A deep dive analysis of the PYSA ransomware group is released by researchers

An 18-month examination of the PYSA ransomware operation revealed that the cybercrime cartel adopted a five-stage software development process to increase the efficiency of its workflows.

A convenient user-friendly tool like a full-text search engine made it easier for threat actors to extract metadata and find and access victim information quickly.

PRODAFT said in an exhaustive report published last week that the group carefully researches high-value targets before attacking them, compromising enterprise systems and forcing organizations to pay large ransoms to retrieve their data.

Known as “Protect Your System, Amigo”, PYSA, a successor to the Mespinoza ransomware, was first observed in December 2019 and appeared to be the third most prevalent ransomware strain during the fourth quarter of 2021.

The cybercriminal gang allegedly exfiltrated sensitive information belonging to 747 victims between September 2020 and January 2019 until its servers were taken offline.

Most of its victims are located in the U.S. and Europe, with the group primarily striking government, healthcare, and educational sectors. “The U.S. was the most-impacted country, accounting for 59.2% of all PYSA events reported, followed by the U.K. at 13.1%,” Intel 471 noted in an analysis of ransomware attacks recorded from October to December 2021.

PYSA, like other ransomware families, is known to follow the “big game hunting” approach of double extortion, which involves publicizing the stolen information should a victim refuse to comply with the group’s demands.

Every eligible file is encrypted and given a “.pysa” extension, decoding which requires the RSA private key that can only be obtained after paying the ransom. Almost 58% of the PYSA victims are said to have made digital payments.
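The consistent ".pysa" extension described above is the kind of artifact a defender can watch for. The following is an added example, not code from the article or from PRODAFT's report, showing a minimal detector that flags a burst of files gaining the ".pysa" extension on one host within a short window. The log line format, host names, paths, and thresholds are all constructed for the example.

```python
"""Added example (not from the original article or the PRODAFT report):
flag hosts where many files gain the ".pysa" extension in a short window.
The log format "<ISO timestamp> <host> RENAME <old> -> <new>" is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-activity events (hypothetical hosts and paths).
SAMPLE_EVENTS = [
    "2022-01-10T09:00:01 fs01 RENAME /share/finance/q4.xlsx -> /share/finance/q4.xlsx.pysa",
    "2022-01-10T09:00:02 fs01 RENAME /share/finance/notes.docx -> /share/finance/notes.docx.pysa",
    "2022-01-10T09:00:02 fs01 RENAME /share/hr/roster.csv -> /share/hr/roster.csv.pysa",
    "2022-01-10T09:00:03 fs01 RENAME /share/hr/policy.pdf -> /share/hr/policy.pdf.pysa",
    "2022-01-10T09:00:04 fs01 RENAME /share/hr/old.pdf -> /share/hr/old.pdf.pysa",
    "2022-01-10T09:30:00 fs02 RENAME /home/bob/draft.txt -> /home/bob/draft_v2.txt",
    "2022-01-10T10:15:00 fs02 RENAME /home/bob/backup.zip -> /home/bob/backup.zip.pysa",
]

RANSOM_EXT = ".pysa"  # extension reported for PYSA-encrypted files


def parse_event(line):
    """Parse one log line into (timestamp, host, old_path, new_path).

    Returns None for lines that are not RENAME events in the assumed format.
    """
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    ts, host, op, rest = parts
    if op != "RENAME" or " -> " not in rest:
        return None
    old, new = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), host, old, new


def find_pysa_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {host: peak_count} for hosts where at least `threshold` files
    gained the .pysa extension inside any `window`-long sliding interval.

    Only renames that newly add the extension count, so re-listing an
    already-encrypted file does not inflate the score.
    """
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, host, old, new = ev
        if new.endswith(RANSOM_EXT) and not old.endswith(RANSOM_EXT):
            per_host[host].append(ts)

    alerts = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        peak = 0
        # Sliding window: advance `start` until the span fits in `window`.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[host] = peak
    return alerts


if __name__ == "__main__":
    for host, count in find_pysa_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {count} files renamed to {RANSOM_EXT} within 60s")
```

On the constructed events, fs01 trips the alert with five renames in four seconds, while fs02's single rename stays below the threshold. In practice the same sliding-window logic can be fed from file-server audit logs or an EDR's file-event stream, and the threshold tuned to the environment's normal rename rate.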

PRODAFT, which was able to locate a publicly available .git folder managed by PYSA operators, identified one of the project’s authors as “dodo@mail.pcc,” a threat actor who is believed to be located in a country that observes daylight savings time based on the commit history.

At least 11 accounts, a majority of which were created on January 8, 2021, are said to be in charge of the overall operation, the investigation has revealed. That said, four of these accounts — named t1, t3, t4, and t5 — account for over 90% of activity on the group’s management panel.

Other operational security mistakes made by the group’s members also made it possible to identify a hidden service running on the TOR anonymity network — a hosting provider (Snel.com B.V.) located in the Netherlands — offering a glimpse into the actor’s tactics.

PYSA’s infrastructure also consists of dockerized containers, including public leak servers, database, and management servers, as well as an Amazon S3 cloud to store the encrypted files, which amount to a massive 31.47TB.

Also put to use is a custom leak management panel to search confidential documents in the files exfiltrated from victims’ internal networks prior to encryption. Besides using the Git version control system to manage the development processes, the panel itself is coded in PHP 7.3.12 using the Laravel framework.

What’s more, the management panel exposes a variety of API endpoints that enable the system to list files, download files, and analyze the files for full-text search, which is designed to categorize the stolen victim information into broad categories for easy retrieval.

“The group is supported by competent developers who apply modern operational paradigms to the group’s development cycle,” the researchers said. “It suggests a professional environment with well-organized division of responsibilities, rather than a loose network of semi-autonomous threat actors.”

If anything, the findings are yet another indicator that ransomware gangs like PYSA and Conti operate and are structured like legitimate software companies, even including an HR department to recruit new hires and an “employee of the month” award for tackling challenging problems.

The disclosure also comes as a report from cybersecurity company Sophos found that two or more threat actor groups spent at least five months within the network of an unnamed regional U.S. government agency before deploying a LockBit ransomware payload at the start of the year.

Some sections of this post are sourced from: thehackernews.com
