An 18-month analysis of the PYSA ransomware operation has revealed that as of August 2020, the cybercrime cartel followed a five-stage software development cycle, with malware authors prioritizing features to improve the efficiency of its workflows.
This included an easy-to-use tool, such as a full-text search engine, to facilitate metadata extraction and allow attackers to quickly find and access victim information.
“The group is known for carefully examining high-value targets before launching their attacks, compromising corporate systems and forcing companies to pay hefty ransoms to recover their data,” Swiss cybersecurity firm PRODAFT said in a detailed report published last week.
PYSA, short for “Protect Your System, Amigo” and a successor to the Mespinoza ransomware, was first observed in December 2019 and has emerged as the third most common ransomware strain detected in the fourth quarter of 2021.
Since September 2020, the cybercriminal gang is said to have exfiltrated sensitive information from up to 747 victims until their servers were taken offline in early January this year.
Most of its victims are located in the US and Europe, with the group primarily hitting the government, healthcare and education sectors. “The US was the hardest hit country with 59.2% of all reported PYSA incidents, followed by the UK with 13.1%,” Intel 471 noted in an analysis of ransomware attacks recorded from October to December 2021.
PYSA, like other ransomware families, is known for adopting the “big game hunting” double-ransom approach, releasing the stolen information if a victim refuses to comply with the group’s demands.
Each legitimate file is encrypted and appended with the “.pysa” extension; decryption requires the RSA private key, which can only be obtained after paying the ransom. Almost 58% of the PYSA victims are said to have paid digitally.
PRODAFT, which was able to locate a publicly accessible .git folder maintained by PYSA operators, identified one of the project’s authors as “firstname.lastname@example.org”, a threat actor believed, based on the commit history, to be located in a country that observes daylight saving time.
At least 11 accounts, most of which were created on Jan. 8, 2021, are said to be responsible for the overall operation, the investigation has found. However, four of these accounts — named t1, t3, t4, and t5 — account for over 90% of activity on the group’s management panel.
Other operational security mistakes committed by the group’s members also made it possible to identify a hidden service running on the Tor anonymity network, hosted by a provider (Snel.com BV) based in the Netherlands, which could provide insight into the actor’s tactics.
PYSA’s infrastructure also consists of dockerized containers, including public leak servers, database and management servers, and an Amazon S3 cloud for storing the encrypted files, totaling a whopping 31.47 TB.
In addition, a custom leak-management panel is used to search for sensitive documents among the files exfiltrated from victims’ internal networks prior to encryption. The panel itself is coded in PHP 7.3.12 using the Laravel framework, and the group uses the Git version control system to manage its development process.
The management panel also exposes a variety of API endpoints that allow the system to list files, download files, and index them for full-text search, which is designed to sort the stolen victim information into broad categories for easy retrieval.
“The group is supported by competent developers who apply modern operational paradigms to the development cycle of the group,” said the researcher. “It suggests a professional environment with a well-organized division of tasks rather than a loose network of semi-autonomous threat actors.”
If anything, the results are another indicator that ransomware gangs like PYSA and Conti operate and are organized like legitimate software companies, even with a human resources department to recruit new employees and an “Employee of the Month” award for tackling challenging problems.
The disclosure also comes as a report by cybersecurity firm Sophos found that two or more groups of threat actors spent at least five months on the network of an unnamed regional US government agency before deploying a LockBit ransomware payload earlier this year.