PYSA
Pysa is a variant of the strain known as Mespinoza and is offered as Ransomware as a Service (RaaS), meaning the attackers sell access to it. It typically targets high-level institutions and behaves much like the ransomware tools Sodinokibi and Ryuk. The most commonly targeted sector appears to be education, but other victims include organizations in manufacturing, medical, construction, transport, retail, and local government. The malware gets into a system through phishing scams, RDP attacks, or brute-force attacks. Once inside, it steals account credentials, financial data, legal documents, and other forms of sensitive information. Then, as is typical of ransomware, it encrypts the machines on the network, and the attackers demand payment, typically in cryptocurrency, to decrypt the data. The data is posted to a group-controlled website that displays the slogan “Protect Your System Amigo.”