Malware: Pysa

Description

[Pysa](https://attack.mitre.org/software/S0583) is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.(Citation: CERT-FR PYSA April 2020)

External References

• mitre-attack
• CERT-FR PYSA April 2020
• DFIR Pysa Nov 2020
• NHS Digital Pysa Oct 2020

Techniques Used by This Malware

• T1003.001 — LSASS Memory
• T1016 — System Network Configuration Discovery
• T1021.001 — Remote Desktop Protocol
• T1036.005 — Match Legitimate Resource Name or Location
• T1046 — Network Service Discovery
• T1059.001 — PowerShell
• T1059.006 — Python
• T1070.004 — File Deletion
• T1110 — Brute Force
• T1112 — Modify Registry
• T1486 — Data Encrypted for Impact
• T1489 — Service Stop
• T1490 — Inhibit System Recovery
• T1552.001 — Credentials In Files
• T1562.001 — Disable or Modify Tools
• T1569.002 — Service Execution