Chris Swagler | May 2nd, 2022

After 18 months of analyzing the PYSA ransomware operation, researchers revealed that the cybercrime cartel follows a five-stage software development cycle in which the malware authors prioritize features that improve workflow efficiency. This workflow includes user-facing tools and a full-text search engine that let operators extract metadata and quickly access victims’ information. According to a recent cybersecurity report, PYSA ransomware operators are known to research high-value targets carefully before launching attacks, compromising companies’ systems and forcing them to pay large ransoms in exchange for data restoration.

PYSA, an abbreviation for “Protect Your System, Amigo” and the Mespinoza ransomware group’s successor, was discovered in December 2019 and was the third most prevalent ransomware strain detected during the fourth quarter of 2021. The ransomware group is believed to have exfiltrated sensitive information of 747 victims until its servers were taken offline in January 2022. The group primarily targeted government, healthcare, and educational sectors within the United States and Europe. Like other ransomware families, PYSA is known to utilize the “big game hunting” approach of double extortion, in which threat actors publicize the stolen information if victims refuse to pay the group’s ransom demands.

All eligible files are encrypted and given a “.pysa” extension. Decrypting them requires the RSA private key, which victims can obtain only after paying the ransom. 58% of PYSA victims made digital payments to recover access to their encrypted documents. The cybersecurity researchers located a publicly available .git folder managed by PYSA operators, and one of the project’s authors was identified as “[email protected]”, a threat actor believed, based on the commit history, to be located in a country that observes daylight saving time.
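The “.pysa” extension described above is the kind of indicator a defender can turn into a detection. The following is an added example written for this article, not code from SpearTip or from the researchers’ report: it parses a constructed, line-oriented file-event log (the log format, process names, file paths and burst threshold are all assumptions for illustration) and raises an alert when a single process renames many files to the “.pysa” extension within a short window, which is the filesystem signature of bulk encryption in progress.

```python
"""Detect bursts of file renames to the ".pysa" extension in file-event logs.

Added example, not from the original article or any PYSA/SpearTip tooling.
Assumed log format (one event per line, constructed for this illustration):
    <ISO timestamp> <process name> RENAME <old path> -> <new path>
Only the ".pysa" extension comes from the article; everything else is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".pysa"               # extension PYSA appends to encrypted files
BURST_THRESHOLD = 5                   # this many .pysa renames by one process ...
BURST_WINDOW = timedelta(seconds=30)  # ... inside this window raises an alert

# Constructed sample telemetry (not real data): one benign rename, one burst of
# six encryptions by a single process, and one isolated rename that should not alert.
SAMPLE_LOG = """\
2022-01-14T03:12:01 explorer.exe RENAME C:\\Users\\a\\Documents\\draft.docx -> C:\\Users\\a\\Documents\\draft-final.docx
2022-01-14T03:15:10 svchost.exe RENAME C:\\Share\\Finance\\q1.xlsx -> C:\\Share\\Finance\\q1.xlsx.pysa
2022-01-14T03:15:11 svchost.exe RENAME C:\\Share\\Finance\\q2.xlsx -> C:\\Share\\Finance\\q2.xlsx.pysa
2022-01-14T03:15:11 svchost.exe RENAME C:\\Share\\Finance\\budget.pdf -> C:\\Share\\Finance\\budget.pdf.pysa
2022-01-14T03:15:12 svchost.exe RENAME C:\\Share\\HR\\payroll.csv -> C:\\Share\\HR\\payroll.csv.pysa
2022-01-14T03:15:13 svchost.exe RENAME C:\\Share\\HR\\contracts.zip -> C:\\Share\\HR\\contracts.zip.pysa
2022-01-14T03:15:14 svchost.exe RENAME C:\\Share\\HR\\notes.txt -> C:\\Share\\HR\\notes.txt.pysa
2022-01-14T04:00:00 backup.exe RENAME D:\\Backups\\old.bak -> D:\\Backups\\old.bak.pysa
"""


def parse_rename(line):
    """Parse one log line into (timestamp, process, old_path, new_path).

    Returns None for lines that are not RENAME events in the assumed format.
    """
    parts = line.strip().split(" ", 3)
    if len(parts) != 4 or parts[2] != "RENAME":
        return None
    old_path, sep, new_path = parts[3].partition(" -> ")
    if not sep:
        return None
    return datetime.fromisoformat(parts[0]), parts[1], old_path, new_path


def pysa_renames(log_text):
    """Yield parsed rename events whose destination carries the .pysa extension."""
    for line in log_text.splitlines():
        event = parse_rename(line)
        if event and event[3].lower().endswith(ENCRYPTED_EXT):
            yield event


def detect_bursts(log_text, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return {process: peak count} for processes that rename at least `threshold`
    files to .pysa within `window`. Uses a per-process sliding window and assumes
    events arrive in chronological order.
    """
    recent = defaultdict(list)  # process -> timestamps of .pysa renames in window
    alerts = {}
    for ts, process, _old, _new in pysa_renames(log_text):
        times = recent[process]
        times.append(ts)
        # Evict renames that have aged out of the window.
        while times and ts - times[0] > window:
            times.pop(0)
        if len(times) >= threshold:
            alerts[process] = max(alerts.get(process, 0), len(times))
    return alerts


if __name__ == "__main__":
    for process, count in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {process} renamed {count} files to {ENCRYPTED_EXT} "
              f"within {BURST_WINDOW.seconds}s")
```

The single rename by `backup.exe` stays below the threshold, so only the `svchost.exe` burst alerts; tuning the threshold and window against normal rename volume on the monitored shares is what keeps this from firing on ordinary activity. In practice the same logic would sit on top of EDR or Sysmon file-create/rename telemetry rather than a text log.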

According to the investigation, 11 accounts oversaw the overall operation, and four of them, named t1, t3, t4, and t5, accounted for over 90% of the group’s management panel activity. Other operational security mistakes by the group’s members allowed a hidden service running on the Tor anonymity network and a hosting provider (Snel.com B.V.) based in the Netherlands to be identified, providing insight into the actors’ tactics. PYSA’s infrastructure includes Dockerized containers for public leak servers, database and management servers, and Amazon S3 cloud storage holding 31.47 TB of encrypted files.

Additionally, a custom leak management panel is used to search for confidential documents in the files exfiltrated from victims’ internal networks before encryption. The panel is written in PHP 7.3.12 using the Laravel framework, with the Git version control system used to manage development. The management panel exposes numerous API endpoints that allow the system to display and download files, auto-generate GIFs, and index files for full-text search. The panel is designed to categorize the stolen victim information into broad groups for easy retrieval.

According to researchers, PYSA is supported by skilled developers who apply modern operational concepts to the group’s development cycle. Rather than a loose network of semi-autonomous threat actors, the evidence suggests a professional environment with well-organized responsibilities. The findings indicate that ransomware groups like PYSA and Conti structure their operations as legitimate software companies, with an HR department to recruit new hires and an “employee of the month” award for tackling difficult challenges.

Understanding the analysis of a ransomware operation and its malicious activities allows companies to stay ahead of the current threat landscape, regularly update security systems, and maintain a meticulously developed incident response plan. At SpearTip, our advisory services allow our certified engineers to discover blind spots in companies that can lead to significant compromises. Our engineers go beyond simple compliance frameworks and examine the day-to-day cyber function within companies. Our tabletop exercises are custom designed to strengthen collaboration among business leaders and promote an understanding of how leadership teams respond to an incident. Furthermore, our ShadowSpear Platform evaluates the effectiveness of current technical controls, allowing the team in our Security Operations Center to hunt for and identify advanced ransomware threats like PYSA ransomware and advanced persistent threats (APTs).

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.