Rewterz Threat Alert – PYSA Ransomware – IOCs

Severity

High

Analysis Summary

Since March 2020, PYSA ransomware has hit US and foreign government entities, educational institutions, private companies, and the healthcare sector by unidentified cyber actors. PYSA typically gains unauthorized access to victim networks by compromising Remote Desktop Protocol (RDP) credentials and/or through phishing emails. The cyber actors use Advanced Port Scanner and Advanced IP Scanner to conduct network reconnaissance, and proceed to install open source tools, such as PowerShell Empire2 , Koadic3 , and Mimikatz4 . The cyber actors execute commands to deactivate antivirus capabilities on the victim network prior to deploying the ransomware.

The cyber actors then exfiltrate files from the victim’s network, sometimes using the free open- source tool WinSCP5 , and proceed to encrypt all connected Windows and/or Linux devices and data, rendering critical files, databases, virtual machines, backups, and applications inaccessible to users. In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom.

Impact

• Unauthorized access
• Data exfiltration
• File encryption

Indicators of Compromise

From Email

• ced_cririele93@protonmail[.]com
• veronabello@onionmail[.]org
• irvingalfie@protonmail[.]com
• giuliacabello@onionmail[.]org
• gustaf[.]wixon@protonmail[.]com
• avitacabrera@protonmail[.]com
• ralfgriffin@protonmail[.]com
• domenikuvoker@protonmail[.]com
• korgy[.]torky@protonmail[.]com
• mespinoza980@protonmail[.]com
• astion11@protonmail[.]com
• ellershaw[.]kiley@protonmail[.]com
• Bfgkwethnsb@protonmail[.]com
• jonivaeng@protonmail[.]com
• Logan_A_Gray@protonmail[.]com
• alanson_street8@protonmail[.]com
• rafaeldari@onionmail[.]org
• raingemaximo@protonmail[.]com
• Abelzackary@onionmail[.]org
• mcpherson[.]artair@protonmail[.]com
• Elliotstaarss1@protonmail[.]com
• lambchristoffer@protonmail[.]com
• TimWestbrook@onionmail[.]org
• gareth[.]mckie3l@protonmail[.]com
• PaulDade@onionmail[.]org
• rohrbacherlucho@protonmail[.]com
• CarmenWashingtonGton@portonmail[.]com
• aireyeric@protonmail[.]com
• cozmo[.]storton@protonmail[.]com
• noblecocking@protonmail[.]com
• karim[.]abson@protonmail[.]com
• presleybarry63@protonmail[.]com
• chettle[.]willem@protonmail[.]com
• duncan_cautherey@protonmail[.]com
• dalliss[.]prout96@protonmail[.]com
• shdujdsh@protonmail[.]com
• karkeck[.]arch@protonmail[.]com
• ihdtwesfs@portonmail[.]com
• keefe[.]mcmeckan@protonmail[.]com
• williamjohnson1963@protonmail[.]com
• keepupchell@protonmail[.]com
• casualstroons@portonmail[.]com
• gabriel8970@protonmail[.]com
• izak[.]pollington@protonmail[.]com
• masonhoyt@onionmail[.]org
• t_trstram@protonmail[.]com
• merry[.]lane@mailfence[.]com
• willmottlem01@protonmail[.]com
• Jamesy[.]kettlewell@protonmail[.]com
• BettyRacine@protonmail[.]com
• platt[.]lucais@protonmail[.]com
• Ohsgsuywb@protonmail[.]com
• jarret[.]wharram@protonmail[.]com
• Lojdgseywu@protonmail[.]copm
• hewitt_rogers@protonmail[.]com
• Johnbeamvv@protonmail[.]com
• thorvald_beattie@protonmail[.]com
• rewhgsch@protonmail[.]com
• warden_riddoch@protonmail[.]com
• lhdbeysdq@protonmail[.]com
• cowland_lothaire@protonmail[.]com
• mario1@mailfence[.]com
• Nickola_men@protonmail[.]com

SHA1

• 07cb2a3fe86414b054e2b002f283935bb0cb993c
• 52b2fc13ec0dbf8a0250c066cd3486b635a27827
• 728CB56F98EDBADA697FE66FBF7D367215271F10
• c74378a93806628b62276195f9657487310a96fd
• 24c592ad9b21df380cb4f39a85d4375b6a8a6175
• f2dda8720a5549d4666269b8ca9d629ea8b76bdf

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.