
Rewterz Threat Alert – PYSA Ransomware

April 8, 2020

Severity

High

Analysis Summary

The ANSSI was recently informed of computer attacks in which ransomware was used, rendering certain files unusable. The origin of these attacks is unknown to date, and analyses are currently underway. The compromise described in this document affected interconnected information systems and appears to rely mainly on a variant of the ransomware known in open-source reporting as Mespinoza.

The Mespinoza ransomware has been in use since at least October 2018. Early versions produced encrypted files with the extension ".locked", an extension common to many ransomware families. Since December 2019, a new version of Mespinoza has been documented in open sources, sometimes called Pysa because it produces encrypted files with the extension ".pysa".

Impact

File encryption

Indicators of Compromise

SHA-256

  • 4770A0447EBC83A36E590DA8D01FF4A418D58221C1F44D21F433AAF18FAD5A99
  • 6661B5D6C8692BD64D2922D7CE4641E5DE86D70F5D8D10AB82E831A5D7005ACB

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the links/attachments sent by unknown senders.
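As an added example (not part of the Rewterz or ANSSI material above), the following Python script sweeps a directory tree for the two kinds of indicator this advisory gives: files whose SHA-256 matches the listed hashes, and files carrying the ".pysa" or ".locked" extension that Mespinoza/PYSA appends to encrypted data. The demo tree it builds is constructed and contains no real malware; for that reason the demo adds the hash of its own constructed sample to the IOC set, which a real sweep would not do. Everything else is the advisory's own data.

```python
"""Sweep a directory tree for PYSA/Mespinoza indicators from the advisory:
SHA-256 hash matches (possible payload) and encrypted-file extensions."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators taken from the advisory (lower-cased; hexdigest() is lower-case).
PYSA_SHA256 = {
    "4770a0447ebc83a36e590da8d01ff4a418d58221c1f44d21f433aaf18fad5a99",
    "6661b5d6c8692bd64d2922d7ce4641e5de86d70f5d8d10ab82e831a5d7005acb",
}

# Extensions the advisory says Mespinoza/PYSA appends to encrypted files.
ENCRYPTED_EXTENSIONS = {".pysa", ".locked"}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, ioc_hashes=PYSA_SHA256, extensions=ENCRYPTED_EXTENSIONS):
    """Walk `root` and return (hash_hits, extension_hits).

    hash_hits:      paths whose SHA-256 is in ioc_hashes (possible dropper/payload)
    extension_hits: paths whose suffix is in extensions (possible encrypted data)
    """
    hash_hits, extension_hits = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # do not follow links out of the tree being swept
            if path.suffix.lower() in extensions:
                extension_hits.append(str(path))
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in ioc_hashes:
                hash_hits.append(str(path))
    return hash_hits, extension_hits


def demo():
    """Constructed demonstration tree (no real malware): one file whose hash is
    added to the IOC set, one encrypted-looking file, one benign file.
    Returns the base names of the hash hits and the extension hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "sub" / "report.docx.pysa").write_bytes(b"\x00" * 64)  # looks encrypted
        (root / "notes.txt").write_bytes(b"nothing to see here\n")
        (root / "sample.bin").write_bytes(b"constructed sample, not the real payload")
        # A real sweep would pass PYSA_SHA256 alone; the constructed sample's hash
        # is added here only so the hash-matching path is exercised offline.
        iocs = PYSA_SHA256 | {sha256_of_file(root / "sample.bin")}
        hash_hits, ext_hits = sweep(root, ioc_hashes=iocs)
        return (sorted(Path(p).name for p in hash_hits),
                sorted(Path(p).name for p in ext_hits))


if __name__ == "__main__":
    hashes, extensions = demo()
    print("hash matches:", hashes)
    print("encrypted-looking files:", extensions)
```

Hash matching only catches the exact samples listed, so a miss proves nothing; the extension scan is the broader signal, and a sudden spread of ".pysa" files across shares is the point at which to isolate hosts and start incident response rather than keep sweeping.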
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.