Pysa threat actors’ script shows exactly the files they’re after

Lawrence Abrams reports:

A PowerShell script used by the Pysa ransomware operation gives us a sneak peek at the types of data they attempt to steal during a cyberattack.

Yesterday, MalwareHunterTeam shared with BleepingComputer a PowerShell script used by the Pysa ransomware operation to search for and exfiltrate data from a server.

This script is designed to scan each drive on a device for data folders whose names match certain strings. If a folder matches the search criteria, the script will upload the folder’s files to a remote drop server under the threat actor’s control.

Read more on BleepingComputer. Interestingly, the list of keywords does not include the kinds of data we have actually seen Pysa dump — such as patient data or anything medical, or student information, etc.
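The discovery step described in the quoted passage (walk every drive, select folders whose names match a keyword list) is worth reproducing defensively, so that you know what such a script would find on your own file servers before an intruder runs one. The block below is an added example; it is not the Pysa script and not code from BleepingComputer or this site. The keyword list and the matching rule (case-insensitive substring on the folder name) are assumptions, since the page does not reproduce either, and the example deliberately stops at reporting: it counts what would be collected and uploads nothing.

```python
import os
import tempfile
from pathlib import Path

# Constructed keyword list for illustration only. The real Pysa list is not
# reproduced on this page, and case-insensitive substring matching on the
# folder name is an assumption about how such a script selects targets.
SAMPLE_KEYWORDS = ["finance", "payroll", "contract", "passw", "bank"]


def find_matching_folders(root, keywords):
    """Walk every folder under root and return those whose name contains any
    keyword (case-insensitive substring), as sorted POSIX-style relative paths.
    Only directory names are inspected; no file content is read or copied."""
    root = Path(root)
    wanted = [k.lower() for k in keywords]
    hits = []
    for dirpath, dirnames, _filenames in os.walk(root):
        for name in dirnames:
            if any(k in name.lower() for k in wanted):
                rel = (Path(dirpath) / name).relative_to(root)
                hits.append(rel.as_posix())
    return sorted(hits)


def count_files(folder):
    """Number of files (recursive) an exfiltration step would pick up from a
    matched folder."""
    return sum(1 for p in Path(folder).rglob("*") if p.is_file())


def audit(root, keywords):
    """Map each matched folder to the number of files that would be collected."""
    return {f: count_files(Path(root) / f)
            for f in find_matching_folders(root, keywords)}


def build_sample_tree():
    """Create a constructed directory layout in a temp dir and return its root.
    The folder and file names are made up for this example."""
    root = Path(tempfile.mkdtemp(prefix="pysa_hunt_"))
    layout = {
        "Finance/2020": ["budget.xlsx", "ledger.csv"],
        "HR/Payroll": ["march.pdf"],
        "Photos/Vacation": ["img1.jpg"],
        "Legal/Contracts/Signed": ["msa.docx", "nda.docx", "sow.docx"],
        "IT/Passwords": ["vault.kdbx"],
        "Public": ["readme.txt"],
    }
    for rel, files in layout.items():
        d = root / rel
        d.mkdir(parents=True)
        for f in files:
            (d / f).write_text("constructed sample content\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for folder, n in audit(sample_root, SAMPLE_KEYWORDS).items():
        print(f"{folder}: {n} file(s) would be collected")
```

To run this against a real host, call `audit()` once per drive root (for example `C:\` on Windows) with a keyword list that reflects the data categories you actually hold. A matched parent folder is reported once even if its subfolders also match, because the count is already recursive; the point is to see how much sensitive material a name-based sweep would scoop up, and to move or restrict folders whose names advertise their contents.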

About the author: Dissent
