Leaked ransomware script reveals what criminals are after

News / Leaked ransomware script reveals what criminals are after

Leaked ransomware script reveals what criminals are after

A PowerShell script, shared with BleepingComputer, has revealed the types of data criminals search for and try to steal during a ransomware attack.  

The program, used by the PYSA ransomware gang, seeks out, as you would expect, files typically personal and confidential in nature, often searching for those holding financial information. 

What is ransomware? 

Ransomware is a type of malware that, once it has successfully infected a device, searches for and steals data before employing encryption to hold the victim’s information at ransom.  

The victim cannot access their critical data and a ransom is demanded, often monetary, for them to regain access and stop their information from being leaked. 

This type of cyberattack is on the rise and generates billions of pounds for cybercriminals. A notable example of a ransomware attack in the UK is the WannaCry outbreak in 2017 which brought the NHS to a standstill. 


PYSA, which is an acronym for ‘Protect Your System Amigo’, is a variant of ransomware first seen in late 2019 and categorised as ransomware-as-a-service (RaaS), meaning it is rented out and used by other criminal organisations.  

PYSA has been known to target large private organisations and those in the healthcare industry. More recently, it has increasingly been used against educational institutions in both the US and UK. 

The leaked script 

Yesterday, MalwareHunterTeam shared a PowerShell script used by PYSA as part of their ransomware operation. The script revealed how the program searches for and extracts data.  

The script scans each drive for data folders whose names match certain strings on a device, and, if a match is found, the script uploads the folder’s files to a remote drop server controlled by the criminals.  

Most interesting, though, as part of this reveal is the 123 keywords used by the script to find what it is looking for. They help provide an insight into what is considered most valuable and how the threat actors think they are most likely to obtain what they want.  

The full list is available from BleepingComputer but some notable examples, relating to financial and personal information include ‘bank’, ‘billing’ and ‘pay’ as well as ‘important’ ‘login’ and ‘password’. 

The list also includes other keywords that could be harmful if leaked, such as ‘NDA’, ‘investigation’ and ‘illegal’. 

Is this reason for you to act? 

This revealing information does not however mean you need to change all your folder names to not include these words. The ransomware software will likely crawl the data manually and so changing folder names would likely have little impact. 

It is simply useful to know the types of data ransom actors are after in attempt to extort their victims. It helps to underline the importance of staying protected from such attacks. 

Here are shared tips on how to stay safe from ransomware, and these include: 

  • Backing up data 
  • Use security software and keep it up to date 
  • Practice safe surfing 
  • Only use secure networks 
  • Implement a security awareness program 

You can also run a cybersecurity scan on your website and networks to see how secure you are from the threats of ransomware and other malicious attacks.

How secure is

your business?

Security test

How secure is

your business?

Security test