Threat Actor Profile
High Cybercriminal
Description

Mespinosa is ransomware that encrypts files using asymmetric encryption and appends .pysa as the file extension. According to dissectingmalware, the extension "pysa" is probably derived from the Zanzibari coin of the same name.

Confidence Score
100%
Tags
ransomware ransomware.live
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

Indicators of Compromise

STIX Data
{'added_date': None,
 'client': '2003264@sit.singaporetech.edu.sg',
 'description': 'Mespinosa is a ransomware which encrypts file using an '
                'asymmetric encryption and adds .pysa as file extension. '
                'According to dissectingmalware the extension "pysa" is '
                'probably derived from the Zanzibari Coin with the same name.',
 'firstseen': '2020-07-01T00:00:00+00:00',
 'group': 'pysa',
 'has_negotiations': False,
 'has_ransomnote': False,
 'lastseen': '2022-09-20T01:44:05.209440+00:00',
 'locations': [{'available': False,
                'fqdn': 'pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion',
                'slug': 'http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/partners.html',
                'title': "Pysa's Partners",
                'type': 'DLS'}],
 'negotiation_count': 0,
 'ransomnotes_count': 0,
 'tiaras_metadata': {'has_negotiations': False,
                     'has_ransomnote': False,
                     'locations': [{'available': False,
                                    'fqdn': 'pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion',
                                    'slug': 'http://pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion/partners.html',
                                    'title': "Pysa's Partners",
                                    'type': 'DLS'}],
                     'negotiation_count': 0,
                     'ransomnotes_count': 0,
                     'ransomware_live_group': 'pysa',
                     'tools': {'CredentialTheft': ['Mimikatz',
                                                   'ProcDump',
                                                   'SessionGopher'],
                               'DefenseEvasion': [],
                               'DiscoveryEnum': ['ADRecon',
                                                 'Advanced IP Scanner',
                                                 'Advanced Port Scanner'],
                               'Exfiltration': ['FileZilla', 'WinSCP'],
                               'LOLBAS': ['PsExec', 'WMIC'],
                               'Networking': [],
                               'Offsec': ['Chashell',
                                          'Koadic',
                                          'PowerShell Empire',
                                          'PowerSploit'],
                               'RMM-Tools': []},
                     'url': 'https://www.ransomware.live/group/pysa',
                     'victims': 309,
                     'vulnerabilities': []},
 'tiaras_source': 'ransomware.live',
 'tools': {'CredentialTheft': ['Mimikatz', 'ProcDump', 'SessionGopher'],
           'DefenseEvasion': [],
           'DiscoveryEnum': ['ADRecon',
                             'Advanced IP Scanner',
                             'Advanced Port Scanner'],
           'Exfiltration': ['FileZilla', 'WinSCP'],
           'LOLBAS': ['PsExec', 'WMIC'],
           'Networking': [],
           'Offsec': ['Chashell', 'Koadic', 'PowerShell Empire', 'PowerSploit'],
           'RMM-Tools': []},
 'ttps': [],
 'url': 'https://www.ransomware.live/group/pysa',
 'victims': 309,
 'vulnerabilities': []}