Pysa ransomware infiltrates your network to steal your data and hold it ransom by encrypting
your files. It targets higher education institutions, healthcare providers, and private
companies in the US and beyond. So how dangerous is Pysa, and how can you stay safe?
Pysa is a form of human-operated ransomware that encrypts data on a victim’s computer and
demands a ransom for restoring access. Pysa stands for “Protect your system amigo,” which is a
sentence included in the ransom note left on infected devices.
Pysa is categorized as Ransomware-as-a-Service (RaaS), which means that its developers offer the
ransomware to other criminal organizations that lack the capability to produce their own malicious
programs. The previous version of this ransomware was known as Mespinoza.
The cybercriminals behind Pysa target high-value organizations, such as government institutions or
healthcare providers, whose operations are especially time-sensitive. Imagine if a hospital were
locked out of its patients’ data and couldn’t access its IT systems. Every wasted minute could be
fatal and lead to a damaged reputation, financial losses, and lawsuits.
Pysa, or Mespinoza ransomware, works by infiltrating the victim’s computer or network and
locking the victim out of their files. Hackers use phishing emails, brute-force attacks on servers
where RDP (Remote Desktop Protocol) or AD (Active Directory) is exposed to the internet, and social
engineering techniques to spread Pysa ransomware. Pysa distribution also relies on exploiting
vulnerabilities in network infrastructure, for example insecure remote access systems.
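Because the article names internet-exposed RDP as a brute-force target, here is an added example (not from the original post or from NordVPN) of the detection a defender would run over Windows failed-logon events to catch that activity early. It assumes Security events have already been flattened to one comma-separated line each (time, event id, logon type, account, source IP); the sample lines, IP addresses and the threshold are constructed.

```python
"""Detect RDP password brute-forcing from Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event ids and logon type used below (real values).
FAILED_LOGON = "4625"     # An account failed to log on
SUCCESS_LOGON = "4624"    # An account was successfully logged on
RDP_LOGON_TYPE = "10"     # RemoteInteractive, i.e. RDP

# Constructed sample events: "time,event_id,logon_type,account,source_ip".
# 198.51.100.7 fails five times in 21 seconds and then succeeds; 203.0.113.9 is a normal user.
SAMPLE_EVENTS = """\
2024-01-10T03:00:01,4625,10,administrator,198.51.100.7
2024-01-10T03:00:04,4625,10,admin,198.51.100.7
2024-01-10T03:00:09,4625,10,backup,198.51.100.7
2024-01-10T03:00:15,4625,10,svc_sql,198.51.100.7
2024-01-10T03:00:22,4625,10,root,198.51.100.7
2024-01-10T03:00:40,4624,10,svc_sql,198.51.100.7
2024-01-10T03:05:00,4625,10,jdoe,203.0.113.9
2024-01-10T03:06:00,4624,10,jdoe,203.0.113.9
"""


def parse_events(text):
    """Parse the flattened lines into (timestamp, event_id, logon_type, account, source_ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split(",")
        events.append((datetime.fromisoformat(ts), event_id, logon_type, account, src))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (failures, distinct_accounts, last_failure_time)} for every source
    that produced `threshold` or more RDP logon failures inside a sliding window of `window`."""
    by_src = defaultdict(list)
    for ts, eid, ltype, account, src in events:
        if eid == FAILED_LOGON and ltype == RDP_LOGON_TYPE:
            by_src[src].append((ts, account))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until all failures in it fit within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                accounts = {account for _, account in fails[start:end + 1]}
                alerts[src] = (count, len(accounts), fails[end][0])
                break
    return alerts


def success_after_failures(events, alerts):
    """Alerted sources that later logged on successfully over RDP: top priority for response,
    because a guessed password is exactly how the article says Pysa operators get in."""
    escalated = set()
    for ts, eid, ltype, _account, src in events:
        if src in alerts and eid == SUCCESS_LOGON and ltype == RDP_LOGON_TYPE:
            if ts > alerts[src][2]:
                escalated.add(src)
    return escalated


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    found = detect_bruteforce(evs)
    for src, (count, distinct, last) in found.items():
        print(f"{src}: {count} RDP failures, {distinct} accounts tried, last at {last}")
    print("successful logon after brute force:", success_after_failures(evs, found))
```

The distinct-account count separates classic brute force (one account, many passwords) from password spraying (many accounts, few passwords), and a success following the burst is the signal that turns an alert into an incident rather than just a blocked source.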
Once inside the system, Pysa encrypts the files and data so that you can’t access them. The
ransomware then displays a ransom note demanding payment, usually in cryptocurrency, in exchange
for a decryption key to unlock the files. Victims are allowed to send two files (no more than 2
MB) to criminals, so they can decrypt them and prove that their ransom demands are serious.
Known for exfiltrating data before encryption, Pysa puts additional pressure on its victims by
threatening to release sensitive information publicly.
Pysa encrypts all non-system files using AES encryption combined with RSA. Even if you delete the
ransomware from your computer and restore your system, your files will still be inaccessible. When
Pysa encrypts your files, they all acquire the .pysa filename extension. Let’s say you have a file
called “cat.avi”. After your device is infected with ransomware, the filename will change to
“cat.avi.pysa”.
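An added example (not part of the original post or of NordVPN’s tooling) of how an incident responder can scope an infection from the two artifacts the article names: the .pysa extension and the “Protect your system amigo” phrase in the ransom note. The page does not give the ransom note’s filename, so the scanner checks small text files for the phrase instead; the sample directory tree it builds is constructed.

```python
"""Triage scanner for Pysa-style encryption artifacts (added example)."""
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".pysa"                 # from the article: cat.avi becomes cat.avi.pysa
NOTE_PHRASE = "protect your system amigo"  # phrase the article says appears in the ransom note
MAX_NOTE_BYTES = 64 * 1024                 # only small text-like files are read for the phrase


def scan_tree(root):
    """Walk `root`; return (encrypted_files, note_files, encrypted_count_per_directory)."""
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                per_dir[dirpath] += 1
                continue
            try:
                if os.path.getsize(path) <= MAX_NOTE_BYTES:
                    with open(path, "rb") as fh:
                        text = fh.read().decode("utf-8", "ignore").lower()
                    if NOTE_PHRASE in text:
                        notes.append(path)
            except OSError:
                pass  # unreadable file: skip rather than abort the whole sweep
    return encrypted, notes, per_dir


def original_name(encrypted_path):
    """Recover the pre-encryption filename the article describes (cat.avi.pysa -> cat.avi)."""
    name = os.path.basename(encrypted_path)
    if name.lower().endswith(ENCRYPTED_SUFFIX):
        return name[:-len(ENCRYPTED_SUFFIX)]
    return name


def summarize(root):
    """Compact report used to decide which shares to isolate and which backups to restore."""
    encrypted, notes, per_dir = scan_tree(root)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "originals": sorted(original_name(p) for p in encrypted),
        "hottest_dir": per_dir.most_common(1)[0][0] if per_dir else None,
    }


def build_sample_tree():
    """Constructed sample tree so the script runs stand-alone; returns its root path."""
    root = tempfile.mkdtemp(prefix="pysa_triage_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("cat.avi.pysa", "budget.xlsx.pysa"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder bytes standing in for ciphertext
    # Hypothetical note filename; the article does not give the real one.
    with open(os.path.join(docs, "ransom_note.txt"), "w", encoding="utf-8") as fh:
        fh.write("Hi Company,\nProtect Your System Amigo.\n")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("ordinary unencrypted file\n")
    return root


if __name__ == "__main__":
    print(summarize(build_sample_tree()))
```

Run it against a mounted copy of an affected share rather than the live system, and treat the per-directory counts as the map of what the backups must cover; the original filenames recovered from the .pysa suffix tell you what to look for in those backups.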
Before encrypting your files, hackers steal all the sensitive data from the targeted computer,
so they have leverage against you. If you refuse to meet their ransom demands, they can dump all
the stolen data on the dark web.
However, you can never be sure if hackers will decrypt your files even after paying them.
Cybersecurity experts discourage people from paying criminals and feeding their business model.
The most notorious Pysa ransomware attacks have affected public sector organizations and
industries with sensitive data. Originating in 2019, Pysa ran rampant in 2020 and 2021, and it’s
still active today.
of service for almost two weeks. Criminals posted MyBudget’s name on the dark web along with
those of other businesses they successfully hacked, pressuring them to pay the ransom. The
company’s name was later removed from the dark web, suggesting that they negotiated with the
hackers and met their demands.
attack, which affected its IT services. Several months later, criminals dumped a bunch of
their stolen data online, containing passport details, photo IDs, and staff information.
attacked their computer systems. Public schools are especially vulnerable to cyberattacks
because many of them use outdated software and their staff lack cybersecurity training. The
FBI claims that Pysa has been used against a number of schools in the US and the UK and
continues to search for new victims.
Train your staff. Raising awareness among your employees about phishing emails
and ransomware is key to successfully fighting cybercriminals. Many organizations conduct
phishing simulations, so their employees can learn how to identify malicious emails.
Update your software on time. Postponing software updates can put a device at
serious risk because criminals might exploit a bug or vulnerability that software developers
fixed months ago. Even in global corporations you can still find employees running old versions
of software that should have been updated multiple times.
Use strong passwords. Make sure to use uppercase and lowercase letters combined with special
characters and numbers in your passwords. It’s important to create unique passwords for all your
accounts because one compromised account could open the gates to other services you use.
Back up your files. Many people think nothing will ever happen to them, until it does. Don’t take
unnecessary risks and always back up your sensitive data. You can never be sure that you won’t end
up with malware, ransomware, or any other malicious program on your computer.
Apart from software updates and strong passwords, one of the most common ways to improve your
overall digital security is to use a reputable VPN. A
VPN redirects your internet data through an encrypted tunnel, thus improving your online
security. If you often connect to public networks, having a VPN enabled on your device is
crucial for staying safe.
With one NordVPN account, you can protect up to six different devices: laptops, tablets,
smartphones, and more. NordVPN has more than 6,000 servers in 60 countries, providing users with
the best speeds in the VPN industry. While a VPN won’t directly protect against malware
infection, it will raise your overall privacy and security.
Businesses can also benefit from NordLayer, which
allows employees to securely access their company’s data and online resources.
NordVPN also offers the Threat Protection feature, which neutralizes cyber threats before they can
do any real damage to your device. It helps you identify malware-ridden files, stops you from
landing on malicious websites, blocks trackers, and stops intrusive ads on the spot.
Yes, Pysa ransomware is still active. It emerged in 2019 and did the most damage in 2020 and 2021.
However, even though Pysa ransomware attacks have decreased since then, the group behind this
malicious software has not ceased its activities.
What is a Pysa file?
A Pysa file is a file that has been encrypted by the Pysa ransomware. When Pysa encrypts your file,
the file’s extension changes to “.pysa”. These files are inaccessible to you unless you get a
decryption key that attackers offer in exchange for payment. However, paying the ransom does not
guarantee that you’ll get your data back, and it can encourage further criminal activity.
The post Pysa ransomware: What it is and how to protect yourself first appeared on NordVPN.