r\nGeneral Recommendations\r\nEnable 
the Anti-Ransomware feature on the Cybereason NGAV and set the Anti-Ransomware protection mode\r\nto Prevent.\r\nEnable the Anti-Malware feature on the Cybereason NGAV and enable the Detect and Prevent modes of this\r\nfeature.\r\nMake sure your systems are patched in a timely manner in order to minimize the risk of ransomware infections by\r\nvulnerability exploitation.\r\nUse secure passwords, regularly rotate passwords, and use multi-factor authentication where possible.\r\nDisable unused RDP services, properly secure used RDP services, and regularly monitor RDP log data for\r\nbrute-force attempts and other irregular activities. \r\nRegularly back up files to a secured remote location and implement a data recovery plan. Regular data backups\r\nensure that you can restore your data after a ransomware attack. \r\nSecurely handle email messages that originate from external sources. This includes disabling hyperlinks and\r\ninvestigating the content of email messages to identify phishing attempts.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere -\r\nincluding modern ransomware. 
Learn more about ransomware defense here or schedule a demo today to learn how your\r\norganization can benefit from an operation-centric approach to security.\r\nIndicators of Compromise\r\nExecutables: SHA-256 hash 7FD3000A3AFBF077589C300F90B59864EC1FB716FEBA8E288ED87291C8FDF7C3 (file size: 512512 bytes)\r\nAssociated files: Readme.README, %TEMP%\\update.bat\r\nMutex objects: Pysa\r\nEmail domains: protonmail.com, onionmail.org\r\nRegistry keys: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticecaption,\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\legalnoticetext\r\nMITRE ATT\u0026CK Techniques\r\nExecution: Native API\r\nDefense Evasion: Indicator Removal on Host: File Deletion; Modify Registry\r\nDiscovery: File and Directory Discovery\r\nImpact: Data Encrypted for Impact\r\nAbout the Researcher:\r\nAleksandar Milenkoski, Senior Threat and Malware Analyst, Cybereason Global SOC\r\nAleksandar Milenkoski is a Senior Threat and Malware Analyst with the Cybereason Global SOC team. He is involved\r\nprimarily in reverse engineering and threat research activities. Aleksandar has a PhD in system security. Prior to Cybereason,\r\nhis work focussed on research in intrusion detection and reverse engineering security mechanisms of the Windows 10\r\noperating system.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on every\r\ncontinent. 
Led by cybersecurity experts with experience working for government, the military and multiple industry\r\nverticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive threats to support\r\nour mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle moves.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware"
	],
	"report_names": [
		"threat-analysis-report-inside-the-destructive-pysa-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775438998,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/031dc521976f00b6b6073e0873bc29edce24d64d.pdf",
		"text": "https://archive.orkl.eu/031dc521976f00b6b6073e0873bc29edce24d64d.txt",
		"img": "https://archive.orkl.eu/031dc521976f00b6b6073e0873bc29edce24d64d.jpg"
	}
}