Initially observed in 2019, Pysa ransomware has actively targeted organizations in many countries. Once executed on the victim machine, Pysa encrypts the victim files and drops ransom notes to instruct users on how to recover the files in exchange for the ransom amount. It is human-operated ransomware and does not have self-propagation capability. Once the Threat Actor (TA) is done with the data exfiltration from the victim machine or organization, they execute Pysa for the encryption. The Pysa ransomware group is also known for double extortion.
Presently there are 190+ victims of the Pysa ransomware across the world, and the image below shows the Heat Map of countries impacted by the Pysa ransomware.
The top 5 Countries affected by Pysa are the US, UK, Canada, Spain, and Brazil. Pysa has impacted industries like Education, Utilities, Transportation, Construction, Healthcare, and Business Services, etc. The Pysa ransomware group operates from the dark web site pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad[.]onion, as shown below.
The image below shows the high-level execution diagram of the Pysa ransomware. Initially, the ransomware creates a mutex with the name of Pysa, and later it enumerates drives in the victim’s system. Additionally, it goes through files and directories to search for targeted files having specific extensions that are hardcoded in the malware. Once found, the ransomware appends the ‘.pysa’ extension to the victim files and encrypts the content as a priority, followed by the encryption of the rest of the files. Later it carries out the registry modification and finally creates a file called update.bat for self-deletion.
In this report, Cyble Research Labs has covered the deep-dive analysis of the Pysa ransomware to understand the behaviour and infection mechanism.
Technical Analysis
The Static properties of Pysa ransomware tell us that the ransomware is an x86 Windows Portable Executable (PE) written in the C/C++ language and compiled on 2021-10-11 10:21:04, as shown below.
Upon execution of the ransomware, it creates a process tree, as shown below.
After successful execution, the malware infects the victim’s files and appends the extension, ‘.pysa’, as shown below.
The image below showcases the content of the ransom note in which the TA instructs victims to pay the ransom amount. In case the victim fails to pay the demanded ransom, the TA threatens to upload the data on their leake website or sell it to cybercriminals in the darknet.
Code Analysis
As shown in the below code, the ransomware first creates a mutex with the name “pysa”. The mutex has been designed to ensure that only one instance of the ransomware is running in the victim system at a time.
Later, the ransomware enumerates the victim’s drives using the Application Program Interface (API) GetLogicalDriveStringsW and uses the GetDriveTypeW API to ensure that the drive is a fixed drive (0x03), such as a hard disk.
Once the list of drives is found, the ransomware creates a Thread using the CreateThread API and passes the Drive letter as a parameter for the infection, as shown below.
Each directory that is found by the ransomware is compared with the list below, as the ransomware does not infect files present in the directory list shown below.
Once the malware has found the files present in the victim machine, the ransomware compares the files extension with the list below.
| .doc | .myd | .bkf | .pbf | .zip |
| .xls | .ndf | .bkup | .qic | .rar |
| .docx | .sdf | .bup | .sqb | .cad |
| .xlsx | .trc | .fbk | .tis | .dsd |
| .wrk | .mig | .vbk | .dwg | |
| .db | .001 | .spf | .vbm | .pla |
| .db3 | .acr | .vhdx | .vrb | .pln |
| .frm | .bac | .vfd | .win | |
| .ib | .bak | .avhdx | .pst | |
| .mdf | .backupdb | .vmcx | .mdb | |
| .mwb | .bck | .vmrs | .7z |
Once the victim’s file extension matches with the above list, the ransomware Call MoveFileW API to append the .pysa extension as shown in the below figure.
As shown in the below code, the ransomware reads the content from the files.
Once the plain text content has been read, it encrypts it using Advanced Encryption Standard (AES) 256 and then writes the encrypted content into the file.
Once the above process is done, the ransomware creates ransom notes and encrypts the remaining files in the victim machine.
Furthermore, the Pysa ransomware creates two registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, with the name legalnoticetext having value as Ransom note content and legalnoticecaption having values as PYSA, as shown in the below code.
Ransomware created entry legalnoticetext and inserted content ransom note.
Another entry is created with the name of legalnoticetext and having content PYSA.
Finally, the ransomware releases the mutex and a update.bat file under the Temp folder of the currently logged-in user containing the content below.
| :Repeat del “C:\\Users\\MalWorkstation\\Desktop\\Evil2.exe” if exist “C:\\Users\\MalWorkstation\\Desktop\\Evil2.exe” goto Repeat rmdir “C:\\Users\\MalWorkstation\\Desktop” del “C:\\Users\\MALWOR~1\\AppData\\Local\\Temp\\update.bat”” |
Using the above code, the malware performs the self-Delete operation to delete its traces.
Conclusion
The Pysa ransomware has multiple victims around the world, and the initial execution is manual after the TA exfiltrates the data from the victim’s machine. The Pysa ransomware is one of the many ransomware presented on the surface web that can encrypt user files using a strong encryption algorithm and leave ransom notes for instructing users on how to recover the files.
Cyble Research Labs is continuously monitoring Pysa’s activities, and we keep informing our clients with recent updates about this campaign.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Discovery | T1082 | System Information Discovery |
| Defense Evasion | T1112 | Modify Registry |
| Impact | T1490 T1489 T1486 | Inhibit System Recovery Service Stop Data Encrypted for Impact |
Indicators of Compromise (IoCs):
| Indicators | Indicator type | Description |
| 7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14 | SHA-256 | Pysa Ransomware |
| pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad[.]onion | TOR-URL | TAs Website |
| kardalkareefhaddad@onionmail.org | TAs Email |
Generic signatures and Rules:
Yara Rules:
rule win32_pysaransomware
{
meta:
author= "Cyble Research"
date= "2021-11-25"
description= "Coverage for Pysa Ransomware"
hash= "7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14"
strings:
$header= "MZ"
$sig1 = "Readme.README" wide ascii
$sig2 = "n.pysa" wide ascii
$sig3 = "pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion" wide ascii
$sig4 = "kardalkareefhaddad@onionmail.org" wide ascii
$sig5 = "Every byte on any types of your devices was encrypted." wide ascii
$sig6 = "To get all your data back contact us" wide ascii
condition:
$header at 0 and (4 of ($sig*))
}