Attackers Scan Your Network for These Folder Names

by | Sep/2/2021

Once attackers gain access to a network, and before they make themselves known, they explore your files to:

  • Locate cyber insurance policies to determine what your coverage limits are.
  • Find financial statements to determine how much ransom you can afford to pay.
  • Look for the most sensitive files they can download and threaten to release if you do not pay.
  • Watch for signs that you have discovered, or suspect, that they have gained access to your computers.

Do you have folder names that contain any of these character sequences?

bank
Bank Statement
budget
HR
Insurance
IRS
password
SSN

See the end of this post for the complete list of search strings.

The security group MalwareHunterTeam obtained the Pysa ransomware operation’s attack script and shared the list with Bleeping Computer.

Hopefully we never reach the point of having to give folders meaningless names, like the section labels in an amusement park parking lot, instead of descriptive ones. A better strategy is to do everything possible to keep attackers from gaining access in the first place. Rather than letting this terrify you, use any concern you feel to redouble your efforts to implement robust cybersecurity controls, including but not limited to:

  • Use the application control features built into your operating systems. Consider Microsoft AppLocker, and keep the implementation manageable by relying on publisher and path rules rather than verifying file hashes (hash rules must be updated every time a binary changes).
  • Apply critical security updates to operating systems, applications, and infrastructure devices such as firewalls.
  • Remove local administrator rights from all users.
  • Keep both online and offline backups. Offline backups are disconnected from your network, so an attacker who gets into the network cannot alter or encrypt them.
  • Even though it can be a monumental task, practice a complete system restore into a test environment so you can be confident you can get your data back if it is encrypted in a ransomware attack.
  • Use a two-step login (multi-factor authentication) for online programs, VPNs, and remote desktop connections.
  • If you still run an on-premises Exchange server, migrate it to Office 365 as soon as possible. Exchange mail servers are the target of successful attacks.

Please communicate with your IT professionals and support them by providing time to focus on implementing security controls. Help them with automation and delegation of daily tasks.

Please forward this to your friends so they can see this example and appreciate the level of sophistication of ransomware tools.

Here is the full list of strings the ransomware script searches for in your folder names:

941
1040
1099
8822
9465
401K
4506-T
ABRH
Addres
agreem
Agreement Disclosure
ARH
Assignment
Audit
balanc
bank
Bank Statement
Benef
billing
Brok
budget
bureau
card
cash
CDA
checking
claim
clandestine
compilation
compromate
concealed
confid
confident
Confidential Disclosure
contact
contr
CPF
CRH
Crime
DDRH
Demog
Detail
Disclosure Agreement
Disclosure Confidential
DRH
emplo
Enrol
federal
Finan
finance
Form
fraud
government
hidden
hir
HR
Human
i-9
illegal
important
Info
insider
Insurance
investigation
IRS
ITIN
K-1
letter
List
Login
mail
NDA
Numb
Partn
passport
passwd
password
pay
payment
payroll
person
Phone
privacy
privat
pwd
Recursos Humanos
report
Resour
resurses human
RHO
routing
RRHH
saving
scans
sec
secret
security
seed
Signed
sin
soc
SS-4
SS#
SSA
SSN
Staf
statement
Statement Bank
studen
SWIFT
tax
Taxpayer
Terror
Transact
unclassified
Vend
W-2
w-4
W-7
W-8BEN
w-9
W-9S
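To see what such a script would report on your own file servers before an attacker runs one, here is an added example for this post (it is not the Pysa script and not the author's code). It takes the list above, matches each string against every folder name in a directory tree, and reports the hits longest first so the most specific ones ("Bank Statement") come before the generic ones they contain ("statement", "bank"). It assumes case-insensitive substring matching, which the post does not state; the sample folder names and the min_len filter are constructed for the example.

```python
"""Audit a directory tree for folder names containing the Pysa search strings.

Added example for this post; it is not the Pysa script. Case-insensitive
substring matching is an assumption (the post only says the script looks for
these strings in folder names).
"""
import os
import re
import sys
from typing import Dict, Iterable, Iterator, List, Tuple

# The search strings listed at the end of the post, in the same order.
PYSA_STRINGS = (
    "941", "1040", "1099", "8822", "9465", "401K", "4506-T", "ABRH", "Addres",
    "agreem", "Agreement Disclosure", "ARH", "Assignment", "Audit", "balanc",
    "bank", "Bank Statement", "Benef", "billing", "Brok", "budget", "bureau",
    "card", "cash", "CDA", "checking", "claim", "clandestine", "compilation",
    "compromate", "concealed", "confid", "confident", "Confidential Disclosure",
    "contact", "contr", "CPF", "CRH", "Crime", "DDRH", "Demog", "Detail",
    "Disclosure Agreement", "Disclosure Confidential", "DRH", "emplo", "Enrol",
    "federal", "Finan", "finance", "Form", "fraud", "government", "hidden",
    "hir", "HR", "Human", "i-9", "illegal", "important", "Info", "insider",
    "Insurance", "investigation", "IRS", "ITIN", "K-1", "letter", "List",
    "Login", "mail", "NDA", "Numb", "Partn", "passport", "passwd", "password",
    "pay", "payment", "payroll", "person", "Phone", "privacy", "privat", "pwd",
    "Recursos Humanos", "report", "Resour", "resurses human", "RHO", "routing",
    "RRHH", "saving", "scans", "sec", "secret", "security", "seed", "Signed",
    "sin", "soc", "SS-4", "SS#", "SSA", "SSN", "Staf", "statement",
    "Statement Bank", "studen", "SWIFT", "tax", "Taxpayer", "Terror",
    "Transact", "unclassified", "Vend", "W-2", "w-4", "W-7", "W-8BEN", "w-9",
    "W-9S",
)

# One compiled, case-insensitive pattern per string; re.escape keeps "SS#",
# "4506-T" and "K-1" literal so they never act as regex metacharacters.
_PATTERNS = tuple((s, re.compile(re.escape(s), re.IGNORECASE)) for s in PYSA_STRINGS)


def match_strings(folder_name: str) -> List[str]:
    """Return every search string found inside folder_name, longest first.

    Longest-first ordering puts the most specific hit ("Bank Statement")
    ahead of the generic ones it contains ("statement", "bank").
    """
    hits = [s for s, pattern in _PATTERNS if pattern.search(folder_name)]
    return sorted(hits, key=lambda s: (-len(s), s.lower()))


def audit_names(names: Iterable[str], min_len: int = 1) -> Dict[str, List[str]]:
    """Map each folder name to its hits, dropping hits shorter than min_len.

    Two- and three-letter strings ("HR", "sec", "sin", "soc", "pay") match a
    huge number of ordinary names: "Chrome" contains "hr" and "Business"
    contains "sin". Raising min_len to 4 or 5 is a practical way to cut that
    noise when triaging a large tree; the attacker's script has no such filter.
    """
    findings: Dict[str, List[str]] = {}
    for name in names:
        hits = [h for h in match_strings(name) if len(h) >= min_len]
        if hits:
            findings[name] = hits
    return findings


def scan_tree(root: str, min_len: int = 1) -> Iterator[Tuple[str, List[str]]]:
    """Walk root and yield (full_path, hits) for every directory that matches."""
    for dirpath, dirnames, _files in os.walk(root):
        for hit_name, hits in audit_names(dirnames, min_len).items():
            yield os.path.join(dirpath, hit_name), hits


# Constructed folder names for the offline demo (not taken from any real system).
SAMPLE_NAMES = (
    "Bank Statements 2020", "HR Payroll", "Insurance Claims", "Chrome",
    "Business Plans", "Photos",
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python <this script> <root> [min_len]
        threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 4
        for path, hits in scan_tree(sys.argv[1], threshold):
            print(f"{path}\t{', '.join(hits)}")
    else:
        for name, hits in audit_names(SAMPLE_NAMES).items():
            print(f"{name!r}: {hits}")
```

Run it against a file share from an account with ordinary read access, since that is roughly what an intruder who has landed on a workstation will have. The output is not a list of folders to rename; it tells you where the data an attacker will go after actually lives, so you can tighten share and NTFS permissions there, confirm those paths are in the offline backup set, and point file-access auditing at them.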

Source of the list of filenames, used with permission: https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after from https://twitter.com/malwrhunterteam