Pysa Ransomware Under the Lens: A Deep-Dive Analysis

Share on linkedin
Share on twitter
Share on whatsapp
Share on facebook
Share on telegram
Share on email

Initially observed in 2019, Pysa ransomware has actively targeted organizations in many countries. Once executed on the victim machine, Pysa encrypts the victim files and drops ransom notes to instruct users on how to recover the files in exchange for the ransom amount. It is human-operated ransomware and does not have self-propagation capability. Once the Threat Actor (TA) is done with the data exfiltration from the victim machine or organization, they execute Pysa for the encryption. The Pysa ransomware group is also known for double extortion.

Presently there are 190+ victims of the Pysa ransomware across the world, and the image below shows the Heat Map of countries impacted by the Pysa ransomware.

Figure 1 Pysa Ransomware Heat Map

The top 5 Countries affected by Pysa are the US, UK, Canada, Spain, and Brazil.  Pysa has impacted industries like Education, Utilities, Transportation, Construction, Healthcare, and Business Services, etc. The Pysa ransomware group operates from the dark web site pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad[.]onion, as shown below.

Figure 2 TOR Website of Pysa Ransomware group

The image below shows the high-level execution diagram of the Pysa ransomware. Initially, the ransomware creates a mutex with the name of Pysa, and later it enumerates drives in the victim’s system. Additionally, it goes through files and directories to search for targeted files having specific extensions that are hardcoded in the malware. Once found, the ransomware appends the ‘.pysa’ extension to the victim files and encrypts the content as a priority, followed by the encryption of the rest of the files. Later it carries out the registry modification and finally creates a file called update.bat for self-deletion.

Figure 3 High-level Execution Flow of Pysa Ransomware

In this report, Cyble Research Labs has covered the deep-dive analysis of the Pysa ransomware to understand the behaviour and infection mechanism.

Technical Analysis

The Static properties of Pysa ransomware tell us that the ransomware is an x86 Windows Portable Executable (PE) written in the C/C++ language and compiled on 2021-10-11 10:21:04, as shown below.

Figure 4 Static Information of Pysa

Upon execution of the ransomware, it creates a process tree, as shown below.

Figure 5 Process Tree

After successful execution, the malware infects the victim’s files and appends the extension, ‘.pysa’, as shown below.

Figure 6 Ransomware appends .pysa extension

The image below showcases the content of the ransom note in which the TA instructs victims to pay the ransom amount. In case the victim fails to pay the demanded ransom, the TA threatens to upload the data on their leake website or sell it to cybercriminals in the darknet.

Figure 7 Ransom Note Created by P

Code Analysis

As shown in the below code, the ransomware first creates a mutex with the name “pysa”. The mutex has been designed to ensure that only one instance of the ransomware is running in the victim system at a time.

Figure 8 Code for creating Mutex

Later, the ransomware enumerates the victim’s drives using the Application Program Interface (API) GetLogicalDriveStringsW and uses the GetDriveTypeW API to ensure that the drive is a fixed drive (0x03), such as a hard disk.

Figure 9 Enumerates Drives and Checks if the Drive is a Fixed drive

Once the list of drives is found, the ransomware creates a Thread using the CreateThread API and passes the Drive letter as a parameter for the infection, as shown below.    

Figure 10 Creates Thread for Infection

Each directory that is found by the ransomware is compared with the list below, as the ransomware does not infect files present in the directory list shown below.

Figure 11 Whitelisted Directories

Once the malware has found the files present in the victim machine, the ransomware compares the files extension with the list below.
Table 1 Targeted File Extension

Once the victim’s file extension matches with the above list, the ransomware Call MoveFileW API to append the .pysa extension as shown in the below figure.

Figure 12 Appends .pysa Extension

As shown in the below code, the ransomware reads the content from the files.

Figure 13 Reads Plain Text Content

Once the plain text content has been read, it encrypts it using Advanced Encryption Standard (AES) 256 and then writes the encrypted content into the file.

Figure 14 Write Encrypted Content into the File

Once the above process is done, the ransomware creates ransom notes and encrypts the remaining files in the victim machine.

Furthermore, the Pysa ransomware creates two registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, with the name legalnoticetext having value as Ransom note content and legalnoticecaption having values as PYSA, as shown in the below code.

Figure 15 Create registry entry legalnoticetext and legalnoticecaption

Ransomware created entry legalnoticetext and inserted content ransom note.

Figure 16 Creates registry legalnoticetext

Another entry is created with the name of legalnoticetext and having content PYSA.

Figure 17 Creates registry legalnoticecaption

Finally, the ransomware releases the mutex and a update.bat file under the Temp folder of the currently logged-in user containing the content below.

del “C:\\Users\\MalWorkstation\\Desktop\\Evil2.exe”
if exist “C:\\Users\\MalWorkstation\\Desktop\\Evil2.exe” goto Repeat
rmdir “C:\\Users\\MalWorkstation\\Desktop”
del “C:\\Users\\MALWOR~1\\AppData\\Local\\Temp\\update.bat””
Table 2 Content of update.bat

Using the above code, the malware performs the self-Delete operation to delete its traces.


The Pysa ransomware has multiple victims around the world, and the initial execution is manual after the TA exfiltrates the data from the victim’s machine. The Pysa ransomware is one of the many ransomware presented on the surface web that can encrypt user files using a strong encryption algorithm and leave ransom notes for instructing users on how to recover the files.

Cyble Research Labs is continuously monitoring Pysa’s activities, and we keep informing our clients with recent updates about this campaign.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:

  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic. 
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.   
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.
  • Conduct regular backup practices and keep those backups offline or in a separate network.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial accessT1566Phishing
ExecutionT1204User Execution
DiscoveryT1082System Information Discovery
Defense EvasionT1112Modify Registry
Inhibit System Recovery
Service Stop
Data Encrypted for Impact

Indicators of Compromise (IoCs):

IndicatorsIndicator typeDescription
7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14SHA-256Pysa Ransomware
pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad[.]onionTOR-URLTAs Website
kardalkareefhaddad@onionmail.orgEmailTAs Email

Generic signatures and Rules:

Yara Rules:

rule win32_pysaransomware
	author= "Cyble Research"  
	date= "2021-11-25"  
	description= "Coverage for Pysa Ransomware"  
	hash= "7c774062bc55e2d0e869d5d69820aa6e3b759454dbc926475b4db6f7f2b6cb14"  
		$header= "MZ"  
		$sig1 = "Readme.README" wide ascii  
		$sig2 = "n.pysa" wide ascii  
		$sig3 = "pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion" wide ascii  
		$sig4 = "" wide ascii  
		$sig5 = "Every byte on any types of your devices was encrypted." wide ascii  
		$sig6 = "To get all your data back contact us" wide ascii  
		$header at 0 and (4 of ($sig*))  


Scroll to Top