Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label PRODAFT. Show all posts

PYSA Ransomware Group: Experts Share In-Depth Details

 

Since August 2020, the cybercrime group adopted a five-stage system design, with the malware developers prioritizing enhancements to boost the efficiency of its activities, according to an 18-month examination of the PYSA ransomware operation. The GSOC explores the PYSA ransomware inside this Threat Analysis Report. Once the Federal Bureau of Investigation (FBI) informed of the ransomware's increased activity and significant harmful impact early this year, it became known as the PYSA ransomware. 

This includes a user-friendly tool, such as a full-text search engine, to make metadata extraction easier and allow threat actors to easily locate and access victim information. "The group is notorious for thoroughly researching high-value targets before unleashing its operations, compromising business systems, and forcing researchers to pay significant ransoms to retrieve sensitive data," stated PRODAFT, a Swiss cybersecurity firm, in a comprehensive report released last week. 

PYSA, which stands for "Protect Your System, Amigo" and is a descendant of the Mespinoza ransomware, was initially discovered in December 2019 and has since risen to become the third most common ransomware strain reported in the fourth quarter of 2021. The cybercriminal cell is thought to have exfiltrated confidential info linked to as many as 747 individuals since September 2020, until its databases were taken down earlier this January. 

The majority of its victims are in the United States and Europe, and the gang primarily targets the federal, medical, and educational sectors. "The United States was the most-affected country, contributing for 59.2 percent of all PYSA occurrences documented," Intel 471 stated in a review of ransomware assaults observed from October to December 2021. PYSA, like all other malware attacks, is renowned for using the "big game hunting" method of double ransom, which involves making the stolen data public if the victim refuses to comply with the firm's demands. 

Every relevant key is encrypted and assigned the ".pysa" extension, which can only be decoded with the RSA private key given after paying the fee. PYSA victims are claimed to have paid about 58 percent in digital payments to get access to protected data. PRODAFT was able to find a publicly accessible. git folder owned by PYSA operators and designated one of the project's writers as "dodo@mail.pcc," a danger actor based on the commit history thought to be situated in a country that observes daylight savings time.

As per the study, at least 11 accounts are in control of the whole operation, the mass of which was formed on January 8, 2021. However, four of these accounts — t1, t3, t4, and t5 — account for approximately 90% of activity on the management panel of the company. Other operational security failures committed by the group's members allowed a concealed system running on the TOR secrecy network — a server provider (Snel.com B.V.) based in the Netherlands — to be identified, providing insight into the actor's techniques. PYSA's infrastructure also includes dockerized containers for global leak servers, database servers, administrative servers, and an Amazon S3 cloud for storing the files, which total 31.47TB.

The panel is written in PHP 7.3.12 by using the Laravel framework and uses the Git version monitoring system to oversee the development process. Furthermore, the admin panel exposes several API endpoints that allow the system to display files, auto-generate GIFs, and scan data, which is used to group stolen victim data into broad categories for simple retrieval. Several or more potential threat groups spent nearly five months within the system of an undisclosed regional US government agency before delivering the LockBit ransomware malware at the start of the year, as per research from cybersecurity firm Sophos.

PRODAFT Accessed Servers of a SolarWinds Hacker

 

A Swiss cybersecurity firm says it has accessed servers utilized by a hacking group attached to the SolarWinds breach, uncovering details concerning who the attackers targeted and how they did their operation. The firm, PRODAFT, likewise said the hackers have proceeded with their campaign as the month progressed. 
PRODAFT, Proactive Defense Against Future Threats, is a cybersecurity and cyber intelligence organization providing solutions for business clients and government establishments.

PRODAFT researchers said they were able to break into the hackers' computer infrastructure and audit-proof of an enormous campaign between August and March, which targeted a great many organizations and government associations across Europe and the U.S. The point of the hacking group, named SilverFish by the researchers, was to keep an eye on victims and steal information, as per PRODAFT's report. SilverFish did an “extremely sophisticated” cyber-attack on at least 4,720 targets, including government organizations, worldwide IT providers, many banking establishments in the U.S. and EU, major auditing firms, one of the world's leading Covid-19 test kit makers, and aviation and defense companies, as per the report. 

SilverFish is centered around network reconnaissance and information exfiltration and utilizes an assortment of software and scripts for both initial and post-exploitation activities. These incorporate promptly accessible tools like Empire, Cobalt Strike, and Mimikatz, as well as customized rootkits, PowerShell, BAT, and HTA files. Prodaft says that SilverFish attackers tend to follow specific standards of conduct while specifying domains, including running orders to list domain controllers and trusted domains, as well as displaying stored credentials and admin user accounts. 

Scripts are then dispatched for post-exploit reconnaissance and information theft exercises. Hacked, legitimate domains are here and there used to reroute traffic to the C2. "The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks," the company says.

"SilverFish are still using relevant machines for lateral movement stages of their campaigns," the company added. "Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group's presence on their networks."