Pysa ransomware displays the files it is looking for
A ransomware attack typically has two objectives: encrypt systems and files or steal those files to later threaten to make them public. In both cases, it will ask for a ransom in exchange so that this does not happen. This is something that can affect both private users as well as companies and organizations.
But of course, the normal thing is that it encrypts all types of files or even the entire system. In this way the victim cannot access and would have to pay a ransom (which is often useless) or use decryption software if there is one for that variety. The novelty with Pysa is that it shows exactly what files it is looking for.
Specifically, it does so through a PowerShell script, as the security researchers behind this discovery have detected. The script is designed to track the storage units and, in case they find something they are looking for, they steal the files.
Search for valuable files
So what kind of files is Pysa ransomware looking for? That script we mentioned has a total of 123 keywords that will help this malware steal the files that really interest you. Logically these are documents that will have a certain value and with which you can extort money from that user or company.
They mainly look for files related to financial information, company data, audits, banking information, login credentials, tax related data, social security numbers, etc.
All this information is sensitive and they can extort money with it. No company would like their financial data, as well as the data to log in to any social network or even cloud services, to be available to third parties. It is precisely this that the Pysa ransomware will steal and, later, ask for a ransom in exchange so that it does not leak it.
But look also very specific words such as “crime”, “fraud”, “office”, “secret”, “illegal”, “hidden” … Basically it focuses on information that may be confidential and that a company or user would not want under any circumstances to be made public.
Just like we can recognize DDoS attacks and any other threat, it is essential be protected against ransomware and make no mistakes. Any failure can expose our personal data and serve as a gateway to cybercriminals. Also, a ransomware attack can be very fast.
In short, the Pysa ransomware shows through a script which files it is interested in so that it can steal them and, later, request a ransom in return. It is essential that we avoid these types of security threats when we browse the Internet.