Prodaft researchers provide extensive analysis of Pysa ransomware hacker group

Cyber threat intelligence firm Prodaft released insights into the operations of the Pysa and Mespinoza ransomware groups, gathering the data by detecting and investigating systems used by the Pysa hackers. The group is a manual ransomware operator that focuses exclusively on high-value targets, such as government agencies, educational institutions, and healthcare organizations. It is known to carefully research high-value targets before launching its attacks, forcing organizations to pay large ransoms to restore their data. As a result, it is listed as one of the most advanced ransomware groups that carry out their operations under the radar.

“We started investigating Pysa group around September 2020. Our analysis lasted for 16 months to identify every possible detail of the infrastructure used by the group. Pysa servers were taken offline around Jan-Feb 2022,” Prodaft wrote in its analysis report of the group. Both Pysa and Mespinoza first appeared in late 2019. However, Pysa appears to be the successor to Mespinoza and benefits from a professional development cycle that provides the group with new functionalities regularly, the report added.

Since September 2020, the Pysa team exfiltrated the data from 747 victims to the management panel, according to Prodaft. December 2020 and June 2021 were the most active months, with approximately 90 victims each month. The victim count remained elevated after June 2021, only trailing off at the end of the year. The uptick in activity may coincide with the Pysa team’s development cycle initiatives for enabling full-text search and other useful features. It’s plausible that Pysa’s leaders thought this functionality would give it a competitive edge in the cybercrime marketplace by making it easier for affiliates to operate large-scale attack campaigns, according to the analysis report.

“Pysa released the confidential files of 309 victims in their public leak server, and we detected 747 victims in their management panel,” Prodaft said. “According to the findings, we can roughly calculate the success (ransom/payment) ratio of the ransomware gang, which is around 58%. Notwithstanding, the ratio raises intriguing questions regarding the nature and extent of the cybercriminal’s motivations. Further studies, which take these variables into account, will need to be undertaken,” it added.

Despite a generally competent development approach, the group made operational security mistakes that exposed some infrastructure elements to the company’s threat intelligence team, which capitalized on them to research the group and publish highly sensitive data on its technologies and internal operations.

The Pysa team deploys and manages several dockerized containers to scale their infrastructure, including public leak servers, databases, and management servers. These containers are connected via internal networking on the same dedicated server, Prodaft said. “Since December 2021, they have been deploying new management servers in order to address scalability issues. Under this system, each threat actor is assigned a different management server. The team uses external work queues like Amazon Simple Queue Service (SQS) to manage the workflow assigned to each individual. Simple deployment scripts have been observed, allowing threat actors to deploy new management panels instantly,” it added.

Prodaft said it is surprising that the Pysa team utilized Amazon S3 cloud infrastructure to store their encrypted files. “The group’s Amazon account was created on 18.09.2020 and the bucket dates to 21.09.2020. This bucket contains 31.47TB of encrypted data belonging to victims. The system performs stream encryption and decryption services on the Amazon S3 cloud whenever someone requests a file belonging to a victim. This request is made through a hidden onion server using a FileVault package,” the analysis added.

After ransom negotiations finish, many victims request proof of file deletion, Prodaft observed. “Pysa can automatically generate a GIF animation file that shows the stolen file paths being deleted. Once the ransom is paid, Pysa threat actors generate this animation and send it to victims along with the decryption software,” it added.

Prodaft said that, despite the obvious reassurance the GIF offers victims, it is an illusion. “The Pysa team cannot delete the stolen files as shown in the animation. The Pysa team is free to use and reuse victim’s data as often as it feels necessary, and can even retarget victims using the data it claims to have deleted. This is important because Pysa is known to use double extortion tactics against victims,” it added.

The firm also identified that the Pysa team uses SMB links in their system to exfiltrate victim data from internal networks. “While most links are proxy or relay servers, some point directly to the victim’s infrastructure. Upon filling the expected inputs, the system executes asynchronous tasks to pull files from the link using the SMB protocol. The project ID field represents the victim’s unique ID, which is set manually by attackers. The team also uses a token value to authorize its affiliates. These function in a way similar to conventional API authorization keys,” the analysis added.
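The SMB-based data pulls described above are the kind of activity a defender can look for in connection logs: SMB (TCP/445) sessions where one endpoint is outside the organization's own address space, weighted by how many bytes left the network. The script below is an added example written for this article, not code from Prodaft or from the report; it assumes a simplified CSV connection-record format (timestamp, source IP and port, destination IP and port, protocol, bytes sent by the originator, bytes sent by the responder), an assumed list of "internal" ranges, and an assumed 10 MiB alerting threshold. The sample log lines are constructed.

```python
"""Flag SMB sessions with an external peer and total the bytes that left the network.

Added example for this article (not Prodaft's code). Assumptions: CSV records of the
shape ts,src_ip,src_port,dst_ip,dst_port,proto,orig_bytes,resp_bytes; RFC 1918 plus
loopback as "internal"; a 10 MiB per-peer threshold that would be tuned per environment.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

SMB_PORT = 445
BYTES_THRESHOLD = 10 * 1024 * 1024  # 10 MiB per external peer (assumed tuning value)

# Ranges treated as inside the organization (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FIELDS = ["ts", "src_ip", "src_port", "dst_ip", "dst_port", "proto", "orig_bytes", "resp_bytes"]

# Constructed sample records: one normal internal share access, two outbound SMB
# connections to an external host, one inbound SMB session from an external host,
# and one unrelated HTTPS flow.
SAMPLE_LOG = """\
1641000001,10.0.5.12,51234,10.0.5.2,445,tcp,1200,8400
1641000002,10.0.5.12,51240,203.0.113.77,445,tcp,52428800,2100
1641000003,10.0.5.40,51300,203.0.113.77,445,tcp,31457280,1800
1641000004,198.51.100.9,40001,10.0.5.12,445,tcp,900,104857600
1641000005,10.0.5.12,51999,10.0.5.3,443,tcp,500,700
"""


def is_external(ip: str) -> bool:
    """True when the address falls outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def smb_sessions_with_external_peer(log_text: str) -> List[dict]:
    """Return SMB sessions where exactly one endpoint is external, annotated with
    the external peer, the direction, and the byte count that left the network."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        if row["proto"] != "tcp":
            continue
        if SMB_PORT not in (int(row["src_port"]), int(row["dst_port"])):
            continue
        src_ext, dst_ext = is_external(row["src_ip"]), is_external(row["dst_ip"])
        if src_ext == dst_ext:  # both inside (ordinary file sharing) or both outside
            continue
        if dst_ext:
            # Internal host connected out to an external SMB server: what it sent left the network.
            peer, bytes_out, direction = row["dst_ip"], int(row["orig_bytes"]), "outbound"
        else:
            # External host connected in to an internal share: the share's responses left the network.
            peer, bytes_out, direction = row["src_ip"], int(row["resp_bytes"]), "inbound"
        hits.append({"ts": row["ts"], "peer": peer, "direction": direction, "bytes_out": bytes_out})
    return hits


def bytes_out_per_peer(sessions: List[dict]) -> Dict[str, int]:
    """Sum the outbound byte counts per external peer."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s["peer"]] += s["bytes_out"]
    return dict(totals)


def flag_peers(log_text: str, threshold: int = BYTES_THRESHOLD) -> List[Tuple[str, int]]:
    """External SMB peers that received at least `threshold` bytes, largest first."""
    totals = bytes_out_per_peer(smb_sessions_with_external_peer(log_text))
    return sorted(((p, b) for p, b in totals.items() if b >= threshold),
                  key=lambda pb: pb[1], reverse=True)


if __name__ == "__main__":
    for peer, total in flag_peers(SAMPLE_LOG):
        print(f"{peer}: {total / 2**20:.1f} MiB of SMB data left the network")
```

Both directions matter here: the report notes that some of the group's SMB links are proxies or relays while others point straight at the victim's infrastructure, so a rule that only watches outbound connections to port 445 would miss the inbound case where an external host authenticates to an internal share and the share's responses carry the data out. Egress filtering of SMB at the perimeter removes the outbound case entirely and is the usual mitigation.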

Prodaft identified 11 active users representing individual threat actors with different privilege levels in the management system. Each one is responsible only for its victims (so-called projects), and only admin users can access another user’s content. “On the other hand, we detected the Faker 5 library in the source code, which can produce fake email addresses. As a result, we are highly skeptical of the validity of the email addresses provided. We do not have further evidence suggesting that these email addresses belong to real accounts,” it added.

The report also provided a technical analysis of Pysa’s ransomware encryption and decryption executables.

Prodaft concluded that Pysa is capable of highly destructive ransomware attacks on critical infrastructure organizations, using a ‘big game hunting’ approach to extort large enterprises into paying immense ransoms quickly. The PTI Team’s research offers a rare glimpse at how the group’s techniques, tactics, and procedures enable it to achieve its goals. More importantly, the gang does not delete the files even after receiving the ransom money.

Unlike highly automated threats that target huge numbers of victims simultaneously, Pysa is a highly manual ransomware operator that focuses exclusively on high-value targets, the firm said. The group’s development cycle greatly prizes automation and workflow efficiency and has actively invested in improving its capabilities.

“Its development team even created user-friendly tools like a full-text search engine to facilitate highly scalable automated workflows,” according to Prodaft. “Most ransomware gangs like Pysa use a double-extortion technique against their victims, and the victim’s data is both exfiltrated and encrypted. Almost 58% of the Pysa victims paid the ransom, which presents the danger of this common technique,” it added.

In January, the U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned healthcare and public health sector organizations about the ‘Mespinoza’ cybercriminal group, also known as Gold Burlap and Cyborg Spider. The group is said to operate Pysa ransomware, among other cyber weapons, and has been active since 2018, with a history of targeting many industries, including healthcare; it continues to develop its capabilities and increase its targeting frequency.

Last March, the Federal Bureau of Investigation (FBI) issued a FLASH alert stating that its reporting indicated an increase in Pysa ransomware targeting education institutions in 12 U.S. states and the U.K. The agency said that the Pysa malware was capable of exfiltrating data and encrypting users’ critical files and data stored on their systems.
