A PowerShell script has revealed what types of data the Pysa ransomware group steals during its operations. The script was created to scan drives for data folders that match specific keywords so that the data in them can be stolen.

The keywords listing technique

According to MalwareHunterTeam, there is a list of 123 keywords that has become a cause of concern for security professionals.
  • The list gives an idea of which kinds of organizations the attackers may target for which types of data, and vice versa.
  • The PowerShell script looks for files related to financial firms or personal details, such as login credentials, audit, tax forms, social security numbers, SEC filings, banking, and student information.
  • Some of the keywords are aimed at stealing data from folders related to investigations, crime, fraud, federal, hidden, bureau, illegal, terror, and secret.
  • Additionally, attackers could also perform a manual sweep of data.

Conti group follows suit

Pysa ransomware is not the only one looking for some specific files after infiltrating a network. There is another prominent ransomware, Conti, which was discovered using specific keywords to search for targeted files.
  • A month ago, a Conti partner leaked the training material for the ransomware operation. It revealed that some specific keywords are being used to steal certain types of data.
  • Some of these keywords are identified as cyber, policy, insurance, endorsement, supplementary, underwriting, terms, bank, 2020, 2021, statement. When files related to these keywords are discovered, they are uploaded to the Mega file hosting service.


Using specific keywords to identify certain data shows how threat actors have evolved their techniques when it comes to data theft attacks. As a countermeasure, organizations can attempt to modify folder names to avoid the keywords mentioned in the list. Furthermore, organizations should apply adequate security measures to protect their sensitive data and consider taking a backup to mitigate damages.
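To support the folder-renaming countermeasure described above, the following added example (not code from Pysa, Conti, MalwareHunterTeam or this article's author) checks an exported folder inventory against the keywords named in this article and reports which folder names would match. Case-insensitive substring matching and the sample paths are assumptions; the full 123-entry list is not reproduced in the article, so only the terms it names are used.

```python
import re
from pathlib import PureWindowsPath

# Only the keywords named in the article; the full 123-entry Pysa list is not included.
# "investigation" is used as the stem of the article's "investigations".
PYSA_TERMS = ["audit", "tax", "banking", "student", "investigation", "crime",
              "fraud", "federal", "hidden", "bureau", "illegal", "terror", "secret"]
CONTI_TERMS = ["cyber", "policy", "insurance", "endorsement", "supplementary",
               "underwriting", "terms", "bank", "2020", "2021", "statement"]

def build_matcher(terms):
    # Longest alternatives first, so "banking" is reported rather than "bank".
    ordered = sorted(set(terms), key=len, reverse=True)
    return re.compile("|".join(re.escape(t) for t in ordered), re.IGNORECASE)

def audit_folders(paths, terms):
    """Map each path to the sorted keywords found in any of its folder names.

    Assumption: matching is a case-insensitive substring test, the broadest
    reasonable reading, so the audit over-reports rather than under-reports.
    """
    matcher = build_matcher(terms)
    findings = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        # Skip the drive or UNC share anchor; only folder names are checked.
        parts = p.parts[1:] if p.anchor else p.parts
        hits = set()
        for part in parts:
            hits.update(m.group(0).lower() for m in matcher.finditer(part))
        if hits:
            findings[raw] = sorted(hits)
    return findings

# Constructed sample inventory (hypothetical paths, not taken from any real network).
SAMPLE_INVENTORY = [
    r"D:\Shares\Finance\Tax Returns 2021",
    r"D:\Shares\HR\Onboarding",
    r"\\fs01\dept\Legal\Fraud Investigation",
    r"D:\Shares\Risk\Cyber Insurance Policy",
    r"D:\Shares\Engineering\Builds",
]

if __name__ == "__main__":
    report = audit_folders(SAMPLE_INVENTORY, PYSA_TERMS + CONTI_TERMS)
    # Folders with the most keyword hits are the first candidates for review.
    for path, hits in sorted(report.items(), key=lambda kv: -len(kv[1])):
        print(f"{len(hits)} hit(s)  {path}  ->  {', '.join(hits)}")
```

Folders that appear in the report are the ones to review for renaming, tighter access control and backup coverage.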

Cyware Publisher