The Pysa ransomware operation’s PowerShell script gives us a sneak peek at the types of data they try to collect during a campaign.
When ransomware gangs infiltrate a network, they usually start from a single device on which they have only limited access.
They then use a variety of tools and exploits to steal additional Windows domain credentials or gain elevated rights on other devices.
After gaining access to a Windows domain controller, they search for and steal data on the network before encrypting devices.
This stolen data is used by threat actors in two ways.
The first is to make a ransom demand based on the company’s revenue and whether or not it has insurance. The second strategy is to intimidate the victims into paying a ransom since the gang will expose the information if they don’t.
Scouring for valuable information.
A malware-hunting team recently shared a PowerShell script with an IT publication that was used by the Pysa ransomware operation to find and exfiltrate data from a server.
This script searches every drive on the device for folders whose names match specific strings. If a folder matches the search parameters, the script uploads the contents of that folder to a remote drop server controlled by the threat actor.
The 123 keywords that the script looks for are particularly interesting since they reveal what the ransomware gang considers valuable.
As we would expect, the script looks for files connected to the company’s finances or personal information, such as audits, banking information, login credentials, tax forms, student information, social security numbers, and SEC filings.
It also scans for folders containing the keywords ‘crime,’ ‘investigation,’ ‘fraud,’ ‘bureau,’ ‘federal,’ ‘hidden,’ ‘secret,’ ‘illegal,’ and ‘terror,’ among other keywords that point to information which could be extremely damaging to a corporation if released.
The table below contains the whole list of 123 keywords targeted by the threat actors’ script.
941 | confident | Info | RRHH |
1040 | Crime | insider | saving |
1099 | claim | Insurance | scans |
8822 | Terror | investigation | sec |
9465 | Confidential*Disclosure | IRS | secret |
401K | contact | ITIN | security |
4506-T | contr | K-1 | studen |
ABRH | CPF | letter | seed |
Audit | CRH | List | Signed |
Addres | Transact | Login | sin |
agreem | DDRH | soc | |
Agreement*Disclosure | Demog | NDA | SS# |
ARH | Detail | Numb | SS-4 |
Assignment | Disclosure*Agreement | Partn | SSA |
balanc | Disclosure*Confidential | passport | SSN |
bank | DRH | passwd | Staf |
Bank*Statement | emplo | password | statement |
Benef | Enrol | pay | Statement*Bank |
billing | federal | payment | SWIFT |
budget | Finan | payroll | tax |
bureau | finance | person | Taxpayer |
Brok | Form | Phone | unclassified |
card | fraud | privacy | Vend |
cash | government | privat | W-2 |
CDA | hidden | pwd | w-4 |
checking | hir | Recursos*Humanos | W-7 |
clandestine | HR | report | W-8BEN |
compilation | Human | Resour | w-9 |
compromate | i-9 | resurses*human | W-9S |
concealed | illegal | RHO | |
confid | important | routing | |
It’s pointless to change the names of your folders so that they don’t contain these strings because threat actors will almost certainly undertake manual data sweeps.
On the other hand, knowing what types of data a ransomware gang is looking for gives you a realistic view of how ransomware gangs try to extort their victims.
Pysa isn’t the only operation that looks for specific files after breaking into a network.
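As an added example (not the Pysa script and not code from the original article), the Python below reproduces the folder-name matching the article describes so that defenders can inventory which folders on their own shares such a keyword sweep would flag. It uses a subset of the keywords from the table above and assumes that a ‘*’ in a keyword means both parts must appear in the folder name; the directory tree it scans is constructed inline.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Subset of the 123 keywords from the leaked Pysa script (see the table above).
# A '*' in a keyword is treated here as "both parts must appear in the folder
# name"; that reading of the wildcard is an assumption, not taken from the script.
KEYWORDS = [
    "Audit", "bank", "Bank*Statement", "budget", "Confidential*Disclosure",
    "passwd", "password", "payroll", "SSN", "studen", "tax", "W-2",
]


def matches(folder_name: str, keywords: List[str] = KEYWORDS) -> List[str]:
    """Return every keyword that matches folder_name (case-insensitive substrings)."""
    name = folder_name.lower()
    hits = []
    for kw in keywords:
        parts = kw.lower().split("*")
        if all(part in name for part in parts):
            hits.append(kw)
    return hits


def find_sensitive_folders(root: str, keywords: List[str] = KEYWORDS) -> Dict[str, List[str]]:
    """Walk root and map each folder whose name matches to the keywords it matched.
    This is the defender's inventory: the same folders an attacker's sweep would pick up."""
    found: Dict[str, List[str]] = {}
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            hits = matches(d, keywords)
            if hits:
                found[os.path.join(dirpath, d)] = hits
    return found


def demo() -> Dict[str, List[str]]:
    """Constructed directory tree standing in for a file share; returns the matches found."""
    base = tempfile.mkdtemp()
    for rel in ["Finance/Payroll 2021", "Finance/Bank Statements", "HR/Student Records",
                "Legal/Disclosure - Confidential", "Marketing/Logos", "IT/old-passwords"]:
        Path(base, rel).mkdir(parents=True)
    # Report paths relative to the share root, with '/' separators on every platform.
    return {os.path.relpath(p, base).replace(os.sep, "/"): hits
            for p, hits in find_sensitive_folders(base).items()}


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```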
An enraged Conti affiliate exposed the ransomware operation’s training materials earlier this month.
According to this training material, affiliates were instructed, after gaining access to the Windows domain controller, to immediately search for data containing the following keywords.
- cyber
- policy
- insurance
- endorsement
- supplementary
- underwriting
- terms
- bank
- 2020
- 2021
- Statement
Once again, this demonstrates the importance of data theft in a ransomware attack and the importance of appropriately safeguarding it.
To read more, please check eScan Blog