Pysa

The Pysa (Protect Your System Amigo) ransomware group emerged in July 2020 as a financially motivated cybercriminal organization that has impacted over 300 victims globally through systematic targeting of critical infrastructure sectors. The group is believed to operate independently rather than as a Ransomware-as-a-Service model, with suspected origins traced to Eastern European cybercriminal networks, though definitive attribution remains unconfirmed by law enforcement agencies. Pysa operators typically gain initial access through exploitation of Remote Desktop Protocol vulnerabilities, phishing campaigns, and exploitation of unpatched systems, employing tools such as PowerShell Empire, Cobalt Strike, and custom backdoors before deploying their ransomware payload that utilizes RSA and AES encryption algorithms. The group engages in double extortion tactics, systematically exfiltrating sensitive data before encryption and threatening public release through their "Partner Sites" leak platform if ransom demands are not met. Notable campaigns include attacks against major educational institutions, healthcare systems, and government entities primarily in the United States, United Kingdom, Italy, and Canada, with particular focus on the education and healthcare sectors during the COVID-19 pandemic, drawing significant attention from CISA and FBI advisories warning of their targeting of critical infrastructure. Law enforcement agencies including the FBI have issued multiple alerts regarding Pysa's activities, though the group has demonstrated resilience and continued operations despite increased scrutiny, with recent activity suggesting they remain active as of 2024.