The Cyber Security News

Latest Cyber Security News

Header Right

  • Latest News
  • Vulnerabilities
  • Cloud Services
researchers share in depth analysis of pysa ransomware group

Researchers Share In-Depth Analysis of PYSA Ransomware Group

April 18, 2022

An 18-month-long analysis of the PYSA ransomware operation has revealed that the cybercrime cartel followed a five-stage software development cycle from August 2020, with the malware authors prioritizing features to improve the efficiency of its workflows.

Among those features was a user-friendly full-text search engine that extracts metadata from stolen documents, letting the operators find and access a given victim's information quickly.

“The group is known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data,” Swiss cybersecurity company PRODAFT said in an exhaustive report published last week.


PYSA, short for “Protect Your System, Amigo” and a successor of the Mespinoza ransomware, was first observed in December 2019 and has emerged as the third most prevalent ransomware strain detected during the fourth quarter of 2021.

Between September 2020 and January 2022, when its servers were taken offline, the gang is believed to have exfiltrated sensitive information from as many as 747 victims.


Most of its victims are located in the U.S. and Europe, with the group primarily striking government, healthcare, and educational sectors. “The U.S. was the most-impacted country, accounting for 59.2% of all PYSA events reported, followed by the U.K. at 13.1%,” Intel 471 noted in an analysis of ransomware attacks recorded from October to December 2021.

PYSA, like other ransomware families, pursues "big game hunting" (deliberately targeting large, well-resourced organizations) combined with double extortion: besides encrypting data, the group steals it and threatens to publish it should the victim refuse to pay.

Every eligible file is encrypted and given a ".pysa" extension; decrypting them requires the RSA private key, which is only handed over after the ransom is paid. Almost 58% of PYSA victims are said to have paid.

PRODAFT, which located a publicly exposed .git folder maintained by the PYSA operators, identified one of the project's authors as "[email protected]", a threat actor whose commit timestamps suggest they are located in a country that observes daylight saving time.
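The timezone inference described above can be reproduced from nothing more than commit metadata: a committer whose recorded UTC offset moves forward one hour in summer and back in winter is almost certainly working from a region that observes daylight saving time. The script below is an added example illustrating that technique; it is not PRODAFT's code and does not use data from the PYSA repository. The log lines, author names and e-mail addresses are constructed for the demonstration, in the shape produced by `git log --format='%an|%ae|%aI'`.

```python
"""Infer daylight-saving-time observance from git commit timestamps.

Added example, not PRODAFT's tooling. The sample log below is constructed;
the authors and addresses are hypothetical.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample in `git log --format='%an|%ae|%aI'` shape.
# %aI is the author date in strict ISO 8601, which keeps the committer's
# local UTC offset rather than normalizing to UTC.
SAMPLE_LOG = """\
t1|t1@example.invalid|2021-01-08T10:14:02+01:00
t1|t1@example.invalid|2021-02-17T22:40:11+01:00
t1|t1@example.invalid|2021-06-03T09:05:44+02:00
t1|t1@example.invalid|2021-07-21T18:30:00+02:00
t1|t1@example.invalid|2021-11-12T11:00:00+01:00
t3|t3@example.invalid|2021-03-01T03:00:00+03:00
t3|t3@example.invalid|2021-08-15T16:00:00+03:00
t3|t3@example.invalid|2021-12-20T12:00:00+03:00
"""


def parse_log(text):
    """Yield (author, utc_offset_hours, month) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue  # skip malformed or blank lines
        author, _email, stamp = parts
        dt = datetime.fromisoformat(stamp)  # preserves the +HH:MM offset
        if dt.utcoffset() is None:
            continue  # naive timestamp carries no timezone evidence
        yield author, dt.utcoffset().total_seconds() / 3600, dt.month


def offsets_by_author(text):
    """Map author -> {utc_offset_hours: set of months seen at that offset}."""
    table = defaultdict(lambda: defaultdict(set))
    for author, offset, month in parse_log(text):
        table[author][offset].add(month)
    return table


def observes_dst(offsets):
    """Return True when the commits show a northern-hemisphere DST pattern.

    offsets maps UTC offset (hours) -> months seen at that offset. We require
    exactly two offsets one hour apart, with the larger (summer) offset never
    seen in the winter-only months and the smaller one never seen in the
    summer-only months. March and October are transition months in Europe and
    North America and may legitimately show either offset, so they are not
    used as evidence. Southern-hemisphere DST would invert the month sets and
    is not handled here.
    """
    if len(offsets) != 2:
        return False
    low, high = sorted(offsets)
    if high - low != 1:
        return False
    summer_only = {4, 5, 6, 7, 8, 9}
    winter_only = {11, 12, 1, 2}
    return not (offsets[high] & winter_only) and not (offsets[low] & summer_only)


def dst_report(text):
    """Per-author verdict: does this committer's clock observe DST?"""
    return {author: observes_dst(offs)
            for author, offs in offsets_by_author(text).items()}


if __name__ == "__main__":
    for author, verdict in dst_report(SAMPLE_LOG).items():
        print(f"{author}: {'observes DST' if verdict else 'no DST pattern'}")
```

On the constructed sample, `t1` flips between +01:00 and +02:00 with the seasons and is flagged, while `t3` sits at a fixed +03:00 all year and is not. Note that author dates can be set arbitrarily by the committer, so this is circumstantial evidence to be weighed alongside other opsec failures, not proof of location.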

At least 11 accounts, a majority of which were created on January 8, 2021, are said to be in charge of the overall operation, the investigation has revealed. That said, four of these accounts — named t1, t3, t4, and t5 — account for over 90% of activity on the group’s management panel.

Other operational security mistakes by the group's members also made it possible to trace a hidden service on the Tor anonymity network back to its real hosting provider, Snel.com B.V. in the Netherlands, offering a glimpse into the actor's infrastructure and tactics.

PYSA's infrastructure also consists of Docker containers, including public leak servers, database and management servers, as well as Amazon S3 storage for the encrypted files, which amount to a massive 31.47 TB.


Also put to use is a custom leak management panel for searching the confidential documents exfiltrated from victims' internal networks prior to encryption. The panel is written in PHP 7.3.12 on the Laravel framework, and its development is managed with the Git version control system.

What's more, the management panel exposes a variety of API endpoints that enable the system to list files, download files, and index them for full-text search, which sorts the stolen victim information into broad categories for easy retrieval.

"The group is supported by competent developers who apply modern operational paradigms to the group's development cycle," the researchers said. "It suggests a professional environment with well-organized division of responsibilities, rather than a loose network of semi-autonomous threat actors."

If anything, the findings are yet another indicator that ransomware gangs like PYSA and Conti operate and are organized like legitimate software companies, even including an HR department to recruit new hires and an “employee of the month” award for tackling challenging problems.

The disclosure also comes as a report from cybersecurity company Sophos found that two or more threat actor groups spent at least five months within the network of an unnamed regional U.S. government agency before deploying a LockBit ransomware payload at the start of the year.



Some parts of this article are sourced from:
thehackernews.com
