Pysa threat actors’ script shows exactly the files they’re after
Lawrence Abrams reports:
A PowerShell script used by the Pysa ransomware operation gives us a sneak peek at the types of data they attempt to steal during a cyberattack.[…]
Yesterday, MalwareHunterTeam shared with BleepingComputer a PowerShell script used by the Pysa ransomware operation to search for and exfiltrate data from a server.
This script is designed to scan each drive on a device for data folders whose names match certain strings. If a folder matches the search criteria, the script uploads the folder’s files to a remote drop server under the threat actor’s control.
Read more on BleepingComputer. Interestingly, the list of keywords does not include the kinds of data we have actually seen Pysa dump — such as patient data or anything medical, or student information, etc.
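Added example, not the Pysa script and not code from BleepingComputer or this site: a defender-side audit that reproduces only the discovery half of what the article describes (walk a root, flag directories whose names contain a keyword) so you can see in advance which folders a crude name-based scan would collect on your own shares. The upload step is deliberately left out. The keyword list and the sample share layout are constructed for the demo and are not the operators’ actual list; the point the run makes is that substring matching on folder names both over-collects (an innocent "Throughput" folder hits "hr") and under-collects (a sensitive file in a blandly named folder is never seen), which is one reason a keyword list can fail to line up with what an operation ends up dumping.

```python
"""Audit which directories a folder-name keyword scan would flag.

Added example; reproduces only the discovery logic described in the article
(walk each directory, match the folder *name* against a keyword list).
No network activity. Keywords and sample tree are constructed assumptions.
"""
import os
import tempfile
from pathlib import Path

# Hypothetical audit keywords (assumption for the demo; not the actual list).
AUDIT_KEYWORDS = ["payroll", "finance", "passport", "ssn", "tax", "hr", "backup"]


def build_sample_tree(base):
    """Create a constructed file-share layout under *base* and return its root.
    Folder and file names are made up for this demo."""
    root = Path(base) / "share"
    layout = {
        "Finance": ["budget.xlsx"],
        "Finance/Payroll": ["march.csv", "april.csv"],
        "Projects/Public": ["readme.txt"],
        "Engineering/Throughput": ["bench.log"],  # innocent, but the name contains "hr"
        "Misc": ["finance.xlsx"],                  # sensitive file, bland folder name
    }
    for rel, files in layout.items():
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        for name in files:
            (d / name).write_text("sample")
    return root


def find_matching_dirs(root, keywords):
    """Return {relative_dir: file_count} for every directory below *root* whose
    own name contains one of *keywords*, case-insensitively.

    Matching on the directory name only (not the full path, not file names)
    mirrors the crude check the article describes: a folder called "Finance"
    is hit, while finance.xlsx sitting inside "Misc" is not.
    """
    root = Path(root)
    lowered = [k.lower() for k in keywords]
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        p = Path(dirpath)
        if p == root:  # the root itself is the starting point, not a candidate
            continue
        if any(k in p.name.lower() for k in lowered):
            hits[p.relative_to(root).as_posix()] = len(filenames)
    return hits


def demo():
    """Build the constructed tree in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return find_matching_dirs(root, AUDIT_KEYWORDS)


if __name__ == "__main__":
    for rel, n in sorted(demo().items()):
        print(f"{rel}: {n} file(s) would be collected")
```

Run it against a real share root instead of the temp tree to get a list of folders that this kind of scan would sweep up; anything sensitive that is missing from that list is exactly the data a name-based keyword list would not reach, and anything innocent on it is what you would expect an attacker to waste bandwidth on.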