| Name | Description | 
|---|---|
| Mespinoza | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1110 | Brute Force | Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Pysa has used PowerShell scripts to deploy its ransomware.[1] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | |
| Enterprise | T1486 | Data Encrypted for Impact | Pysa has used RSA and AES-CBC encryption algorithms to encrypt a list of targeted file extensions.[1] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Pysa has the capability to stop antivirus services and disable Windows Defender.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | |
| Enterprise | T1490 | Inhibit System Recovery | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Pysa has executed a malicious executable by naming it svchost.exe.[1] |
| Enterprise | T1112 | Modify Registry | Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.[1] |
| Enterprise | T1046 | Network Service Scanning | Pysa can perform network reconnaissance using the Advanced Port Scanner tool.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1489 | Service Stop | |
| Enterprise | T1016 | System Network Configuration Discovery | Pysa can perform network reconnaissance using the Advanced IP Scanner tool.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Pysa has extracted credentials from the password database before encrypting the files.[1] |