(NOTE: The following information is a summary of a March 16, 2021 FBI Cyber Division memo. If you have experienced a PYSA ransomware attack — or perhaps you’re not sure if you have — reach out to Sherpa Software. We are currently working with clients to scan mailboxes and uncover suspect domains with the PYSA malware attachment.)

Since March 2020, the FBI has been aware of PYSA (also known as Mespinoza) ransomware attacks against U.S. and foreign government entities, private companies, the healthcare sector and, especially, educational institutions. PYSA typically gains unauthorized access to victim networks by compromising remote desktop protocol (RDP) credentials and/or through phishing emails.

Cyber attackers use Advanced Port Scanner and Advanced IP Scanner [1] to conduct network reconnaissance and install open-source tools such as PowerShell Empire [2], Koadic [3] and Mimikatz [4]. Next, they execute commands to deactivate antivirus capabilities on the victim network prior to deploying the ransomware. Using the free open-source tool WinSCP [5], they encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups and applications inaccessible to users. In previous incidents, cyber actors took employment records that contained personally identifiable information (PII), payroll tax information and other data that could be used to extort victims.

As with other ransomware, a detailed message is generated and displayed on the victim’s login or lock screen. It tells the victim how to contact the cyber attacker via email, displays frequently asked questions (FAQs) and offers to decrypt the affected files. If the ransom is not paid, the actors warn that the information will be uploaded and monetized on the darknet. Additionally, the malware is dropped in a user folder, such as C:\Users\%username%\Downloads\. Observed instances of the malware had the filename svchost.exe, most likely an effort by the cyber actors to trick victims by disguising the ransomware as the generic Windows host process. In some instances, the actors removed the malicious files after deployment, so victims found no malicious files on their systems.

The cyber actors have uploaded stolen data to MEGA.NZ — a cloud storage and file-sharing service — either through the MEGA website or by installing the MEGA client application directly on a victim’s computer. However, in the past the actors have used other methods of exfiltrating data that leave less evidence of what was stolen.

[1] The cyber actors used Advanced Port Scanner and Advanced IP Scanner by FAMATECH, open-source tools that allow users to find open network computers and discover the versions of programs listening on those ports.
[2] PowerShell Empire is a post-exploitation toolkit that provides the ability to run PowerShell agents without needing powershell.exe, as well as modules ranging from keyloggers to Mimikatz, and adaptable communication to avoid network detection.
[3] Koadic is an open-source penetration toolkit that has several options for staging payloads and creating implants.
[4] Mimikatz is an open-source post-exploitation toolkit that pulls passwords from memory, as well as hashes and other authentication credentials.
[5] WinSCP is an open-source tool that provides secure file transfer between local and remote computer systems.

Indicators

The following are characteristics of the compromise:

File extension of encrypted files: .pysa

Observed malware filename: \Users\%username%\Downloads\svchost.exe

SHA1 hashes [6] (associated filename, then hash):
  • Unknown                  07cb2a3fe86414b054e2b002f283935bb0cb993c
  • svchost.exe              52b2fc13ec0dbf8a0250c066cd3486b635a27827
  • svchost.exe              728CB56F98EDBADA697FE66FBF7D367215271F10
  • 17535.pyz                c74378a93806628b62276195f9657487310a96fd
  • Step2.ps1                24c592ad9b21df380cb4f39a85d4375b6a8a6175
  • sshs.exe or explorer.exe f2dda8720a5549d4666269b8ca9d629ea8b76bdf

Tor URLs:
  • pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion
  • na47pldl5eoqxt42.onion/

The following email addresses, found in ransom notes, are associated with this activity:

Email Addresses Found in Ransom Notes
ced_cririele93@protonmail.com
veronabello@onionmail.org
irvingalfie@protonmail.com
giuliacabello@onionmail.org
gustaf.wixon@protonmail.com
avitacabrera@protonmail.com
ralfgriffin@protonmail.com
domenikuvoker@protonmail.com
korgy.torky@protonmail.com
mespinoza980@protonmail.com
astion11@protonmail.com
ellershaw.kiley@protonmail.com
Bfgkwethnsb@protonmail.com
jonivaeng@protonmail.com
Logan_A_Gray@protonmail.com
alanson_street8@protonmail.com
rafaeldari@onionmail.org
raingemaximo@protonmail.com
Abelzackary@onionmail.org
mcpherson.artair@protonmail.com
Elliotstaarss1@protonmail.com
lambchristoffer@protonmail.com
TimWestbrook@onionmail.org
gareth.mckie3l@protonmail.com
PaulDade@onionmail.org
rohrbacherlucho@protonmail.com
CarmenWashingtonGton@portonmail.com
aireyeric@protonmail.com
cozmo.storton@protonmail.com
noblecocking@protonmail.com
karim.abson@protonmail.com
presleybarry63@protonmail.com
chettle.willem@protonmail.com
duncan_cautherey@protonmail.com
dalliss.prout96@protonmail.com
shdujdsh@protonmail.com
karkeck.arch@protonmail.com
ihdtwesfs@portonmail.com
keefe.mcmeckan@protonmail.com
williamjohnson1963@protonmail.com
keepupchell@protonmail.com
casualstroons@portonmail.com
gabriel8970@protonmail.com
izak.pollington@protonmail.com
masonhoyt@onionmail.org
t_trstram@protonmail.com
merry.lane@mailfence.com
willmottlem01@protonmail.com
Jamesy.kettlewell@protonmail.com
BettyRacine@protonmail.com
platt.lucais@protonmail.com
Ohsgsuywb@protonmail.com
jarret.wharram@protonmail.com
Lojdgseywu@protonmail.com
hewitt_rogers@protonmail.com
Johnbeamvv@protonmail.com
thorvald_beattie@protonmail.com
rewhgsch@protonmail.com
warden_riddoch@protonmail.com
lhdbeysdq@protonmail.com
cowland_lothaire@protonmail.com
mario1@mailfence.com
Nickola_men@protonmail.com

[6] As the cyber actors continue to develop the malicious code, the filenames and SHA1 hashes will change and evolve.
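One way to sweep a host for the indicators above, as an added example that is not code from the FBI memo or from Sherpa Software: the SHA1 values, the .pysa extension, the Downloads\svchost.exe drop location, two of the ransom-note contact addresses and the two Tor hosts are taken from the page; the directory tree the script scans is constructed here (placeholder bytes, no real malware) so it runs offline. Because footnote 6 warns that hashes change, the hash match is one signal among several rather than the only check.

```python
"""Added example, not code from the FBI memo or from Sherpa Software: sweep a
directory tree for the PYSA indicators listed above. Hashes, extension, drop
location, contact addresses and Tor hosts come from the page; the sample files
are constructed placeholders so the scan runs offline."""
import hashlib
import tempfile
from pathlib import Path

# Indicators from the page, normalised to lower case for comparison.
PYSA_SHA1 = {
    "07cb2a3fe86414b054e2b002f283935bb0cb993c",  # Unknown
    "52b2fc13ec0dbf8a0250c066cd3486b635a27827",  # svchost.exe
    "728cb56f98edbada697fe66fbf7d367215271f10",  # svchost.exe
    "c74378a93806628b62276195f9657487310a96fd",  # 17535.pyz
    "24c592ad9b21df380cb4f39a85d4375b6a8a6175",  # Step2.ps1
    "f2dda8720a5549d4666269b8ca9d629ea8b76bdf",  # sshs.exe or explorer.exe
}
RANSOM_NOTE_CONTACTS = {  # two of the addresses from the page's list
    "mespinoza980@protonmail.com",
    "ralfgriffin@protonmail.com",
}
TOR_HOSTS = {
    "pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion",
    "na47pldl5eoqxt42.onion",
}
NOTE_SUFFIXES = {".txt", ".html", ".readme", ""}  # small text files worth reading
MAX_NOTE_BYTES = 64 * 1024


def sha1_of(path):
    """SHA1 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, known_hashes=PYSA_SHA1):
    """Return sorted (indicator, relative_path) pairs found under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_path = path.relative_to(root)
        rel = rel_path.as_posix()
        parts = {p.lower() for p in rel_path.parts}
        if path.suffix.lower() == ".pysa":
            findings.append(("encrypted_extension", rel))
        # The genuine svchost.exe lives in the Windows system directory; a copy
        # in a user's Downloads folder matches the observed drop location.
        if path.name.lower() == "svchost.exe" and "downloads" in parts:
            findings.append(("svchost_in_downloads", rel))
        if sha1_of(path) in known_hashes:
            findings.append(("known_hash", rel))
        if path.suffix.lower() in NOTE_SUFFIXES and path.stat().st_size <= MAX_NOTE_BYTES:
            text = path.read_text(errors="ignore").lower()
            if any(addr in text for addr in RANSOM_NOTE_CONTACTS):
                findings.append(("ransom_note_contact", rel))
            if any(host in text for host in TOR_HOSTS):
                findings.append(("ransom_note_onion", rel))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed directory tree (placeholder bytes, no malware)."""
    root = tempfile.mkdtemp(prefix="pysa_demo_")
    files = {
        "Users/alice/Downloads/svchost.exe": b"constructed placeholder, not malware",
        "Users/alice/Documents/report.docx.pysa": b"constructed encrypted-looking blob",
        "Users/alice/Desktop/ransom_note.txt":
            b"Contact mespinoza980@protonmail.com or visit na47pldl5eoqxt42.onion/",
        "Users/alice/Documents/notes.txt": b"meeting notes, nothing suspicious",
        "Windows/System32/svchost.exe": b"constructed stand-in for the genuine binary",
    }
    for rel, content in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(content)
    return root


if __name__ == "__main__":
    for indicator, rel in scan_tree(build_sample_tree()):
        print(f"{indicator:22s} {rel}")
```

Run it as-is to see the constructed tree flagged on extension, drop location and ransom-note contents; on a real host, point `scan_tree` at a mounted image or user profile. The hash set is a parameter so an updated list can be passed in without editing the code.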

Recommended Mitigations

  • Regularly back up data, air gap and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multi-factor authentication where possible.
  • Regularly change passwords to network systems and accounts, and avoid reusing passwords for different accounts. Implement the shortest acceptable timeframe for password changes.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
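Since the memo names compromised RDP credentials as an entry vector and recommends monitoring RDP logs, here is an added example (not from the FBI memo or from Sherpa Software) of what that monitoring can look like: a detector run over a constructed CSV export of Windows Security events. It flags a successful RDP logon (event 4624, logon type 10) that follows a burst of failed logons (event 4625) from the same source, and any RDP logon from an address outside the defender's own internal ranges. The internal network list and the sample events are assumptions for the demo.

```python
"""Added example, not code from the FBI memo or from Sherpa Software: flag
suspicious RDP logons in a constructed export of Windows Security events.
Event 4625 = failed logon, 4624 = successful logon; logon type 10 =
RemoteInteractive (RDP). The internal ranges and the log lines are assumptions."""
import ipaddress
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Assumed internal ranges for the demo organisation; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: timestamp,event_id,logon_type,account,source_ip
SAMPLE_EVENTS = """\
2021-03-15T02:14:01,4625,10,CORP\\jdoe,203.0.113.45
2021-03-15T02:14:03,4625,10,CORP\\jdoe,203.0.113.45
2021-03-15T02:14:07,4625,10,CORP\\jdoe,203.0.113.45
2021-03-15T02:14:12,4625,10,CORP\\jdoe,203.0.113.45
2021-03-15T02:14:20,4625,10,CORP\\jdoe,203.0.113.45
2021-03-15T02:14:30,4625,10,CORP\\jdoe,203.0.113.45
2021-03-15T02:14:40,4624,10,CORP\\jdoe,203.0.113.45
2021-03-15T08:00:00,4624,2,CORP\\asmith,10.0.4.17
2021-03-15T09:02:10,4624,10,CORP\\asmith,10.0.4.17
2021-03-15T09:10:00,4625,10,CORP\\bjones,10.0.4.22
"""

Event = namedtuple("Event", "when event_id logon_type account source_ip")


def parse_event(line):
    """Parse one CSV line of the constructed export into an Event."""
    when, event_id, logon_type, account, source_ip = line.strip().split(",")
    return Event(datetime.fromisoformat(when), int(event_id), int(logon_type), account, source_ip)


def is_internal(ip_text):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def detect_rdp_abuse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (alert, account, source_ip) tuples for suspicious RDP logons."""
    alerts = []
    failures = defaultdict(list)  # source_ip -> timestamps of failed RDP logons
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        if ev.event_id == 4625:
            failures[ev.source_ip].append(ev.when)
        elif ev.event_id == 4624:
            if not is_internal(ev.source_ip):
                alerts.append(("rdp_logon_from_external_ip", ev.account, ev.source_ip))
            recent = [t for t in failures[ev.source_ip] if ev.when - t <= window]
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", ev.account, ev.source_ip))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(*alert)
```

On the constructed sample only the jdoe session trips both rules; the internal logons and the single internal failure stay quiet. The threshold and window are parameters because a realistic baseline depends on the environment, and the external-address rule assumes RDP is reachable only through internal or VPN ranges, which the memo's advice to disable unused RDP exposure implies.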

Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).

Next Steps

The FBI does not encourage paying ransoms because payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware and/or fund illicit activities. However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers. Regardless of whether your organization decides to pay the ransom, the FBI urges you to report ransomware incidents to your local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). Doing so provides the FBI with critical information needed to prevent future attacks by identifying and tracking ransomware attackers and holding them accountable under U.S. law.

If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately.

Email: cywatch@fbi.gov
Phone: 1-855-292-3937