Pysa, also referred to as Mespinoza, is a ransomware family first observed in October 2019 via malspam. A newer variant appeared in December 2019 and became commonly known as Pysa because it appends the .pysa extension to encrypted files. The malware is associated with double-extortion activity, including encryption and theft of victim data, and has been linked in the provided content to the PYSA ransomware gang’s 2020 attack on Assured Imaging, where patient data was encrypted and stolen, affecting nearly 245,000 individuals. The content also notes Pysa activity impacting K-12 school districts and references a 2021 attack involving a Pysa variant that led to a HIPAA breach investigation.
Documented capabilities in the provided content include use of RSA and AES-CBC to encrypt targeted file extensions; modification of the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, including adding the ransom note; use of PowerShell scripts to deploy the ransomware; stopping antivirus services and disabling Windows Defender; deletion of shadow copies; credential extraction from the password database before file encryption; OS credential dumping with Mimikatz; brute-force attempts against a central management console and some Active Directory accounts; network reconnaissance using Advanced Port Scanner; and lateral movement via RDP connections. The malware has also been reported using PsExec to copy and execute the ransomware and executing a malicious binary named svchost.exe.
Behavioral analysis in the content states that Mespinoza/Pysa avoids encrypting certain Windows and critical operating system directories, checks removable media and shared network drives using GetDriveTypeW, looks for SQL-related processes, and runs verclsid.exe during execution. The CLSIDs observed were tied to C:\Windows\system32\SearchFolder.dll and a Microsoft SQL Server IDBProperties component. An encrypted key is appended to the end of each encrypted file. One analyzed sample did not delete Volume Shadow Copies, although other provided references state that Pysa has that functionality. Known sample hashes in the content include SHA-256 a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327 and e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead. Ransom note contact addresses mentioned in the content include raingemaximo@protonmail.com, gareth.mckie3l@protonmail.com, aireyeric@protonmail.com, ellershaw.kiley@protonmail.com, mespinoza980@protonmail.com, alanson_street8@protonmail.com, and lambchristoffer@protonmail.com.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
28 distinct techniques documented for this family, organized by ATT&CK tactic.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
"Anchor can create and execute services to load its payload"; "APT32's backdoor has used Windows services as a way to execute its malicious payload"; "Ragnar Locker has used sc.exe to execute a service that it creates"; "Shamoon creates a new service named 'ntssrv' to execute the payload"
During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching rundll32.exe ... AADInternals can modify registry keys ... ADVSTORESHELL is capable of setting and deleting Registry values ... [many additional examples].
During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.
During the 2015 Ukraine Electric Power Attack, Sandworm Team modified in-registry Internet settings to lower internet security before launching rundll32.exe ... AADInternals can modify registry keys ... ADVSTORESHELL is capable of setting and deleting Registry values ... [many additional examples].
Multiple actors and tools are described as using Mimikatz/Windows Credential Editor/LaZagne/ProcDump to “dump credentials,” often by targeting LSASS memory (e.g., “used Mimikatz to capture and use legitimate credentials,” “dumped the LSASS process memory using the MiniDump function,” “injecting itself into lsass.exe”).
"Sandworm Team used a script to attempt RPC authentication against a number of hosts"; "Agrius engaged in various brute forcing activities via SMB"; "Chaos conducts brute force attacks against SSH services to gain initial access"; "Fox Kitten has brute forced RDP credentials"; "Turla may attempt to connect ... using net use commands and a predefined list ... of passwords."
"...extract credentials from configuration or support files." / "...search for files containing passwords." / "...obtained administrative credentials by browsing through local files..."
AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. Agent Tesla has the ability to extract credentials from configuration or support files. APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
During C0018, the threat actors ran nslookup and Advanced IP Scanner on the target network. GALLIUM ran a modified version of NBTscan to identify available NetBIOS name servers. menuPass used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions. Threat Group-3390 actors use NBTscan to discover vulnerable systems.
During the 2025 Poland Wiper Attacks, adversaries utilized RDP to log into jump hosts and then moved laterally to other victim devices to include a domain controller.
"PsExec ... can be used to execute binaries on remote systems using a temporary Windows service"; "RemoteCMD can execute commands remotely by creating a new service on the remote system"; "Winexe installs a service on the remote system, executes the command, then uninstalls the service"
The PYSA ransomware gang in 2020 encrypted and stole Assured Imaging's patient data, affecting nearly 245,000 individuals.
On top of client applications such as those provided by Mega, many ransomware families may use other software or built-in operating system utilities to exfiltrate data. We’ll use Mega as the example here... you can look for execution of any process that is not chrome.exe ... initiating a network connection to the domains mega.io or mega.co.nz .
The PYSA ransomware gang in 2020 encrypted and stole Assured Imaging's patient data, affecting nearly 245,000 individuals.
It will also specifically look for SQL related processes. I will have to confirm this with a debugger, but most of the time database processes are killed by Ransomware to disrupt the service and make the files available for encryption.
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
The content repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
40 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware used to encrypt and steal victim data in attacks against healthcare-related organizations.
Ransomware family referenced in related article titles involving attacks on school districts.
Pysa is a ransomware variant known for targeting organizations, encrypting files, and demanding payment for decryption. It has been involved in attacks against healthcare providers, leading to data breaches and regulatory penalties.
Pysa is a ransomware variant known for targeting organizations, encrypting files, and demanding payment for decryption. It has been involved in attacks against healthcare providers, leading to data breaches and regulatory penalties.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.