Pysa ransomware script sheds light on data that hackers are interested in

by Emma Davis
August 25, 2021
data hackers are interested in
Written by Emma Davis

The researchers had at their disposal a PowerShell script used by the operators of the ransomware Pysa, and the experts were able to assess what data hackers are interested in and are trying to steal during attacks.

Typically, ransomware operators infiltrate the target network and start with limited access to one device. They then use various tools and exploits to steal other credentials used in the Windows domain or gain elevated privileges.

After gaining access to a Windows domain controller, they search for and steal various information from the victim’s network before encrypting the devices.

Bleeping Computer journalists write that the other day MalwareHunterTeam specialists shared with them a script that the Pysa ransomware operators use to find and steal data from the attacked server.

The script is designed to scan each drive looking for data folders that match specific strings. If the folder matches the search criteria, the script will upload the files to a remote server controlled by the attackers.

Of particular interest to researchers were 123 keywords that the script will target in its searches, and which provide insight into what hackers find valuable.the journalists say.

As can be expected, the script looks for files associated with a company’s financial or personal information, including audit and banking information, credentials, tax forms, social security numbers, and SEC documents. It also searches for other keywords, including crime, investigation, fraud, bureau, federal, hidden, secret, illegal, terror (terror). The complete list can be seen below.

data hackers are interested in
The publication reminds that recently a disgruntled partner of the group shed light on the work of another ransomware, Conti. The docs tell you how to access someone else’s network, side-move, expand access, and then steal data before encrypting it.

After gaining control of a Windows domain controller, the grouping partners were prompted to search for the following keywords, according to his published data:

  • Cyber;
  • Policy;
  • Insurance;
  • Endorsement;
  • Supplementary;
  • Underwriting;
  • Terms;
  • Bank;
  • 2020;
  • 2021;
  • Statement.

Let me remind you that we talked about the fact that Conti ransomware attacks Ireland’s Health Service Executive.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending