Pysa ransomware actors publish stolen Hackney Council data

Operators of the Pysa (or Mespinoza) ransomware have published data stolen from Hackney Council on a dark web forum, months after targeting the council with a cyber attack that disrupted online services and rendered IT systems inoperable.

In October, Philip Glanville, the Mayor of Hackney, said in a statement that Hackney Council suffered a cyber attack and that the authority was trying to restore affected services as soon as possible while also delivering essential frontline services, especially to the most vulnerable citizens.

"Council officers have been working closely with the National Cyber Security Centre, external experts, and the Ministry of Housing, Communities and Local Government to investigate and understand the impact of the incident. This investigation is at an early stage, and limited information is currently available. We will continue to provide updates as our investigation progresses.

"In the meantime, some Council services may be unavailable or slower than normal, and our call centre is extremely busy. We ask that residents and businesses only contact us if absolutely necessary, and to bear with us while we seek to resolve these issues," he said.

According to Sky News, operators of the Pysa ransomware, also known as Mespinoza, have published a large trove of data on a dark web forum that they claim to have stolen from Hackney Council. The stolen data includes "very sensitive information" such as passport details, staff data, and photo IDs.

While not much is known about the Pysa ransomware, CERT-France said in an alert last year that the ransomware was used in several cyber attacks on French local authorities and targeted interconnected information systems. Operators of the ransomware are also known to have conducted brute-force attacks against management consoles and Active Directory accounts.

CERT-FR said that prior to deploying the Pysa ransomware, cyber criminals compromised domain administrator accounts via brute-force attacks, established illegitimate RDP connections between domain controllers, used Mimikatz samples to gain access to credentials, and used network reconnaissance tools Advanced Port Scanner and Advanced IP Scanner to surveil targeted networks.
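The pre-encryption activity CERT-FR describes leaves traces in logon telemetry. The following is an added detection sketch, not code from CERT-FR or the article: it flags a domain administrator logon that follows a burst of failures from the same source, and RDP sessions between domain controllers. The event field names, IP addresses, account name and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the incident). Field names are assumptions
# modelled on Windows Security log events 4625 (failed logon) and 4624 (logon).
DCS = {"10.0.0.10", "10.0.0.11"}          # hypothetical domain controller IPs
ADMINS = {"da-admin"}                     # hypothetical domain admin accounts
EVENTS = (
    [{"ts": f"2000-01-01T02:00:{s:02d}", "id": 4625, "user": "da-admin",
      "src": "10.0.5.77", "dst": "10.0.0.10", "type": 3} for s in range(12)]
    + [{"ts": "2000-01-01T02:00:30", "id": 4624, "user": "da-admin",
        "src": "10.0.5.77", "dst": "10.0.0.10", "type": 3},
       {"ts": "2000-01-01T02:05:00", "id": 4624, "user": "da-admin",
        "src": "10.0.0.10", "dst": "10.0.0.11", "type": 10},
       {"ts": "2000-01-01T09:00:00", "id": 4625, "user": "jsmith",
        "src": "10.0.5.20", "dst": "10.0.0.10", "type": 2}]
)

def detect(events, threshold=10, window=timedelta(minutes=5)):
    """Return alerts for (1) a privileged logon that follows a burst of
    failures from the same source and (2) RDP between domain controllers."""
    alerts, failures = [], defaultdict(deque)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, key = datetime.fromisoformat(e["ts"]), (e["user"], e["src"])
        if e["id"] == 4625:
            failures[key].append(ts)
        elif e["id"] == 4624:
            recent = failures[key]
            while recent and ts - recent[0] > window:
                recent.popleft()          # drop failures outside the window
            if e["user"] in ADMINS and len(recent) >= threshold:
                alerts.append(("bruteforce_then_success", e["user"], e["src"]))
            recent.clear()                # a success resets the failure count
            # LogonType 10 = RemoteInteractive (RDP / Terminal Services)
            if e["type"] == 10 and e["src"] in DCS and e["dst"] in DCS:
                alerts.append(("dc_to_dc_rdp", e["user"], e["src"], e["dst"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```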

"The Mespinoza ransomware was first used in October 2018 at least. The first versions produced encrypted files carrying the « .locked » extension, common to many ransomwares. Since December 2019, a new version of Mespinoza is documented in open sources. This version is often called Pysa because it produces encrypted files with the « .pysa » extension," CERT-FR added.

Following the publication of stolen data by Pysa ransomware operators, a spokesperson for Hackney Council told Sky News that "[the council] are angry and disappointed that the organised criminals responsible for October's cyberattack have chosen to publish data stolen in October.

"We are working with the NCSC, National Crime Agency, Information Commissioner's Office, the Metropolitan Police and other experts to investigate what has been published and take immediate action where necessary. We understand and share the concern of residents about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.

"It is utterly deplorable that criminals first chose to attack and steal from a local authority and its residents in this way in the middle of responding to a global pandemic, and we will do everything we can to help bring them to justice.

"Our initial analysis suggests that the vast majority of sensitive or personal information we hold has not been published or affected, and this limited set of data has not been published on a widely available public forum, and is not visible through search engines on the Internet.

"While we believe this publication will not directly affect the vast majority of Hackney's residents and businesses, we are sorry for the worry and upset this will cause them. We will share more information as soon as we can," the spokesperson added.

Copyright Lyonsdown Limited 2020