Overview
Pysa ransomware, also known as Mespinoza, is a file-encrypting ransomware family that encrypts the files and data stored on a victim's systems and demands a ransom payment in exchange for the decryption key that is supposed to unlock the affected files. Pysa has so far hit a range of industries, but the sector targeted most heavily during the pandemic, accounting for almost 25% of known Pysa victims, is healthcare. The financial, IT, non-profit, public-sector and food-service industries have also been frequent targets.
How Pysa Infects
Initial access is normally gained through a phishing email carrying a fake message designed to convince the target to open a seemingly harmless attachment. The attachment is usually laced with a malicious macro, and the system is compromised as soon as the macro is allowed to run. Several other infection vectors are also used to distribute this ransomware: fraudulent software downloads and updates, bogus pirated copies of popular applications or media, and torrent trackers, for example. Pysa encrypts a wide range of common file types likely to be found on any user's PC, including .mp3, .mp4, .mov, .png, .jpg, .docx, .pptx, .xlsx and .rar. Once Pysa has encrypted the targeted data, each affected file has the ".pysa" extension appended to its name and can no longer be opened. For example, an Excel workbook called 'accounts_2020.xlsx' before the attack would be renamed 'accounts_2020.xlsx.pysa'.
Pysa also drops a text file named "Readme.README.txt" containing the ransom message and instructions for recovering the affected files. Like most ransomware, Pysa uses a strong encryption algorithm, so victims cannot regain access to their files without the matching decryption tool and key. The ransom note directs victims to contact Pysa's operators via one of two email addresses listed in the note, after which the criminals send instructions on how to pay. Victims are permitted to send two encrypted files, which the criminals offer to decrypt free of charge; this is a common tactic to 'prove' that they hold a working decryptor, since only the ransomware's developers have valid tools. Regardless, they cannot be trusted: victims who pay are often scammed and never receive the promised decryption tools or keys. The only free and safe way to recover files is to restore them from a backup, and only after the infection has been removed, otherwise the restored copies may simply be encrypted again. Removing the ransomware from the operating system does not decrypt anything; it only prevents further encryption.
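Putting the two indicators above (the ".pysa" extension and the "Readme.README.txt" note) to work, here is an added triage script that is not part of the original page or of any vendor tool. It walks a directory tree, counts encrypted files, recovers the pre-attack filenames, and pulls the contact addresses out of every ransom note it finds, so a responder can scope an incident without opening each note by hand. The sample tree it builds, the note wording and the two contact addresses are constructed for the demonstration and are not real Pysa indicators; the script assumes only the Python standard library.

```python
"""Triage helper for a suspected Pysa (Mespinoza) ransomware incident.

Added example: walks a directory tree, counts files carrying the ".pysa"
extension, finds ransom notes named "Readme.README.txt" and extracts the
contact e-mail addresses from them, so a responder can scope the damage
and record indicators without opening the notes by hand.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".pysa"            # extension Pysa appends to encrypted files
NOTE_NAME = "Readme.README.txt"    # ransom note Pysa drops in affected folders
# Deliberately simple address pattern; enough to pull contacts out of a note.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class TriageResult:
    encrypted_files: list = field(default_factory=list)  # paths ending in .pysa
    ransom_notes: list = field(default_factory=list)     # paths of the note file
    contact_emails: set = field(default_factory=set)     # addresses found in notes


def original_name(encrypted_name: str) -> str:
    """Recover the pre-attack filename: 'accounts_2020.xlsx.pysa' -> 'accounts_2020.xlsx'."""
    if encrypted_name.endswith(ENCRYPTED_EXT):
        return encrypted_name[: -len(ENCRYPTED_EXT)]
    return encrypted_name


def extract_emails(note_text: str) -> set:
    """Return every e-mail address found in a ransom note body."""
    return set(EMAIL_RE.findall(note_text))


def triage(root) -> TriageResult:
    """Walk `root` and collect Pysa indicators: encrypted files, notes, contacts."""
    result = TriageResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(str(path))
            elif name == NOTE_NAME:
                result.ransom_notes.append(str(path))
                # errors="replace": a dropped note is not guaranteed to be clean UTF-8
                text = path.read_text(encoding="utf-8", errors="replace")
                result.contact_emails |= extract_emails(text)
    return result


def build_sample_tree(root) -> None:
    """Constructed sample data (not a real infection): two encrypted files, one
    untouched file, and the same note dropped in two folders with two
    hypothetical contact addresses."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    (root / "finance" / "accounts_2020.xlsx.pysa").write_bytes(b"\x00ciphertext\x00")
    (root / "finance" / "budget.docx.pysa").write_bytes(b"\x00ciphertext\x00")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not encrypted")
    note = (  # constructed wording, not the real Pysa note text
        "Your files have been encrypted.\n"
        "To get the decryption key write to contact-one@example.com\n"
        "or contact-two@example.org and attach two files for a free test.\n"
    )
    (root / "finance" / NOTE_NAME).write_text(note, encoding="utf-8")
    (root / NOTE_NAME).write_text(note, encoding="utf-8")


def run_demo() -> TriageResult:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r.encrypted_files)} encrypted files, {len(r.ransom_notes)} ransom notes")
    for p in sorted(r.encrypted_files):
        print(f"  {p}  (was {original_name(Path(p).name)})")
    print("contact addresses:", ", ".join(sorted(r.contact_emails)))
```

On a real incident, point `triage()` at the mounted share or image rather than the temp directory, and treat the collected paths and addresses as indicators to record, not as anything to act on against the criminals.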
Prevention
Organisations should train all employees to recognise phishing emails and reinforce that attachments and links in a suspected phishing email must not be opened. Such emails are often sent from unknown or suspicious addresses, and cyber criminals usually disguise them as important or official correspondence to lull the recipient into a false sense of security.
Keep installed software up to date using the mechanisms provided by the official software vendors, such as automatic updates. Download software and files only from official, trustworthy sources and via direct links; all other sources should be treated as untrusted. Never activate software with unofficial activation tools, as these frequently infect the system during the activation process.
Finally, regularly scan the operating system and all files with a reputable antivirus or anti-spyware suite, and keep that software up to date as well.