An 18-month-long analysis of the PYSA ransomware operation has revealed that the cybercrime cartel followed a five-stage software development cycle from August 2020, with the malware authors prioritizing features to improve the efficiency of its workflows.
This included an user-friendly tool such as a full text search engine that extracts metadata to aid threat actors in quickly finding victim information.
“The group is known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data,” Swiss cybersecurity company PRODAFT said in an exhaustive report published last week.
PYSA, short for “Protect Your System, Amigo” and a successor of the Mespinoza ransomware, was first observed in December 2019 and has emerged as the third most prevalent ransomware strain detected during the fourth quarter of 2021.
Since September 2020, the cybercriminal gang is believed to have exfiltrated sensitive information belonging to as many as 747 victims until its servers were taken offline earlier this January.
Most of its victims are located in the U.S. and Europe, with the group primarily striking government, healthcare, and educational sectors. “The U.S. was the most-impacted country, accounting for 59. 2% of all PYSA events reported, followed by the U.K. at 13. 1%,” Intel 471 noted in an analysis of ransomware attacks recorded from October to December 2021.
PYSA is like many ransomware families. It follows the double extortion approach, or “big game hunting”, which requires victims to publish the stolen information if they refuse to comply.
Every eligible file is encrypted and given a “.pysa” extension, decoding which requires the RSA private key that can only be obtained after paying the ransom. Almost 58% of the PYSA victims are said to have made digital payments.
PRODAFT was able locate the.git file managed by PYSA users and identified the author as “dodo@mail.pcc,” which is a threat actor believed to have been located in a country with daylight savings. Based on commit history, PRODAFT also found the folder.
At least 11 accounts, a majority of which were created on January 8, 2021, are said to be in charge of the overall operation, the investigation has revealed. That said, four of these accounts — named t1, t3, t4, and t5 — account for over 90% of activity on the group’s management panel.
Other security errors made by members of the group made it possible for us to discover a secret service on the Tor anonymity network. This hidden service (Snel.com B.V. hosting provider) is located in the Netherlands and offers a peek into the actors’ tactics.
PYSA’s infrastructure also consists of dockerized containers, including public leak servers, database, and management servers, as well as an Amazon S3 cloud to store the encrypted files, which amount to a massive 31.47TB.
Also put to use is a custom leak management panel to search confidential documents in the files exfiltrated from victims’ internal networks prior to encryption. Besides using the Git version control system to manage the development processes, the panel itself is coded in PHP 7.3. 12 using the Laravel framework.
The management panel also exposes various API endpoints which allow the system to download and list files. This allows the system to perform full-text searches. It is intended to classify the victim information in broad categories that can be easily retrieved.
” The group has competent developers that apply modern operational paradigms during its development cycle,” said the researcher. It suggests that there is a structured professional environment, with well-structured divisions of responsibilities and not a loose network semi-autonomous threat agents. “
If anything, the findings are yet another indicator that ransomware gangs like PYSA and Conti operate and are organized like legitimate software companies, even including an HR department to recruit new hires and an “employee of the month” award for tackling challenging problems.
The disclosure also comes as a report from cybersecurity company Sophos found that two or more threat actor groups spent at least five months within the network of an unnamed regional U.S. government agency before deploying a LockBit ransomware payload at the start of the year.
