Pysa threat actors’ script shows exactly the files they’re after

Lawrence Abrams reports:

A PowerShell script used by the Pysa ransomware operation gives us a sneak peek at the types of data they attempt to steal during a cyberattack.

[…]

Yesterday, MalwareHunterTeam shared a PowerShell script with BleepingComputer used by the Pysa ransomware operation to search for and exfiltrate data from a server.

This script is designed to scan each drive for data folders whose names match certain strings on a device. If a folder matches the search criteria, the script will upload the folder’s files to a remote drop server under the threat actor’s control.

Read more on BleepingComputer. Interestingly, the list of keywords does not include the kinds of data we have actually seen Pysa dump — such as patient data or anything medical, or student information, etc.

Legal Silence and Chilling Effects: Injunctions Against the Press in Cybersecurity
#StopRansomware: Interlock
Two more entities have folded after ransomware attacks
British institutions to be banned from paying ransoms to Russian hackers
Authorities released free decryptor for Phobos and 8base ransomware
North Country Healthcare responds to Stormous's claims of a breach

Related: