Attackers Scan Your Network for These Folder Names
Once attackers gain access to a network, before they make themselves known, they explore your files to
- Locate cyber insurance policies to determine what your coverage limits are.
- Find financial statements to determine how much ransom you can afford to pay.
- Look for the most sensitive files they can download and threaten to release if you do not pay them.
- And watch to see if you’ve discovered, or suspect, that they’ve gained access to your computers.
Do you have folder names that contain these letters in a row?
See below for the complete list of 123 groups of characters.
The security group MalwareHunterTeam obtained the Pysa ransomware operation’s attack script and shared the list with Bleeping Computer.
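As an added illustration (not the page's own code and not the Pysa script), here is a small Python audit that walks a directory tree and flags every folder whose name contains one of a watchlist of substrings, matched case-insensitively the way the ransomware's "letters in a row" check works, so defenders can find the folders that would be singled out. The watchlist and the sample folder layout are constructed placeholders, not the 123-entry list.

```python
import os
import tempfile

# Constructed watchlist of substrings for the audit. These are illustrative
# placeholders only; the actual Pysa keyword list is not reproduced here.
WATCHLIST = ["insurance", "payroll", "confidential", "bank", "passw", "backup"]


def find_flagged_folders(root, watchlist=WATCHLIST):
    """Walk `root` and return sorted (path, matched_keyword) pairs for every
    directory whose name contains a watchlist substring, compared
    case-insensitively, as a substring scan over folder names would see it."""
    hits = []
    lowered = [w.lower() for w in watchlist]
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            lname = name.lower()
            for kw in lowered:
                if kw in lname:
                    hits.append((os.path.join(dirpath, name), kw))
                    break  # report each folder once, on its first match
    return sorted(hits)


def build_sample_tree(base):
    """Create a constructed directory layout for the demonstration."""
    for rel in ["Finance/Cyber Insurance Policy", "Finance/Q3 Reports",
                "HR/Payroll 2021", "IT/Server Backups", "Marketing/Logos"]:
        os.makedirs(os.path.join(base, rel), exist_ok=True)


def demo():
    """Build the sample tree in a temp dir and return flagged folders as
    forward-slash relative paths paired with the keyword that matched."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        hits = find_flagged_folders(base)
        return [(os.path.relpath(p, base).replace(os.sep, "/"), kw)
                for p, kw in hits]


if __name__ == "__main__":
    for path, kw in demo():
        print(f"{path}  <- matches '{kw}'")
```

Run it against a real file share root instead of the temp tree to list the folders that deserve tighter access controls or relocation.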
Hopefully, we never reach the point of having to abandon descriptive folder names in favor of names like the sections of parking lots at major amusement parks. A better strategy is to do everything possible to prevent the attackers’ access in the first place. Rather than let this terrify you, use any concern you feel to redouble your efforts to implement robust cybersecurity controls, including but not limited to:
- Use the application control features of your operating systems. Consider Microsoft AppLocker, but keep the implementation less complex by not relying on hash verification.
- Apply critical security updates to operating systems, applications, and infrastructure devices such as firewalls.
- Eliminate local administrative rights for all users.
- Have both online and offline backups. Offline backups are disconnected from your network so that if an attacker gets into your network, they cannot alter your backups.
- Even though it can be a monumental task, practice a complete system restore into a test environment so you can rest more confidently that you can get your data back in the event it is encrypted during a ransomware attack.
- Use a two-step login feature for online programs, VPNs, and remote desktop connections.
If you still have a local Exchange server, migrate it to Office 365 ASAP. Exchange mail servers are the target of successful attacks.
Please communicate with your IT professionals and support them by providing time to focus on implementing security controls. Help them with automation and delegation of daily tasks.
Please forward this to your friends, so they see this example and appreciate the level of sophistication of ransomware tools.
Here’s a full list of text the ransomware program will look for automatically in your folder names:
Source of the list of filenames, used with permission: https://www.bleepingcomputer.com/news/security/ransomware-gangs-script-shows-exactly-the-files-theyre-after from https://twitter.com/malwrhunterteam