The Pysa (Protect Your System Amigo) ransomware group emerged in July 2020 as a financially motivated cybercriminal organization that has impacted over 300 victims globally through systematic targeting of critical infrastructure sectors. The group is believed to operate independently rather than as a Ransomware-as-a-Service model, with suspected origins traced to Eastern European cybercriminal networks, though definitive attribution remains unconfirmed by law enforcement agencies.

Pysa operators typically gain initial access through exploitation of Remote Desktop Protocol vulnerabilities, phishing campaigns, and exploitation of unpatched systems, employing tools such as PowerShell Empire, Cobalt Strike, and custom backdoors before deploying their ransomware payload, which utilizes RSA and AES encryption algorithms. The group engages in double extortion tactics, systematically exfiltrating sensitive data before encryption and threatening public release through their "Partner Sites" leak platform if ransom demands are not met.

Notable campaigns include attacks against major educational institutions, healthcare systems, and government entities primarily in the United States, United Kingdom, Italy, and Canada, with particular focus on the education and healthcare sectors during the COVID-19 pandemic, drawing significant attention from CISA and FBI advisories warning of their targeting of critical infrastructure. Law enforcement agencies including the FBI have issued multiple alerts regarding Pysa's activities, though the group has demonstrated resilience and continued operations despite increased scrutiny, with recent activity suggesting they remain active as of 2024.

The group has been linked to 309 public disclosures across our corpus. First observed on a leak site on July 1, 2020; most recent post September 20, 2022. The operation is currently inactive.
Also tracked as: Mespinoza, Pyza.
How we know this. Darkfield monitors public ransomware leak sites continuously, archiving every new disclosure and the data later released against the victim. Each entry on this page is sourced from the operator's own publication and cross-checked against complementary OSINT feeds (RansomLook, ransomware.live, RansomWatch). We do not collect or host stolen data — only the metadata, timestamps and screenshots needed to make the public disclosure searchable and accountable. Records here are corrected when the original post is edited, retracted, or merged with another disclosure.