PYSA ransomware and how to protect against it

| By:
Bryson Medlock

PYSA, an acronym for “protect your system amigo,” was one of the largest ransomware groups in the world. PYSA is a variant of the Mespinoza strain of malware that has been commonly leveraged in high-paying assaults—where attackers select victims based on their ability to pay. 

PYSA ransomware has particularly targeted higher education, K-12 schools, and seminaries in the United States and the United Kingdom. The ransomware works by exfiltrating data from victims before encrypting a victim’s system and pressuring the organization into a ransom payment. Even though PYSA is believed to have shut down operations as of January 2022, the hackers from the group are still out in the field, so it’s important to understand this group and its techniques.

For any MSP advising a company on best practices for cybersecurity, understanding the process and protocols will help mitigate and reduce the risk of PYSA and other ransomware threats. Malicious actors behind PYSA, which may not be part of other ransomware groups, are known for their brute force attacks on networks. Keep reading for our top recommendations on keeping your clients secure. 

What is PYSA ransomware?

In late 2019, the first known PYSA ransomware attacks were made against the US and other government entities, educational institutions, private companies, and healthcare organizations.

PYSA ransomware actors typically gained unauthorized access to victim networks by compromising Remote Desktop Protocol (RDP) credentials or by sending phishing emails. Armed with a number of tools, cyber actors then execute commands to deactivate any antivirus software and deploy Mespinoza/PYSA ransomware. 

During the process of exfiltrating files from a victim’s network and then encrypting all devices and data, cyber actors render all information, data, and files inaccessible to users. Once the malware has been deployed, a ransom message would be displayed on the victim’s login or lock screen containing information on how to contact the PYSA actors and pay the ransom.  

Unlike some cybercriminals, PYSA actors used a double-extortion tactic. If a victim refuses to pay for their data to be decrypted for use, the bad actors threaten to either leak the data or sell it for a profit. This adds another layer of complexity for organizations to navigate and consider. 

Notable PYSA ransomware attacks

PYSA ransomware attacks were most common during 2020 and 2021. In 2021, PYSA was the third largest ransomware strain, just behind LockBit 2.0 and Conti. Across all reported PYSA attacks, the most targeted region was North America and the United Kingdom, with the FBI noting that more than 12 educational institutions had been hit by PYSA ransomware attacks.  


In May 2020, an Australian financial services company called MyBudget was attacked by PYSA ransomware and closed for nearly two weeks. Exfiltrated data was leaked on PYSA’s blog and the company later confirmed that the outage was a result of a ransomware attack. 

American School Districts 

Twelve different American public school districts were attacked between October 2020 and May 2021. This included schools in Texas, Illinois, Connecticut, Nebraska, Missouri, and Indiana. Just like the standard PYSA pattern, the cybercriminals encrypted key data and then demanded a ransom payment from the school district.

Hackney Council

In October 2020, a PYSA ransomware attack impacted London’s Hackney Council in the U.K. The outage resulted in the organization being unable to process housing benefit payments—and even causing housing purchases to fall through. Later, data from Hackney Council was published by PYSA, confirming the roots of the attack. 

In the past two years, reports of PYSA ransomware attacks have been less common. Although there is no clear answer, some believe that PYSA ransomware hackers have moved on to other ransomware gangs. Regardless of the prevalence of PYSA attacks at this current moment, understanding the ongoing threat of ransomware is key to protecting your clients. 

Responding to a PYSA ransomware attack

MSPs mainly focus on protocols and policies to mitigate the risk of a PYSA ransomware attack, but knowing the best tactics to respond to a ransomware attack can be a helpful defense. 

When an organization has been compromised, the operators of PYSA ransomware communicated strictly via email. In general, paying the ransom was not encouraged. Although requested, a ransom payment does not guarantee that an organization’s file or data will be recovered and restored. It may also encourage other cybercriminals to target additional organizations and distribute ransomware more freely.

Protecting against PYSA ransomware

Protecting against PYSA ransomware and mitigating any possible damage is critical for an organization’s cybersecurity. Because ransomware is constantly changing, MSPs play an important role in keeping organizations secure. Even with the PYSA group having shut down operations, it’s important to keep this proactive mentality.

If a device on your client’s network becomes infected with PYSA ransomware, or tactics similar to PYSA ransomware, it can impact all remote files on various network locations. To keep your clients protected, follow these tips: 

Keep all software and systems up to date

Ensure that your clients have robust policies in place to keep all software, hardware, and systems up to date. Focus on updates and patches to address any cybersecurity vulnerabilities that may arise. By ensuring that all operating systems and software stay up-to-date, you can reduce the possibility of a cyber actor entering the system. 

Establish a reliable email filtering solution

As mentioned before, phishing emails can lead to ransomware attacks—and without reliable email filtering solutions, many organizations are at risk. Companies of all sizes should leverage email authentication and filtering techniques to effectively detect email spoofing, identify any suspicious emails, and help users flag what is a potential risk.  

Implement a reliable endpoint monitoring plan

Without proper and reliable endpoint monitoring and protection, ransomware cybercriminals can identify weaknesses and target a network. Endpoint protection and asset discovery empower companies to track new devices and monitor existing assets to ensure cybersecurity. Threat hunting is also a valuable practice to identify potential threats proactively.

Strengthening an organization’s overall network—from servers to applications—will help reduce the potential for a PYSA ransomware attack or PYSA-style attack. Endpoint security and monitoring help both MSPs and internal IT teams with clear insights to prevent suspicious activity. For the most effective experience, organizations should leverage a comprehensive EDR solution that includes a security operations center (SOC) for 24/7 monitoring and response.  

Educate clients on best user practices and restrict user privileges

Educating your clients on the best practices to minimize ransomware risk is critical. Start by teaching employees fundamental cybersecurity protocols and best practices and collaborating with your client to help them start or strengthen cybersecurity awareness training. 

In addition, incorporate multi-factor authentication (MFA) to provide an extra layer of security and prevent unauthorized access from an organization’s network.  

Leverage a robust general cybersecurity solution

A robust cybersecurity solution should empower MSPs with the resources, information, and software needed to stay ahead of the evolving threat landscape. These tools are essential to preventing and mitigating PYSA and other ransomware threats.

From EDR to vulnerability management, ConnectWise offers a suite of cybersecurity management software and support solutions to help protect your clients’ most critical assets. Explore our cybersecurity demos and trials to see firsthand how the right solution can help uplevel your cybersecurity offerings.


Although specific numbers on PYSA ransomware demands are unclear, the average ransom demand in 2021 was $247,000—a 45% increase since 2020—and the most aggressive ransomware strains include LockBit, Conti, and PYSA.

Examples of a PYSA indicator of compromise (IOC) typically include a PYSA ransom message displayed on the victim’s login or lock screen. It will often spell out “Protect Your System Amigo” and contain specific details on how to contact the PYSA actors to pay the ransom.

It depends. In some scenarios, cybercriminals often have one-of-a-kind tools to decrypt files that were encrypted by their own ransomware. 

No, the FBI advises businesses against paying the PYSA ransom. In many scenarios, a ransom payment does not guarantee that an organization’s file or data will be recovered and restored. It may also encourage other cybercriminals to target additional organizations and distribute ransomware more freely.

Organizations should partner with an MSP to strengthen their cybersecurity programs and leverage tools, such as endpoint protection and monitoring, email filtering software, best user practices, and up-to-date patches. 

Yes. Historically, PYSA ransomware has targeted companies and businesses in higher education, K-12 schools, seminaries, and healthcare institutions. Businesses have been impacted in both the United States and the United Kingdom. 

Antivirus software can help detect suspicious activity and alert IT teams and MSPs to potential concerns. This can enable them to act swiftly and reduce negative impact. However, antivirus software cannot block attacks once they’ve begun.

No. But if you were the victim of a Mespinoza/PYSA ransomware attack, the FBI encourages ransomware reports to your local FBI field office or the FBI’s Internet Crime Complaint Center (IC3). This provides the FBI with helpful information to prevent future attacks.