The Hacker News reports that the PYSA ransomware operation has focused on bolstering workflow efficiency through tools, including a seemingly full-text search engine for metadata extraction and immediate victim data discovery and access, which have allowed successful attacks against up to 747 victims before being dismantled in January.
PYSA has been "known to carefully research high-value targets before launching its attacks, compromising enterprise systems and forcing organizations to pay large ransoms to restore their data," said a report from Switzerland-based cybersecurity firm PRODAFT
Researchers discovered that at least 11 accounts were behind the operation, four of which accounted for more than 90% of the group's malicious activity. Dockerized containers with public leak servers, management servers, and an Amazon S3 cloud for encrypted file storage, have also been discovered in the PYSA infrastructure. However, PYSA members have been observed to commit operational security errors enabling the identification of a hidden service within the TOR network, which shed more light on its tactics.
"The group is supported by competent developers who apply modern operational paradigms to the group's development cycle. It suggests a professional environment with well-organized division of responsibilities, rather than a loose network of semi-autonomous threat actors," said researchers.