| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Pysa has executed a malicious executable by naming it svchost.exe.[1] |
| Enterprise | T1112 | Modify Registry | Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Pysa has used PowerShell scripts to deploy its ransomware.[1] |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Pysa has the capability to stop antivirus services and disable Windows Defender.[1] |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1486 | Data Encrypted for Impact | Pysa has used the RSA and AES-CBC encryption algorithms to encrypt files matching a list of targeted file extensions.[1] |
| Enterprise | T1110 | Brute Force | Pysa has used brute force attempts against a central management console, as well as some Active Directory accounts.[1] |
| Enterprise | T1489 | Service Stop | |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | Pysa has extracted credentials from the password database before encrypting the files.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1490 | Inhibit System Recovery | |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1016 | System Network Configuration Discovery | Pysa can perform network reconnaissance using the Advanced IP Scanner tool.[1] |
| Enterprise | T1046 | Network Service Discovery | Pysa can perform network reconnaissance using the Advanced Port Scanner tool.[1] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |