Cyber Threat Actor: Pysa
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
19 incidents |
|---|
Profile
The threat actor known as Mespinoza, also tracked as Pysa, is a ransomware group that has been publicly linked to Russia based on location information provided in threat intelligence sources. The actor primarily targets healthcare and education sectors, with a noticeable focus on organizations in the United States while also having conducted operations against entities in South Africa, such as the Nama Khoi Municipality. Their stated objective appears to be financial gain, as they deploy ransomware to encrypt victim data, exfiltrate sensitive information prior to encryption, and then threaten to leak the stolen data on a dark‑web leak site unless a ransom is paid, a tactic commonly described as double extortion. Technical details referenced in the reporting indicate that the group uses the Mespinoza ransomware payload (also referred to as Pysa) and operates under a ransomware‑as‑a‑service model, maintaining a leak site to pressure non‑paying victims.
Publicly reported incidents illustrate the group’s pattern of activity. In September 2021, Pysa claimed responsibility for a ransomware attack on a Las Vegas cancer center that compromised the personal and medical data of approximately 3,000 patients. In May 2021, the group attacked Consolidated High School District 230, leading to data exfiltration and disruption of school operations. An April 2021 incident at One Community Health resulted in the exfiltration of patient Social Security numbers, medical records and insurance information, with the group later posting the data to its leak site. Also in April 2021, a ransomware attack on an Indiana school district forced a shift to e‑learning and culminated in the public release of roughly 40 GB of data after negotiations failed. In November 2020, Overlake Obstetricians & Gynecologists suffered a breach that exposed over 8,900 patient files containing Social Security numbers and medical histories, and the Nama Khoi Municipality in South Africa experienced a ransomware incident where municipal data were leaked without a clear ransom demand being reported. These examples demonstrate the actor’s consistent focus on sectors that hold sensitive personal data and their reliance on data theft coupled with encryption to extort payment.
Attribution beyond the geographic location of Russia is not explicitly stated in the source material; the group is not described as state‑sponsored nor tied to a specific criminal syndicate beyond its self‑identified ransomware‑as‑a‑service structure. The repeated use of the Mespinoza/Pysa ransomware, the pre‑encryption data theft, and the maintenance of a public leak site constitute the core tactics, techniques and procedures that have been observed across the cited campaigns. This combination of ransomware deployment, data exfiltration, and leak‑site pressure defines the actor’s operational profile as documented in the available reporting.
