{"group":"pysa","count":1,"rules":[{"rule_name":"pysa.yar","rule_text":"/*\nPYSA / Mespinoza ransomware\n*/\n\nrule PYSA_Ransomnote\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.pysa\"\n        description = \"Detects PYSA / Mespinoza ransom note\"\n        date = \"2026-05-04\"\n        severity = 7\n        score = 70\n\n    strings:\n        $s1 = \"readme.README\" ascii nocase\n        $s2 = \"PYSA\" ascii\n        $s3 = \"camplejohn@tutamail\" ascii nocase\n        $s4 = \"hello@pysa\" ascii nocase\n        $s5 = \".pysa\" ascii\n\n    condition:\n        any of them\n}\n\nrule PYSA_PE\n{\n    meta:\n        author = \"ransomware.live\"\n        family = \"ransomware.pysa\"\n        description = \"Detects PYSA ransomware executable\"\n        date = \"2026-05-04\"\n        severity = 9\n        score = 90\n\n    strings:\n        $s1 = \"PYSA\" ascii wide\n        $s2 = \"Mespinoza\" ascii nocase\n        $s3 = \"readme.README\" ascii\n\n    condition:\n        uint16(0) == 0x5A4D and 2 of them\n}","sha256":"5e21708667cddc5bbbf20414f1c7b0b74d7bfbd7eae089aea60a1b4aa16ac443","byte_size":909,"updated_at":"2026-06-24 05:16:04"}]}