Threat Database Ransomware Pysa Ransomware

Pysa Ransomware

The Pysa Ransomware is one of the newest detected ransomware threats. Once the cybersecurity researchers that spotted the Pysa Ransomware, looked into it deeper, they found that this threat belongs to the Mespinoza Ransomware family. Most ransomware threats operate in a rather identical manner – they would infiltrate a targeted system, encrypt the data present on it, and then ask the victim to pay a ransom fee in order to get a decryption key, which is supposed to unlock the affected files. More often than not, authors of ransomware would demand a rather hefty sum, rarely less than several hundred dollars.

Propagation and Encryption

Many creators of ransomware threats opt to use mass spam email campaigns to propagate their file-encrypting Trojans. Normally, this is done with an email that contains a fake message designed to convince the target to launch a seemingly harmless attachment. Unfortunately, the attachment is usually macro-laced and would compromise their system upon executing it. There are several other infection vectors that are rather popular tools for distributing threats of this class – fraudulent software downloads and updates, bogus pirated copies of popular applications or media, torrent trackers, etc. The Pysa Ransomware will make sure to encrypt a large variety of popular file types, which are likely to be found on the PC of any regular user - .mp3, .mp4. .mov, .png, .jpeg, .jpg, .doc, .docx, .ppt, .rar, .xls, .xlsx, etc. Once the Pysa Ransomware applies its encryption algorithm and locks the targeted data, all the affected files will be rendered unusable. The extension, which the Pysa Ransomware appends to the newly locked files, is ‘.pysa.’ For example, an audio file that was called ‘shining-lights.mp3’ before the attack took place, would have its name changed to ‘shining-lights.mp3.pysa’ once this data-locking Trojan encrypts it.

The Ransom Note

After the encryption process has been concluded, the Pysa Ransomware will drop its ransom message in a file named ‘Readme.README.txt.’ The note reads:

’Hi Company,

Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.
To get all your data back contact us:
Q: How can I make sure you don't fooling me?
A: You can send us 2 files(max 2mb).
Q: What to do to get all data back?
A: Don't restart the computer, don't move files and write us.
Q: What to tell my boss?
A: Protect Your System Amigo.’

In the ransom message, the attackers make it clear that the user’s data has been compromised and that they will need to pay a ransom fee if they want to recover their data. The authors of the Pysa Ransomware state that they would unlock two files for free, as long as they are not larger than 2MB in size. This is meant to serve as proof that the attackers possess a working decryption tool that is capable of reversing the damage done to the victim’s data. The victims are required to get in touch with the attackers using email, and there are two email addresses provided – ‘’ and ‘’
It is a good measure to keep your distance from shady cyber crooks like the creators of the Pysa Ransomware. Often, even users who give in and pay the demanded ransom fee are left empty-handed when the attackers never send them the decryption key promised. This is why you should download and install a legitimate anti-spyware suite that will wipe off the Pysa Ransomware from your system and ensure that you do not find yourself in this sticky situation in the future.

Related Posts


Most Viewed