{
	"id": "80cc67f6-c092-4a20-9f1f-d9604ece9e80",
	"created_at": "2026-04-06T01:30:37.542047Z",
	"updated_at": "2026-04-10T03:20:43.460458Z",
	"deleted_at": null,
	"sha1_hash": "b55bad92c73047b533155e20a79b5d1ee0c63e01",
	"title": "Cyble - Pysa Ransomware Under The Lens: A Deep-Dive Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1351421,
	"plain_text": "Cyble - Pysa Ransomware Under The Lens: A Deep-Dive Analysis\r\nBy cybleinc\r\nPublished: 2021-11-29 · Archived: 2026-04-06 01:14:58 UTC\r\nA human-operated ransomware, Pysa encrypts the victim files and drops ransom notes to instruct users on how to recover the files.\r\nInitially observed in 2019, Pysa ransomware has actively targeted organizations in many countries. Once executed on the victim machine, Pysa encrypts the victim files and drops ransom notes to instruct users on how to recover the files in exchange for the ransom amount. It is human-operated ransomware and does not have self-propagation capability. Once the Threat Actor (TA) is done with the data exfiltration from the victim machine or organization, they execute Pysa for the encryption. The Pysa ransomware group is also known for double extortion.\r\nPresently there are 190+ victims of the Pysa ransomware across the world, and the image below shows the heat map of countries impacted by the Pysa ransomware.\r\nFigure 1 Pysa Ransomware Heat Map\r\nThe top 5 countries affected by Pysa are the US, UK, Canada, Spain, and Brazil. Pysa has impacted industries such as Education, Utilities, Transportation, Construction, Healthcare, and Business Services. The Pysa ransomware group operates from the dark web site pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad[.]onion, as shown below.\r\nhttps://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/\r\nPage 1 of 11\r\nFigure 2 TOR Website of Pysa Ransomware group\r\nThe image below shows the high-level execution diagram of the Pysa ransomware. Initially, the ransomware creates a mutex with the name Pysa, and later it enumerates drives in the victim’s system. Additionally, it goes through files and directories to search for targeted files having specific extensions that are hardcoded in the malware. Once found, the ransomware appends the ‘.pysa’ extension to the victim files and encrypts the content as a priority, followed by the encryption of the rest of the files. Later it carries out the registry modification and finally creates a file called update.bat for self-deletion.\r\nFigure 3 High-level Execution Flow of Pysa Ransomware\r\nIn this report, Cyble Research Labs has covered the deep-dive analysis of the Pysa ransomware to understand its behaviour and infection mechanism.\r\nTechnical Analysis\r\nThe static properties of Pysa ransomware tell us that the ransomware is an x86 Windows Portable Executable (PE) written in C/C++ and compiled on 2021-10-11 10:21:04, as shown below.\r\nFigure 4 Static Information of Pysa\r\nUpon execution of the ransomware, it creates a process tree, as shown below.\r\nFigure 5 Process Tree\r\nAfter successful execution, the malware infects the victim’s files and appends the extension ‘.pysa’, as shown below.\r\nFigure 6 Ransomware appends .pysa extension\r\nThe image below showcases the content of the ransom note in which the TA instructs victims to pay the ransom amount. In case the victim fails to pay the demanded ransom, the TA threatens to upload the data on their leak website or sell it to cybercriminals in the darknet.\r\nFigure 7 Ransom Note Created by P\r\nCode Analysis\r\nAs shown in the below code, the ransomware first creates a mutex with the name “pysa”. The mutex has been designed to ensure that only one instance of the ransomware is running in the victim system at a time.\r\nFigure 8 Code for creating Mutex\r\nLater, the ransomware enumerates the victim’s drives using the Application Programming Interface (API) GetLogicalDriveStringsW and uses the GetDriveTypeW API to ensure that the drive is a fixed drive (0x03), such as a hard disk.\r\nFigure 9 Enumerates Drives and Checks if the Drive is a Fixed drive\r\nOnce the list of drives is found, the ransomware creates a thread using the CreateThread API and passes the drive letter as a parameter for the infection, as shown below.\r\nFigure 10 Creates Thread for Infection\r\nEach directory found by the ransomware is compared with the list below, as the ransomware does not infect files present in these directories.\r\nFigure 11 Whitelisted Directories\r\nOnce the malware has found the files present in the victim machine, the ransomware compares the file extensions with the list below.