#Pysa

2022-11-21

Analyzing #TTP overlap for nine top #ransomware

This originates from analysis of ransomware targeting schools, but most of these families have threatened a range of critical infrastructure & other industries too

Each ransomware covered here has published extortion threats involving a school or university during the past year, and this trend is increasing. I tallied 66 ransomware extortion threats against these #education entities since last October. A few groups dominate (see pie chart), and victim count jumped especially high in recent months for schools (K-12) (see bar chart).

The #malware covered here (and count of associated extortion threats against education entities) are: #ViceSociety (25), #Pysa (8), #LockBit 3.0 (7), #ALPHV / #BlackCat (6), LockBit 2.0 (5), #Hive (4), #BianLian (3), #Quantum, Snatch (2), & #Conti, #REvil, Sabbath, and Stormous (1 each). Also #HelloKitty / #FiveHands, which is used by Vice Society, but no relevant posts were observed.

Visual summary of my analysis: app.tidalcyber.com/share/8d9f2

Overall the nine ransomware map to 131 unique techniques total, sourced from 30 recent public reports, mainly malware analysis & government advisories ("Show only labelled techniques" gives the best view). The underlines & numbers in the cells indicate number of malware mapped to that technique. Background color gradient represents number of sources referencing it. This tool helps with pivoting to defenses and analytics (think Sigma rules), offensive tests (Atomic Red Team), and data sources (make sure you have proper logging enabled) mapped to the same techniques.
#threatintel #SharedWithTidal

2021-11-05

RT @inversecos@twitter.com

1\ Ransomware:

> ZeroLogon Initial Access
> Custom coded Golang RAT
> Exfil using custom coded script to remote IP
> Custom coded reconnaissance scripts
> Decryption key is dodgy

Also... deletes EVERYTHING they create... including deleting entire user profiles 😵‍💫

🐦🔗: twitter.com/inversecos/status/

๐Ÿ‘ socatsocat@nanao.cybtex.fr
2021-10-05

The Pysa operators are leaking data relating to:

  • 🇺🇸 Ocean View Nursing & Rehabilitation (oceanviewrehab.com)
  • 🇺🇸 ITS, Inc. (itsdmv.com)
  • 🇺🇸 Jurysync (jurysync.com)
  • 🇨🇦 Adore Fashions (adorefashions.com)
  • 🇫🇷 Santélys (santelys.asso.fr)
  • 🇺🇸 Consolidated High School District 230 (d230.org)
  • 🇧🇷 HMCC (hmcc.com.br)
  • 🇮🇪 Ardagh Group (ardaghgroup.com)
  • 🇺🇸 Associated Solutions (associated-solutions.com)
  • 🇬🇧 St Benet Biscop (st-benetbiscop.org.uk)
  • 🇨🇷 Instituto Mixto de Ayuda Social (imas.go.cr)

#USA #CANADA #FRANCE #IRELAND #UK #BRAZIL #COSTARICA #RANSOMWARE #PYSA #DATABREACH

2021-01-07

Data stolen from Hackney Council posted on dark web by ransomware gang - The cybercrime gang behind the PYSA ransomware has released files which they claim to have stolen ... grahamcluley.com/data-stolen-f #ransomware #databreach #mespinoza #dataloss #malware #hackney #pysa

Teddy / Domingo (🇨🇵/🇬🇧) TeddyTheBest@framapiaf.org
2020-03-19

France warns of new ransomware gang targeting local governments. CERT France says some local governments have been infected with a new version of the #Pysa ( #Mespinoza) #ransomware.
zdnet.com/article/france-warns
#malware
