In the past few weeks, ransomware gangs have had data of their own leaked, giving insight into their operations.
The Conti group had a set of tools and training documents leaked onto a Russian-language forum. These describe the group's processes, which defenders can use to help detect its activity.
More recently, security researchers obtained a PowerShell script belonging to the Pysa group. The script performs initial reconnaissance on victims' networks and shows the types of data that Pysa is most interested in targeting.
This data can be used to build detections against these groups’ activity.
Indicators of Compromise
The targeting scripts included with both leaks focus on financial information. Search terms such as "billing", "payment" or "payroll" would surface particularly sensitive information that a victim would want to keep private; the same data could also be used for fraud if the victim does not pay the ransom.
The Conti targeting includes insurance and policy documents, which suggests the group may be particularly interested in companies with cyber insurance, as this can be an indicator that a company is more likely to pay a ransom.
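The following is an added example of how a defender might turn the search terms described above (the financial terms and the insurance and policy terms) into a simple detection over PowerShell script-block log text. It is not code from the leaked scripts or from the article. The pairing of those terms with file-enumeration cmdlets such as Get-ChildItem and Select-String is an assumption made for this example, and the sample log lines are constructed, not real Pysa or Conti content.

```python
import re
from dataclasses import dataclass

# Search terms taken from the article: financial terms plus the insurance
# and policy terms noted in the Conti targeting.
SENSITIVE_TERMS = ("billing", "payment", "payroll", "insurance", "policy")

# File-enumeration markers. Assumption for this example: a reconnaissance
# script that hunts for documents will combine these with the terms above.
ENUM_MARKERS = ("get-childitem", "-recurse", "select-string", "findstr")


@dataclass
class Finding:
    line_no: int          # 1-based index of the script block in the log
    terms: tuple          # sensitive terms seen in the block
    markers: tuple        # enumeration markers seen in the block
    score: int            # combined risk score


def score_script_block(text):
    """Return (terms, markers, score) for one logged script block.

    Each sensitive term contributes 2 points; the presence of any
    enumeration marker adds 3, so a single keyword in an unrelated
    command (e.g. a status message) stays below the alert threshold.
    """
    lower = text.lower()
    terms = tuple(t for t in SENSITIVE_TERMS if t in lower)
    markers = tuple(m for m in ENUM_MARKERS if m in lower)
    score = len(terms) * 2 + (3 if markers else 0)
    return terms, markers, score


def scan_script_blocks(blocks, threshold=5):
    """Scan a list of script-block texts and return the blocks that reach
    the threshold, as Finding objects."""
    findings = []
    for i, block in enumerate(blocks, 1):
        terms, markers, score = score_script_block(block)
        if score >= threshold:
            findings.append(Finding(i, terms, markers, score))
    return findings


# Constructed sample script-block text, as it might appear in a PowerShell
# script-block log. These are illustrative only, not real attacker commands.
SAMPLE_BLOCKS = [
    'Get-ChildItem -Path \\\\fileserver\\finance -Recurse | '
    'Where-Object { $_.Name -match "billing|payment|payroll" }',
    'Get-Service -Name Spooler',
    'Select-String -Path C:\\Users\\*\\Documents\\*.docx '
    '-Pattern "insurance|policy" -List',
    'Write-Host "payroll processed"',
]


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_BLOCKS):
        print(f"block {f.line_no}: score={f.score} "
              f"terms={f.terms} markers={f.markers}")
```

Run against the constructed sample, blocks 1 and 3 are reported (enumeration cmdlet plus several sensitive terms) while block 4, which merely mentions "payroll" in a status message, stays below the threshold. In practice the term list and threshold would be tuned against a baseline of the organisation's own administrative scripts to keep false positives manageable.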