\r\n.doc .myd .bkf .pbf .zip\r\n.xls .ndf .bkup .qic .rar\r\n.docx .sdf .bup .sqb .cad\r\n.xlsx .trc .fbk .tis .dsd\r\n.pdf .wrk .mig .vbk .dwg\r\n.db .001 .spf .vbm .pla\r\n.db3 .acr .vhdx .vrb .pln\r\n.frm .bac .vfd .win\r\n.ib .bak .avhdx .pst\r\n.mdf .backupdb .vmcx .mdb\r\n.mwb .bck .vmrs .7z\r\nTable 1 Targeted File Extensions\r\nOnce the victim’s file extension matches the above list, the ransomware calls the MoveFileW API to append the .pysa extension, as shown in the below figure.\r\nFigure 12 Appends .pysa Extension\r\nAs shown in the below code, the ransomware reads the content from the files.\r\nFigure 13 Reads Plain Text Content\r\nOnce the plain text content has been read, it encrypts it using Advanced Encryption Standard (AES) 256 and then writes the encrypted content into the file.\r\nFigure 14 Write Encrypted Content into the File\r\nOnce the above process is done, the ransomware creates ransom notes and encrypts the remaining files in the victim machine.\r\nFurthermore, the Pysa ransomware creates two registry entries under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System: legalnoticetext, whose value is the ransom note content, and legalnoticecaption, whose value is PYSA, as shown in the below code.\r\nFigure 15 Create registry entry legalnoticetext and legalnoticecaption\r\nThe ransomware creates the legalnoticetext entry and inserts the ransom note content into it.\r\nFigure 16 Creates registry legalnoticetext\r\nAnother entry is created with the name legalnoticecaption and the content PYSA.\r\nFigure 17 Creates registry legalnoticecaption\r\nFinally, the ransomware releases the mutex and drops an update.bat file under the Temp folder of the currently logged-in user containing the content below.\r\n:Repeat\r\ndel “C:\\\\Users\\\\MalWorkstation\\\\Desktop\\\\Evil2.exe”\r\nif exist “C:\\\\Users\\\\MalWorkstation\\\\Desktop\\\\Evil2.exe” goto Repeat\r\nrmdir “C:\\\\Users\\\\MalWorkstation\\\\Desktop”\r\ndel “C:\\\\Users\\\\MALWOR~1\\\\AppData\\\\Local\\\\Temp\\\\update.bat”\r\nTable 2 Content of update.bat\r\nUsing the above script, the malware performs the self-delete operation to remove its traces.\r\nConclusion\r\nThe Pysa ransomware has multiple victims around the world, and the initial execution is manual, after the TA exfiltrates the data from the victim’s machine. The Pysa ransomware is one of the many ransomware families present on the surface web that can encrypt user files using a strong encryption algorithm and leave ransom notes instructing users on how to recover the files.\r\nCyble Research Labs is continuously monitoring Pysa’s activities, and we keep informing our clients with recent updates about this campaign.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nConduct regular backup practices and keep those backups offline or in a separate network.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic Technique ID Technique Name\r\nInitial Access T1566 Phishing\r\nExecution T1204 User Execution\r\nDiscovery T1082 System Information Discovery\r\nDefense Evasion T1112 Modify Registry\r\nImpact T1490 Inhibit System Recovery\r\nImpact T1489 Service Stop\r\nImpact T1486 Data Encrypted for Impact\r\nIndicators of Compromise (IoCs):\r\nIndicator Indicator Type Description\r\n7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14 SHA-256 Pysa Ransomware\r\npysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad[.]onion TOR-URL TA's Website\r\nkardalkareefhaddad@onionmail.org Email TA's Email\r\nGeneric signatures and Rules:\r\nYara Rules:\r\nrule win32_pysaransomware\r\n{\r\n    meta:\r\n        author = \"Cyble Research\"\r\n        date = \"2021-11-25\"\r\n        description = \"Coverage for Pysa Ransomware\"\r\n        hash = \"7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14\"\r\n    strings:\r\n        $header = \"MZ\"\r\n        $sig1 = \"Readme.README\" wide ascii\r\n        $sig2 = \"n.pysa\" wide ascii\r\n        $sig3 = \"pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion\" wide ascii\r\n        $sig4 = \"kardalkareefhaddad@onionmail.org\" wide ascii\r\n        $sig5 = \"Every byte on any types of your devices was encrypted.\" wide ascii\r\n        $sig6 = \"To get all your data back contact us\" wide ascii\r\n    condition:\r\n        $header at 0 and (4 of ($sig*))\r\n}\r\nSource: https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2021/11/29/pysa-ransomware-under-the-lens-a-deep-dive-analysis/"
	],
	"report_names": [
		"pysa-ransomware-under-the-lens-a-deep-dive-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775439037,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b55bad92c73047b533155e20a79b5d1ee0c63e01.pdf",
		"text": "https://archive.orkl.eu/b55bad92c73047b533155e20a79b5d1ee0c63e01.txt",
		"img": "https://archive.orkl.eu/b55bad92c73047b533155e20a79b5d1ee0c63e01.jpg"
	}
}