# PYSA (Mespinoza) In-Depth Analysis

### Contents

- References
- 1 Introduction
- 2 Executive Summary
- 3 Technical Analysis
  - 3.1 Public Leak Server
    - 3.1.1 Git Repository Analysis
    - 3.1.2 De-anonymizing TOR Hidden Service
  - 3.2 Leak Management Interface
    - 3.2.1 Development Activity
    - 3.2.2 Source Code Analysis
    - 3.2.3 Full-text Search Interface
    - 3.2.4 Infrastructure
    - 3.2.5 Encrypted Cloud Storage
    - 3.2.6 Auto-GIF Generation
    - 3.2.7 Data Exfiltration via SMB Links
    - 3.2.8 Users
  - 3.3 Ransomware Software
    - 3.3.1 Encryption
    - 3.3.2 Decryption
- 4 Statistics and Observations
  - 4.1 Victim Statistics
  - 4.2 Threat Actor Activity
  - 4.3 Author Profiling and Linguistic Evidence
    - 4.3.1 Grammaticality
    - 4.3.2 Unnatural Statements
    - 4.3.3 Syntax
- 5 Conclusion
- 6 IOC
  - 6.1 Leak Management Infrastructure
  - 6.2 Public Leak Servers

DISCLAIMER: This document and its contents shall be deemed as proprietary and privileged information of PRODAFT and shall be subjected to articles and provisions that have been stipulated in the General Data Protection Regulation and Personal Data Protection Law No. 6698. It shall be noted that PRODAFT provides this information "as is" according to its findings, without providing any legally applicable warranty regarding completeness or accuracy of the contents. Therefore neither this report

| Reference Number | CH-2022041101 |
|---|---|
| Prepared By | PTI Team |
| Investigation Date | 25.09.2020 - 15.01.2022 |
| Initial Report Date | 27.09.2020 |
| Last Update | 11.04.2022 |

### 1 Introduction

The group behind PYSA ransomware has earned notoriety for targeting government agencies, educational institutions, and the healthcare sector. The group is known to research high-value targets carefully before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data. It is regarded as one of the more advanced ransomware groups and has kept its operations largely off the radar. The PRODAFT Threat Intelligence team detected and gained visibility into PYSA's ransomware infrastructure and analyzed its findings to gain insight into how the criminal operation works.
This report contains some of the latest information on how this destructive cybercriminal syndicate operates and provides security professionals with crucial insight into detecting and mitigating the risk of attacks like PYSA's. It also contains surprising information about the sophistication of PYSA's development cycle and its dedication to providing threat actors with new features and functionality.

PYSA is a ransomware variant related to the well-known Mespinoza ransomware; threat intelligence professionals widely believe that the same group of individuals is behind both. The PTI team has gained visibility into many parts of the group's ransomware infrastructure, including its public leak server and its internal management panel. These insights will help high-value government, education, and healthcare targets protect their systems against attacks that rely on PYSA's techniques and technologies.

We started investigating the PYSA group around September 2020. Our analysis lasted 16 months, with the aim of identifying every possible detail of the infrastructure used by the group. PYSA servers were taken offline around January-February 2022. Reports made public by our PTI team go through careful review phases before release. We are publishing this report only now to help other critical sectors prepare for similar attacks in the future and to provide insight into the methods used by the gang.

Please note that this report has two versions. The "Private Release" is provided to law enforcement agencies, applicable CERTs / CSIRTs, and members of our U.S.T.A. Threat Intel Platform (with appropriate annotations and redactions). The "Public Release" is publicly disseminated for the purpose of advancing the global fight against high-end threat actors and APTs.
### 2 Executive Summary

This report contains threat intelligence insight into how the cybercriminal syndicate behind PYSA and Mespinoza operates. The PRODAFT Threat Intelligence team gathered this data by detecting and investigating systems used by PYSA threat actors. Despite a generally competent development approach, PYSA threat actors made operational security mistakes that exposed parts of their infrastructure to our threat intelligence team. We capitalized on these mistakes to research the group and publish highly sensitive data on its technologies and internal operations.

Both PYSA and Mespinoza first appeared in late 2019. PYSA appears to be the successor to Mespinoza and benefits from a professional development cycle that provides the group with new functionality on a regular basis. Our team has identified a five-stage cycle in PYSA's activity starting from August 2020:

**Figure 1. Timeline of PYSA's activity** (the figure is reconstructed here as a list):

- Stage 1, 08.08.2020: Initial commit for the public leak site. Primitive data handling.
- Stage 2, 18.09.2020: Initial project development. Amazon account creation.
- Stage 3, 25.09.2020: External storage. First production-ready release. Active development started.
- Stage 4, 2021: Full-text search capabilities. SMB relays / proxies. Stream encryption/decryption.
- Stage 5, 13.01.2022: Last operator activity. End of development. Server termination.

This timeline shows that PYSA threat actors kept developing their capabilities periodically for roughly seventeen months, from August 2020 to January 2022. Some of the group's most interesting developments (such as the full-text search capability) coincide with periods of high-intensity activity, when the group attacked up to 90 different victims per month. This data is shown in greater detail in the following sections, which break PYSA's operations down into their technical components and offer behind-the-scenes insight into how the ransomware group structured its organization.

### 3 Technical Analysis

This section describes the PYSA team's technical capabilities, including its public leak server and its management system. The public leak server hosts the victim data PYSA releases when its demands are not met; the management system brings new details of the group's operations to light. While the PTI team gained visibility into many parts of PYSA's infrastructure, some elements of the group's operational environment remain hidden. These are excellent candidates for further research in the threat intelligence community, and we encourage other researchers to follow our tracks and discover more about PYSA's inner workings. PRODAFT maintains a CIN [1] program for TI companies to collaborate on complex cases. The details of the program can be found on our webpage.
#### 3.1 Public Leak Server

If PYSA victims refuse to comply with the group's demands, the PYSA team publishes confidential victim data on a public leak server (Figure 2). PYSA has deployed several hidden onion services to host this content:

- na47pldl5eoqxt42.onion
- wqmfzni2nvbbpk25.onion
- pysa2bitc5ldeyfak4seeruqymqs4sj5wt5qkcq7aoyg4h2acqieywad.onion

**Figure 2. Public leak server of PYSA.**

[1. https://www.prodaft.com/partners/cin-network](https://www.prodaft.com/partners/cin-network)

**3.1.1 Git Repository Analysis**

One of our investigation's most important findings is a publicly accessible .git folder on a server managed by PYSA operators. This is an obvious operational security mistake that is nonetheless common among cybercriminals: deploying a web root straight from a git working copy exposes the whole repository, history included, to anyone who requests the .git path. Our team found sufficient evidence that this public folder is not an intentional decoy, but a genuine artefact forgotten by a careless PYSA team member. Anyone can access the forgotten folder's URL and extract the files in the repository to verify our findings. We encourage security researchers to use GitTools [2] or similar software to dump this folder and review the data; its Dumper recovers a repository even when directory listing is disabled, by walking HEAD, the refs and the object references they contain. The PTI team was also able to obtain the commit history associated with the author's account. For simplicity, we have arranged this data in Table 1.
| Date | Author | Comment |
|---|---|---|
| Sun Dec 27 23:06:01 2020 UTC+1 | dodo@mail.pcc | timer removed |
| Sat Dec 26 02:42:20 2020 UTC+1 | dodo@mail.pcc | added timer |
| Sat Nov 14 01:41:13 2020 UTC+1 | dodo@mail.pcc | announement fix |
| Sat Nov 14 00:37:18 2020 UTC+1 | dodo@mail.pcc | announcement |
| Wed Sep 16 13:14:26 2020 UTC+2 | dodo@mail.pcc | Teka && 2 |
| Sun Sep 13 11:21:32 2020 UTC+2 | dodo@mail.pcc | Assured - CFC |
| Fri Sep 11 11:55:37 2020 UTC+2 | dodo@mail.pcc | Monty-Lindenwold added |
| Sun Sep 6 00:59:12 2020 UTC+2 | dodo@mail.pcc | Menu fix |
| Sat Sep 5 18:11:26 2020 UTC+2 | dodo@mail.pcc | IVCC, WSMIND, Alliance |
| Fri Aug 28 15:18:08 2020 UTC+2 | dodo@mail.pcc | Added Marselle and 2 other; dates added |
| Wed Aug 19 16:06:13 2020 UTC+2 | dodo@mail.pcc | MCLINC and XPress added |
| Sat Aug 8 10:14:59 2020 UTC+2 | dodo@mail.pcc | Upload script added |
| Sat Aug 8 09:56:19 2020 UTC+2 | dodo@mail.pcc | OrthoAtlanta and Q3 added |
| Sat Aug 8 09:22:56 2020 UTC+2 | root@server.domain.com | Initial |

**Table 1. Excerpt of commit history extracted from the git repository.**

Upon analysis, the PTI team identified the project author as dodo@mail.pcc. The domain mail.pcc is not a resolvable domain; when user.email is left unconfigured, git falls back to user@hostname, so this value most likely represents the hostname of the committer's machine rather than a real mailbox. The commit metadata provides additional insight into internal PYSA operations. For example, the UTC offset recorded in the commits changes from UTC+2 to UTC+1 between 16 September and 14 November 2020. This matches the end of daylight saving time in Europe, when CEST (UTC+2) reverted to CET (UTC+1) on 25 October 2020, and suggests the author's machine is set to a time zone that observes daylight saving, most plausibly Central European Time. Note that git records this offset from the local system clock, so it reflects the committer's configuration rather than anything independently verifiable.

[2. https://github.com/internetwache/GitTools](https://github.com/internetwache/GitTools)
Torify [3] allows users to run applications over the Tor network without native Tor support. As Figure 3 shows, it plays a central role in the deployment of PYSA's management panel and public leak website. While convenient from a usability point of view, torifying an application has important operational security implications: the process still runs on a machine with a public IP address, and any identifier it exposes on both sides can be used to tie the hidden service to that host.

**Figure 3. Torify usage in the deployment script.**

**3.1.2 De-anonymizing TOR Hidden Service**

Tor hidden services (onion services) are reachable only through their unique ".onion" addresses. The architecture of the Tor network makes monitoring their traffic and identifying the IP addresses that host them very difficult.
Although the Tor architecture is a considerable obstacle, hidden services can still be identified when threat actors make infrastructural and operational security mistakes. In PYSA's case, our team benefited from such mistakes and located the machine behind the group's hidden service. It resides with a hosting provider, Snel.com B.V., located in the Netherlands.

To detect ransomware activity and notify the relevant authorities, we have actively monitored all server migrations associated with PYSA assets since September 2020. Their infrastructure includes hidden services, management panels, monitoring systems and a development environment, all of which apparently reside in a single data center (Snel.com B.V.). Table 2 lists the management servers identified by the PTI team.

| IP | Country | ISP | First Seen |
|---|---|---|---|
| 193.34.167.230 | Netherlands | Snel.com B.V. | September 2020 |
| 193.34.166.92 | Netherlands | Snel.com B.V. | December 2020 |
| 193.34.167.240 | Netherlands | Snel.com B.V. | July 2021 |
| 193.34.166.181 | Netherlands | Snel.com B.V. | November 2021 |
| 193.34.166.189 | Netherlands | Snel.com B.V. | November 2021 |
| 193.34.166.214 | Netherlands | Snel.com B.V. | December 2021 |
| 193.34.166.165 | Netherlands | Snel.com B.V. | December 2021 |

**Table 2. Management servers of PYSA.**

[3. https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO](https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorifyHOWTO)
**Figure 4. Relationship between the hidden service and public IP address.**

To corroborate the attribution, we compared unique URLs and package contents served by the clearnet host with those served by the hidden service. For example, a UUID obtained from 193.34.166.92 is also reachable as a download URL on PYSA's public leak server, as shown in Figure 4. Because the public download route is keyed on a per-file UUID (see Table 4), a value that appears on both hosts is strong evidence that they are backed by the same application and data.

#### 3.2 Leak Management Interface

PYSA threat actors use a custom leak management system to quickly find confidential documents among the files exfiltrated from victims' internal networks. The system (Figure 5) allows users to search for these files by extension, file name, and content.

**Figure 5. Index page of the victim (project) management.**

Since the beginning of our investigation, we observed numerous usability updates to PYSA's systems.
This suggests that the group is supported by competent developers who apply modern operational paradigms to its development cycle. This unexpected finding tells a different story about ransomware gangs than the one the cybersecurity industry is used to: it suggests a professional environment with a well-organized division of responsibilities, rather than a loose network of semi-autonomous threat actors.

**3.2.1 Development Activity**

The PYSA team uses the Git [4] version control system to manage development of the management panel. Figure 6 shows that they developed the system continuously, despite occasional interruptions.

**Figure 6. Development activity of the threat actors.**

Table 3 shows the commit history extracted from the git repository of the management system. The author field reads "Your Name", the placeholder git uses when user.name has never been configured, so this repository carries no author identity at all. The first commit was made on September 25th, 2020, at 04:42 in a UTC-6 zone, i.e. early in the morning somewhere in the Americas. We note that US Central Time was on daylight saving time (UTC-5) on that date, so a UTC-6 offset points either to a zone that does not observe daylight saving or simply to the committing machine's configured clock, which the author controls. The offset does not match the UTC+2/UTC+1 offsets in Table 1. A possible explanation is that the development team includes more than one person, with individuals in different time zones responsible for different parts of the project.
| Date | Author | Comment |
|---|---|---|
| Sat Sep 26 00:02:24 2020 UTC-6 | Your Name | view3 |
| Sat Sep 26 00:00:57 2020 UTC-6 | Your Name | view3 |
| Fri Sep 25 23:59:50 2020 UTC-6 | Your Name | view2 |
| Fri Sep 25 23:57:53 2020 UTC-6 | Your Name | view2 |
| Fri Sep 25 23:56:17 2020 UTC-6 | Your Name | view |
| Fri Sep 25 22:26:23 2020 UTC-6 | Your Name | t |
| Fri Sep 25 21:31:13 2020 UTC-6 | Your Name | x |
| Fri Sep 25 21:02:06 2020 UTC-6 | Your Name | n |
| Fri Sep 25 20:59:10 2020 UTC-6 | Your Name | p |
| Fri Sep 25 20:57:23 2020 UTC-6 | Your Name | 2 |
| Fri Sep 25 20:55:29 2020 UTC-6 | Your Name | 1 |
| Fri Sep 25 20:52:57 2020 UTC-6 | Your Name | s |
| Fri Sep 25 20:51:43 2020 UTC-6 | Your Name | add |
| Fri Sep 25 04:42:31 2020 UTC-6 | Your Name | init |

**Table 3. Non-exhaustive list of commits extracted from the git repository.**

[4. https://git-scm.com/](https://git-scm.com/)
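The commit-offset analysis behind Table 1 and Table 3 rests on the author line of each git commit object, which a dumper such as GitTools recovers from an exposed .git folder. The following script is an added example written for this report (it is not PRODAFT's tooling nor anything from PYSA's repositories). It writes constructed commit objects into a throwaway loose-object store, with dates and offsets mirroring the two tables, then inflates them, verifies the object hash, parses the author line and reports, per author, which UTC offsets they committed with. The e-mail you@example.com, the tree hash, and the commit contents are assumptions; the page shows only the author name "Your Name".

```python
"""Recover commit metadata from a .git object store and profile author UTC offsets.

Added example, not code from the report or from PYSA. Sample commits are
constructed to mirror Tables 1 and 3; you@example.com is assumed.
"""
import hashlib
import os
import re
import tempfile
import zlib
from datetime import datetime, timedelta, timezone

AUTHOR_RE = re.compile(r"^author (.+?) <([^>]*)> (\d+) ([+-]\d{4})$", re.M)
PARENT_RE = re.compile(r"^parent ([0-9a-f]{40})$", re.M)
EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree


def make_commit(parent, name, email, when, message):
    """Serialise a commit exactly as git stores it: 'commit <len>\\0<body>', zlib-deflated."""
    stamp = f"{name} <{email}> {int(when.timestamp())} {when.strftime('%z')}"
    body = f"tree {EMPTY_TREE}\n" + (f"parent {parent}\n" if parent else "")
    body += f"author {stamp}\ncommitter {stamp}\n\n{message}\n"
    data = body.encode()
    store = b"commit %d\0" % len(data) + data
    return hashlib.sha1(store).hexdigest(), zlib.compress(store)


def write_loose(git_dir, sha, blob):
    d = os.path.join(git_dir, "objects", sha[:2])
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, sha[2:]), "wb") as fh:
        fh.write(blob)


def read_loose(git_dir, sha):
    """Inflate a loose object and validate header and hash before trusting its content."""
    with open(os.path.join(git_dir, "objects", sha[:2], sha[2:]), "rb") as fh:
        store = zlib.decompress(fh.read())
    if hashlib.sha1(store).hexdigest() != sha:
        raise ValueError(f"object {sha} does not match its content hash")
    header, _, body = store.partition(b"\0")
    kind, size = header.split()
    if kind != b"commit" or int(size) != len(body):
        raise ValueError(f"object {sha} is not a well-formed commit")
    return body.decode("utf-8", "replace")


def parse_commit(text):
    """Extract author, e-mail, the recorded UTC offset and the local commit time."""
    name, email, ts, tz = AUTHOR_RE.search(text).groups()
    sign = 1 if tz[0] == "+" else -1
    offset = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    parent = PARENT_RE.search(text)
    return {"name": name, "email": email, "offset": tz,
            "local_time": datetime.fromtimestamp(int(ts), tz=offset),
            "parent": parent.group(1) if parent else None,
            "message": text.split("\n\n", 1)[1].strip()}


def walk_history(git_dir, head):
    """Follow parent pointers from HEAD; oldest commit ends up last, like 'git log'."""
    out, sha = [], head
    while sha:
        out.append(parse_commit(read_loose(git_dir, sha)))
        sha = out[-1]["parent"]
    return out


def offset_profile(commits):
    """Map each author e-mail to the sorted set of UTC offsets seen in their commits."""
    prof = {}
    for c in commits:
        prof.setdefault(c["email"], set()).add(c["offset"])
    return {k: sorted(v) for k, v in prof.items()}


def build_sample_repos():
    """Constructed data: a leak-site repo (CEST then CET) and a panel repo (fixed UTC-6)."""
    cest, cet, m6 = (timezone(timedelta(hours=h)) for h in (2, 1, -6))
    leak = [("dodo", "dodo@mail.pcc", datetime(2020, 8, 8, 9, 22, 56, tzinfo=cest), "Initial"),
            ("dodo", "dodo@mail.pcc", datetime(2020, 9, 16, 13, 14, 26, tzinfo=cest), "Teka && 2"),
            ("dodo", "dodo@mail.pcc", datetime(2020, 11, 14, 0, 37, 18, tzinfo=cet), "announcement")]
    panel = [("Your Name", "you@example.com", datetime(2020, 9, 25, 4, 42, 31, tzinfo=m6), "init"),
             ("Your Name", "you@example.com", datetime(2020, 9, 25, 20, 51, 43, tzinfo=m6), "add")]
    repos = {}
    for label, commits in (("leak", leak), ("panel", panel)):
        git_dir, parent = tempfile.mkdtemp(prefix=f"{label}-git-"), None
        for name, email, when, msg in commits:
            sha, blob = make_commit(parent, name, email, when, msg)
            write_loose(git_dir, sha, blob)
            parent = sha
        repos[label] = (git_dir, parent)  # last sha written is HEAD
    return repos


def analyse(repos):
    """Per repository: commit count, earliest local timestamp, and offsets per author."""
    report = {}
    for label, (git_dir, head) in repos.items():
        history = walk_history(git_dir, head)
        report[label] = {"commits": len(history),
                         "first": history[-1]["local_time"].isoformat(),
                         "offsets": offset_profile(history)}
    return report


if __name__ == "__main__":
    for label, info in analyse(build_sample_repos()).items():
        print(label, info)
```

An author whose offsets shift by one hour across a date that matches a daylight-saving change (as dodo@mail.pcc does) is a stronger locality signal than any single offset, because the shift is applied by the operating system rather than chosen by the committer. Validating the SHA-1 before parsing matters on a dumped repository: objects pulled through a flaky HTTP fetch are easy to truncate silently.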
**3.2.2 Source Code Analysis**

PYSA's management system is written in PHP 7.3.12 on the Laravel framework. It uses a MariaDB database, a Redis cache, and an Amazon cloud environment, as the environment file in Figure 7 shows. Deep inspection of the project's Git repositories also showed that the developers used PHPStorm as their IDE. The application itself is configured for the Australia/Sydney time zone; this is a framework setting that does not match the commit offsets in Table 1 or Table 3, and on its own it is not evidence of the operators' location.

**Figure 7. Environment variables of the management panel.**

The system exposes several API endpoints handling public file download, an SMB explorer, the full-text search interface, JSON feeds for tracking, auto-GIF generation, and more. Table 4 lists a subset of the most relevant endpoints. Most routes carry a random-looking suffix, an attempt at security through obscurity that a leaked route list or repository defeats entirely.

| Endpoint | Description |
|---|---|
| /upload-wekkmferokmsdderiuheoirhuiewiwnijnfrer | Uploader index page. |
| /uploader-zxczxczx | Index page. |
| /records | List page of all the database records. |
| /tree-df-dfdnnfpqowe-dsfdskwqehrw-sdfvdvdnkwker | File list in tree format. |
| /d2u039-8r-wh___efo389hfeos | File list page. |
| /uploader-zlist | List all the items. |
| /merge-qaszwerfeiun4i5yghydf | Merge files. |
| /smb-ero4tij5p9yhfgdejkr.t4irtueitdfbvcvrcf | SMB explorer (viewer). |
| /explorer-scan-awdfsdftjktdngjksdfd | File explorer scan. |
| /exportozirnosi-33388883333777-jisosei393 | Export the file list. |
| /archive-asdfvenrgdfgfd | Archive JSON feed. |
| /i-want-to-download-awesome-pysa-file/{uuid} | Public file download. |
| /gifhwdbhg4hugdkhfnksvdfetergtrwehfisuhew32r | Generate animation for files. |
| /analyze-keywords-ejkrgnekjns-sdbfr | Analyze the files for full-text search. |
| /asdfvenrgdfgfd-{id}.json | Project JSON feed for tracking. |

**Table 4. Excerpt list of the endpoints.**
**3.2.3 Full-text Search Interface**

Once PYSA team members have encrypted a target system, they must intimidate the victim into paying a ransom. Part of this process is proving that the victim's confidential data has been exfiltrated successfully. PYSA has developed its own full-text search engine that extracts metadata and makes victim information easy to find and access. An early version of the system exposed only file names and paths. The version in use at the time of our investigation also offers content-based full-text search, but it is available only to administrators and had not yet been rolled out to the production environment. Figure 8 shows the full-text search interface of the management system, along with some pre-defined keywords.

**Figure 8. Full-text search interface of the management system.**

This system makes it easier for a large-scale cybercriminal network to operate efficiently. It also provides insight into the mindset and ultimate goals of ransomware operators. Pre-defined keywords like "government" show an obvious target categorization scheme at play, while more specific terms like "1040", "1099", and "401(k)" refer to United States tax forms and retirement plans; stems such as RRHH, Recursos*Humanos and DRH extend the same HR-record targeting to Spanish-, Portuguese- and French-language environments. Further research into the predefined keywords (Table 5) may help pinpoint future targets and refine some of the assumptions cybersecurity professionals make about cybercrime groups like PYSA. For example, the list below is clearly an extended version of the keyword list extracted from the PowerShell script PYSA used to exfiltrate data from victims' devices. [3]
1040, 1099, 1120, 2020, 2021, 401(k), 401K, 4506-T, 8822, 8955, 941, 9465, ABRH, ARH, Accou, Addres, Agreem, Anal, Annu, Asse, Assignment, Author, Balanc, Bank*Statement, Benef, Bill, Biomet, Book, Budg, Busi, CDA, CPF, CRH, Card, Cash, Cell, Cert, Check, Citiz, Clien, Compet, Confi, Contact, Contr, Covid, DDRH, DRH, Daily, Data, Deal, Demog, Detail, Disclo, Doc, Docum, Drug, EBITDA, Emplo, Enrol, Equit, Exam, FY2, Finan, Form, Grad, HR, Harassm, Hir, Human, I-9, I9, IRS, Identi, Img, Incid, Incom, Info, Insur, Insurance, Invest, K-1, K1, List, Mail, Margin, Monthly, Mp4, NDA, Non-discl, Numb, Parent, Partn, Pass, Pati, Pay, Person, Phone, Princip, Privat, RHO, RRHH, Rat, Recursos*Humanos, Refer, Repor, Resour, Resul, Reven, SS, SS#, SS-4, SSA, SSN, SWIFT, Salar, Sale, Sec, Sex, Signed, Soc, Staf, Stat, Statement*Bank, Stud, Tax, Teach, Tort, Trade, Tranz, Uniq, Valu, Vend, Verif, Violen, W-2, W-4, W-7, W-8BEN, W-9, W2, W4, W9, Wage, Work, agreem, balanc, bank, billing, budget, bureau, card, cash, checking, clandestine, compilation, compromate, concealed, confid, confident, contact, contr, emplo, federal, finance, fraud, government, hidden, i-9, identi, illegal, important, insider, investigation, letter, mail, passport, passwd, password, pay, payment, payroll, person, privacy, privat, pwd, report, resurses*human, routing, saving, scans, sec, secret, security, seed, sin, soc, statement, tax, unclassified, w-4

**Table 5. Pre-defined keyword list of the system set by attackers.**
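Defenders can turn Table 5 around and run it over their own file inventory to see which documents PYSA's panel would surface first. The script below is an added example for this report, not code from PYSA's search engine. The matching semantics are an assumption drawn from the shape of the list: truncated stems such as "Emplo" are treated as prefixes that must start at a token boundary, the presence of both "Tax" and "tax" suggests case-sensitive matching (toggleable here), and "*" in "Bank*Statement" is treated as a wildcard. Only a subset of Table 5 is embedded, and the sample paths are constructed.

```python
"""Replay PYSA's pre-defined keyword stems against a file inventory.

Added example, not code from the report or from PYSA's panel. Matching rules
(token-anchored prefix, case-sensitive, '*' wildcard) are assumptions.
"""
import re

# Subset of the Table 5 keyword list, as published in the report.
PYSA_KEYWORDS = [
    "1040", "1099", "2021", "401(k)", "401K", "Bank*Statement", "Confi", "Emplo",
    "Finan", "HR", "I-9", "Pay", "SSN", "Stat", "Statement*Bank", "Tax", "W-2",
    "W2", "confid", "passwd", "password", "payroll", "tax",
]

# A stem may begin only where a token begins: at the start of the string or
# after a separator such as '/', '\\', '_', '-', ' ' or '.'.
TOKEN_START = r"(?<![A-Za-z0-9])"


def compile_keyword(keyword, case_sensitive=True):
    """Turn one Table 5 entry into a regex: escape literal parts, let '*' span text."""
    pattern = TOKEN_START + ".*?".join(re.escape(part) for part in keyword.split("*"))
    return re.compile(pattern, 0 if case_sensitive else re.IGNORECASE)


def compile_keywords(keywords=PYSA_KEYWORDS, case_sensitive=True):
    return [(kw, compile_keyword(kw, case_sensitive)) for kw in keywords]


def match_path(path, compiled):
    """Sorted list of keywords that hit anywhere in the path."""
    return sorted(kw for kw, rx in compiled if rx.search(path))


def triage(paths, compiled=None):
    """Score every path; most keyword hits first, ties broken by path."""
    compiled = compiled or compile_keywords()
    scored = {p: match_path(p, compiled) for p in paths}
    return dict(sorted(scored.items(), key=lambda kv: (-len(kv[1]), kv[0])))


# Constructed sample inventory, as a defender might export from a file server.
SAMPLE_PATHS = [
    "HR/Employee_W-2_2021.pdf",
    "Finance/Bank Statement March 2021.xlsx",
    "Payroll/401(k) enrollment.docx",
    "it/etc/shadow_passwords.txt",
    "pictures/holiday.jpg",
    "IT/readme.txt",
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE_PATHS).items():
        print(f"{len(hits):2d}  {path:42s} {', '.join(hits)}")
```

Running the same stems over a share inventory is a cheap way to find the documents most worth moving behind stricter access control before an intrusion, and the compiled patterns can double as a content rule set for file-access monitoring on those shares.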
**3.2.4 Infrastructure**

To scale their infrastructure, the PYSA team deploys and manages a number of Docker containers, including the public leak servers, the database, and the management servers. These containers are connected via internal networking on the same dedicated server. Figure 9 gives an overview of PYSA's infrastructure.

**Figure 9. PYSA's network infrastructure** (components shown in the figure: Database (MariaDB), Public Leak Server (Hidden Service), Victim Infrastructure, Encrypted Cloud (Amazon S3)).

Since December 2021, they have been deploying new management servers to address scalability issues. Under this scheme, each threat actor is assigned a separate management server. The team uses external work queues, namely Amazon Simple Queue Service (SQS), to manage the workflow assigned to each individual. We observed simple deployment scripts (Figure 10) that allow threat actors to deploy a new management panel instantly.

**Figure 10. Deployment script of the management panel.**

**3.2.5 Encrypted Cloud Storage**

It is surprising that the PYSA team used Amazon S3 to store its encrypted files. The group's Amazon account was created on 18.09.2020 and the bucket dates to 21.09.2020.
This bucket contains 31.47 TB of encrypted data belonging to victims. The system encrypts and decrypts data as a stream on its way to and from Amazon S3 whenever someone requests a file belonging to a victim. Such requests arrive through the hidden onion service and are handled by a FileVault package, as shown in Figure 11. Streaming means that a victim's file is never written to the panel's disk in the clear, and that a takedown of the bucket alone yields only ciphertext unless the key held by the panel is recovered as well.

**Figure 11. Sample code blocks that demonstrate the usage of the encrypted cloud.**

**3.2.6 Auto-GIF Generation**

After ransom negotiations finish, many victims request proof of file deletion. PYSA can automatically generate a GIF animation (Figure 12) that appears to show the stolen file paths being deleted. Once the ransom is paid, PYSA threat actors generate this animation and send it to victims along with the decryption software.

**Figure 12. Auto-GIF generator to reassure the victim.**

Despite the obvious reassurance this GIF offers to victims, it is an illusion: the animation is rendered from the stored file paths, and the stolen files are not deleted as it suggests. The PYSA team is free to use and reuse a victim's data as often as it sees fit, and can even retarget victims using the data it claims to have deleted. This matters because PYSA is known to use double extortion tactics against victims.
**3.2.7 Data Exfiltration via SMB Links**

In order to exfiltrate victim data from internal networks, the PYSA team uses SMB links in their system. While most links point to proxy or relay servers, some point directly to the victim’s infrastructure. Once the expected inputs are filled in, as shown in Figure 13, the system executes asynchronous tasks that pull files from the link over the SMB protocol. The project ID field represents the victim’s unique ID, which is set manually by the attackers. The team also uses a token value to authorize its affiliates; these tokens function similarly to conventional API authorization keys.

**Figure 13. SMB Link interface.**

Figure 14 depicts a code snippet responsible for managing SMB links. The single most striking observation to emerge from the code is the use of work queues to transfer files in parallel. We consider this approach a solid and speedy way to manage data exfiltration efficiently.

**Figure 14. Source code excerpt responsible for SMB Links.**
**3.2.8 Users**

We identified 11 active users representing individual threat actors with different privilege levels in the management system, as listed in Table 6. Each one is responsible only for its own victims (so-called projects), and only admin users can access another user’s content.

| # | Name | Email | Creation Date |
|---|---|---|---|
| 1 | admin | admin@admin.com | 2020-09-25 09:15:24 |
| 2 | t1 | lmoen@goyette.info | 2021-01-08 11:22:32 |
| 3 | t2 | vonrueden.antonietta@gmail.com | 2021-01-08 11:22:33 |
| 4 | t3 | leanne.roob@hotmail.com | 2021-01-08 11:22:33 |
| 5 | t4 | wilderman.belle@gibson.com | 2021-01-08 11:22:33 |
| 6 | t5 | lesch.stephany@abshire.org | 2021-01-08 11:22:33 |
| 7 | t6 | plockman@medhurst.com | 2021-01-08 11:22:33 |
| 8 | t7 | jerrod19@yahoo.com | 2021-01-08 11:22:33 |
| 9 | t8 | collins.ike@corwin.com | 2021-01-08 11:22:33 |
| 10 | t9 | bosco.hipolito@wilkinson.com | 2021-01-08 11:22:33 |
| 11 | t10 | hayden.rempel@kunde.com | 2021-01-08 11:22:33 |

**Table 6. User list of the management panel.**

On the other hand, we detected the Faker [5] library in the source code, which can produce fake email addresses. As a result, we are highly skeptical of the validity of the email addresses listed above. We have no further evidence suggesting that these email addresses belong to real accounts.

[5] https://fakerphp.github.io/
#### 3.3 Ransomware Software

In this section, we provide a technical analysis of PYSA’s ransomware encryption and decryption executables.

**3.3.1 Encryption**

The PYSA malware traverses hard drives recursively, looking for user files to encrypt. The executable starts a new thread running the encryption routine for every directory it visits and places a README ransom note in each directory. In order to keep the system functioning, it does not encrypt executable files or necessary system files: a hardcoded list of extensions identifies these files and excludes them from the encryption routine. Every eligible file is encrypted and given a ”.pysa” extension. The recursive visit routine is shown below.

**Figure 15. Recursively encrypting files.**

PYSA ransomware generates a KEY and an IV value for each file. Key generation is done with AutoSeededRandomPool; the randomly generated key is later used to encrypt the file with AES in CBC mode. The generation process is shown below.

**Figure 16. Random KEY and IV generation.**

The ransomware executable encrypts files in blocks of 100 bytes. The loop over blocks reads a block, encrypts it, flushes it back into the file, and then seeks back to the corresponding position to prepare for the next block. The relevant code snippet is shown below.

**Figure 17. File encryption.**

Once the routine described above has encrypted a file, the ransomware encrypts both the KEY and IV values with an RSA public key; this information is needed later for decryption. The ransomware then seeks to the beginning of the file and writes the encrypted KEY and IV values there. The RSA public key is stored in encoded form. The RSA key content and its decoding process are shown below.

**Figure 18. Encoded RSA public key.**

**Figure 19. Decoding RSA key.**

The process of encrypting the KEY and IV values is shown below as well, together with a screenshot of the header routine that writes the encrypted parameters to the beginning of the file.

**Figure 20. Encrypting KEY and IV values.**

**Figure 21. Putting encrypted parameters at the beginning of the file.**

**3.3.2 Decryption**

PYSA ransomware’s decryption method is straightforward and executes the reverse of the encryption process described above. The decryption software has an RSA private key embedded in it; this private key corresponds to the particular encryption executable unique to each victim, as shown below.

**Figure 22. Embedded associated RSA private key.**

The decryption software recursively visits each file and runs its routine. For every file, it must first retrieve the previously encrypted AES CBC mode parameters. Using the RSA private key, it can decrypt the KEY and IV values.
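The hybrid scheme described in 3.3.1 and 3.3.2 (a random per-file KEY and IV, AES-CBC over the file body, and the RSA-wrapped parameters written to the start of the file), reconstructed as an added Go example written for this page rather than taken from the ransomware or its decryptor. The exact byte layout, AES-256, OAEP wrapping and a single CBC stream with PKCS#7 padding (instead of the 100-byte chunking of Figure 17) are assumptions of the example; buildSample only constructs an in-memory sample so that recoverFile, the decryptor-side parsing, can be checked, including the wrong-key and truncated-file failure modes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed layout of one encrypted file (the report shows KEY and IV being
// RSA-encrypted and written to the start of the file, not the exact bytes):
//	[ RSA-OAEP( KEY || IV ) ][ AES-256-CBC( plaintext ), PKCS#7 padded ]
// The RSA block is always modulus-sized, so the body starts at priv.Size().
const (
	keyLen = 32            // AES-256 key length (assumed)
	ivLen  = aes.BlockSize // 16-byte CBC IV
)

// pkcs7Unpad strips PKCS#7 padding from a non-empty, block-aligned buffer and
// rejects malformed padding (what a decryptor sees after a wrong-key unwrap).
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, errors.New("bad padding length")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("inconsistent padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// buildSample constructs an in-memory sample in the assumed layout: a fresh
// random KEY and IV per file (the AutoSeededRandomPool step of Figure 16),
// the body encrypted with AES-CBC, and the RSA-wrapped parameters prepended.
func buildSample(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	params := make([]byte, keyLen+ivLen) // KEY || IV
	if _, err := rand.Read(params); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(params[:keyLen])
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	body := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, params[keyLen:]).CryptBlocks(body, padded)
	header, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, params, nil)
	if err != nil {
		return nil, err
	}
	return append(header, body...), nil
}

// recoverFile mirrors the decryptor described in 3.3.2: unwrap KEY and IV
// with the victim-specific RSA private key, then AES-CBC decrypt the body.
func recoverFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	hdr := priv.Size()
	if len(blob) < hdr+aes.BlockSize || (len(blob)-hdr)%aes.BlockSize != 0 {
		return nil, errors.New("file too short or body not block-aligned")
	}
	params, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob[:hdr], nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap KEY/IV (wrong key or damaged header): %w", err)
	}
	if len(params) != keyLen+ivLen {
		return nil, errors.New("unexpected parameter length in header")
	}
	block, err := aes.NewCipher(params[:keyLen])
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(blob)-hdr)
	cipher.NewCBCDecrypter(block, params[keyLen:]).CryptBlocks(out, blob[hdr:])
	return pkcs7Unpad(out)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the embedded key of Figure 22
	sample, _ := buildSample(&priv.PublicKey, []byte("constructed victim document contents"))
	got, err := recoverFile(priv, sample)
	fmt.Printf("%q %v\n", got, err)
}
```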
Once it has the necessary parameters, it can restore the file content and replace each filename with its original extension. The decryption routine is shown below.

**Figure 23. File decryption.**

### 4 Statistics and Observations

This section provides the victim statistics by month, the threat actor activity graph, and findings on author profiling.

#### 4.1 Victim Statistics

Since September 2020, the PYSA team apparently exfiltrated data from 747 victims to the management panel. December 2020 and June 2021 were the most active months, with approximately 90 victims each. The victim count remained elevated after June 2021, only tailing off at the end of the year.

**Figure 24. Victim statistics by month.**

The uptick in activity may coincide with the PYSA team’s development initiatives for enabling full-text search and other useful features. It is plausible that PYSA’s leaders thought this kind of functionality would give the group a competitive edge in the cybercrime marketplace by making it easier for affiliates to operate large-scale attack campaigns. PYSA released the confidential files of 309 victims on its public leak server, while we detected 747 victims in the management panel. From these figures we can roughly estimate the success (ransom payment) ratio of the ransomware gang at around 58%, counting the victims whose files were not published as having paid ((747 − 309) / 747). Notwithstanding, the ratio raises intriguing questions regarding the nature and extent of the cybercriminals’ motivations.
Further studies that take these variables into account will need to be undertaken.

#### 4.2 Threat Actor Activity

The activity of individual threat actors suggests a group of four highly engaged users with wide-ranging access. Together, these four users account for more than 90 percent of the activity on the group’s management panel. The other active users collectively make up the rest, which might mean there is a relatively small group of affiliates that are less involved in the day-to-day operations of the PYSA group.

**Figure 25. Threat actor activity statistics.**

Since multiple time zones appear to be represented across PYSA’s core infrastructure, it is likely that its primary users come from different parts of the world and work together solely online. This would suggest that PYSA threat actors managed to sustain an effective and well-organized development pipeline as a distributed global team.

#### 4.3 Author Profiling and Linguistic Evidence

Deep sensors planted by the PTI team can capture, interrupt, and react to information traffic between cybercriminals in secret and public communication channels. We accumulate linguistic evidence to strengthen our criminal profiling capabilities as part of our cyber attribution efforts. AUCH (Autorenprofile für die Untersuchung von Cyberkriminalität CH) is our recently developed author profiling technology, powered by deep neural networks.
AUCH can analyze the language of cybercriminals to reveal important information regarding their identities. It operates on data and cyber-insight we have acquired over the years through our proactive approach against cybercrime. AUCH is currently a preliminary-stage research project supported by the Swiss Innovation Agency, Innosuisse. We collaborate with our partners at the University of Zurich to integrate cutting-edge linguistics research into cybersecurity. In the upcoming months, we will be able to showcase more of the features we are working on to support our investigations and consolidate our scientific approach against cybercrime.

**Figure 26. PYSA ransomware statement from their website.**

The individuals behind the PYSA cybercrime group are known to be well-trained and well-resourced. Most of the acquired messages were written by authors with an excellent command of the English language. However, as the linguistic evidence accumulated, AUCH was able to identify edge cases for author profiling. AUCH also exploits recent developments in XAI (Explainable Artificial Intelligence) to generate human-friendly explanations based on gradient and perturbation methods, providing our threat intelligence analysts with the insights necessary for robust cyber-attribution [2, 1]. We limit our explainability discussion to three meaningful examples generated by AUCH that show how our system captures different linguistic relationships.
**4.3.1 Grammaticality**

**Ransom Note #1:** Every byte on any types of your devices was encrypted. Don’t try to use backups because it were encrypted too.

Our inference engine detected the grammatical violations in the ransom messages found on compromised systems. Unlike the rest of the evidence, these messages included errors in fundamental aspects of the English language, such as subject-verb and pronoun-antecedent agreement. We do not see any evidence that these errors were replicated anywhere else in the acquired messages.

**4.3.2 Unnatural Statements**

**PYSA Victim Statements #1:** Don’t miss out on the most interesting (things) (leak), there is something to please the sophisticated audience.

The non-existent noun in the (DET + ADVERB + ADJECTIVE) combination was flagged by the profiling system. It is possible to form a noun from the phrase “the most interesting” in German (das Interessanteste), but not in English. We think this linguistic innovation results from the native language of the author.

**PYSA Victim Statements #2:** The main bonus from our partners is such information as criminal cases and material evidence on them, technical plans of buildings and structures of the city, confidential information about police officers. More than 20 GB of data that will not leave you aside.

The phrasal verb “leave you aside” was flagged as a linguistic anomaly by our profiling system.
It is possible to “leave something aside” but not to “leave someone aside” in the English language. This is most likely a calque resulting from the influence of the author’s native language.

**PYSA Victim Statements #3:** Our partners will also not leave the opportunity to show you the calculations of budgets for future years, financial reports and documentation, personal data of employees.

The term “calculations of budgets” was flagged by our profiling system as a possible word-order influence. It is a very unnatural statement for a native English speaker in this context; a native speaker would probably prefer “budget calculations” instead. In most European languages, root-for-root translations with the same word order can be found (DE: *Berechnung des Budgets*, PT: *cálculos de orçamentos*, IT: *calcolo dei bilanci*, ESP: *cálculo de los presupuestos*).

**4.3.3 Syntax**

**PYSA Victim Statements - Author #1:** Here they will present for you (with) tax files, budget calculations and their formation, current settlements, payment orders, etc. 1.55 Gb files that will not cease to be relevant at any time.

**PYSA Victim Statements - Author #2:** One of the largest colleges in the State presents (for) you with bank records, budget calculations, scanned documents, and photos of its employees.

To further strengthen our claims, our inference engine identified a prepositional innovation by one of the authors. The first author uses the combination “present for you” instead of “present someone with”, which is a distinctive dissimilarity for author profiling. However, this linguistic innovation is not replicated in some of the other messages on the victim announcement board, which raises the possibility of multiple authors. Upon inspection, our algorithm found that the linguistic style of the messages without innovations differs from the rest, confirming the existence of another author.
Based on our first analysis, the threat actors most likely have ties to Europe but also employ different actors who are non-native English speakers.

### 5 Conclusion

PYSA has shown itself capable of highly destructive ransomware attacks on critical infrastructure organizations, using a “big game hunting” approach to extort large enterprises into paying immense ransoms quickly. The PTI Team’s research offers a rare glimpse at how the group’s techniques, tactics, and procedures enable it to achieve its goals. More importantly, the gang does not delete the files even after receiving the ransom money. Authorities always publicly underline “Don’t pay the ransom” to prevent financial support to ransomware gangs.

Unlike highly automated threats that target huge numbers of victims at a time, PYSA is a highly manual ransomware operator that focuses exclusively on high-value targets. Nevertheless, the group’s development cycle shows that it prizes automation and workflow efficiency greatly, and has actively invested in improving its capabilities. Its development team even created user-friendly tools such as a full-text search engine to facilitate highly scalable automated workflows.

Most ransomware gangs like PYSA use a double-extortion technique against their victims, in which the victim’s data is both exfiltrated and encrypted. Almost 58% of the PYSA victims paid the ransom, which shows the danger of this common technique.
The data in this report will shape cybersecurity professionals’ understanding of how groups like PYSA work and what motivates them. This adds considerable value to the insight threat intelligence operatives can provide to the IT leaders who rely on them. PRODAFT and its threat intelligence platform USTA [6] deliver actionable insights that help cybersecurity professionals understand threat actors better, anticipate their next move, and respond faster once an incident occurs. To learn more about our platform or our CIN network, you can contact us on our website.

[6] https://www.prodaft.com/usta-trial-access

**Acknowledgement**

We would like to thank our advisors for their valuable guidance and support throughout this research. The public version of the report will be shared on our GitHub page [7]. Readers can find new samples, IOCs, and new versions of this report on our GitHub page, as we will constantly update it based on new findings.

[7] https://www.github.com/prodaft
### 6 IOC

#### 6.1 Leak Management Infrastructure

#### 6.2 Public Leak Servers

### References

[1] Avanti Shrikumar, Peyton Greenside and Anshul Kundaje. “Learning important features through propagating activation differences”. In: International Conference on Machine Learning. PMLR, 2017, pp. 3145-3153.

[2] Mukund Sundararajan, Ankur Taly and Qiqi Yan. “Axiomatic attribution for deep networks”. In: International Conference on Machine Learning. PMLR, 2017, pp. 3319-3328.

[3] Bleeping Computer. Ransomware gang’s script shows exactly the files they’re after. URL: https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after/ (accessed: 22.03.2022).
### History

| Version | Date | Author(s) | Modifications |
|---|---|---|---|
| 1.0 | 27.09.2020 | PTI Team | Initial TLP:RED DRAFT version. |
| 2.0 | 23.12.2020 | PTI Team | Law Enforcement version. |
| 2.1 | 06.01.2021 | PTI Team | Threat actor attribution. |
| 2.2 | 15.01.2022 | PTI Team | Redacted TLP:AMBER version. |
| 3.0 | 11.04.2022 | PTI Team | Public TLP:WHITE version of the report. |