[BreachExchange] Hackney Council data leaked by Pysa ransomware gang

Destry Winant destry at riskbasedsecurity.com
Fri Jan 8 10:46:13 EST 2021


https://www.computerweekly.com/news/252494466/Hackney-Council-data-leaked-by-Pysa-ransomware-gang

The cyber criminal gang behind the Pysa, or Mespinoza, ransomware
strain has claimed responsibility for the 2020 cyber attack on Hackney
Council in London and has begun to publish the data it stole to its
dark web site as part of a so-called double extortion attack.

The data dump, screengrabs of which have been shared with Computer
Weekly by threat researchers, appears to contain a significant amount
of personally identifiable information including, but not limited to,
passport data, scans of tenancy audit documents for public housing
tenants, staff data, and information on community safety.

The council said its initial investigations led it to believe that the
leaked data set was limited in its scope and that the vast majority of
the sensitive or personal data it held was unaffected. It is working
closely with the National Cyber Security Centre, the National Crime
Agency, the Information Commissioner’s Office, the Metropolitan Police
and private sector security experts to establish what has been
published.

Hackney mayor Philip Glanville said: “It is utterly deplorable that
organised criminals chose last year to deliberately attack Hackney,
damaging services and stealing from our borough, our staff and our
residents in this way, and all while we were in the middle of
responding to a global pandemic.

“Now, four months on, at the start of a new year and as we are all
responding to the second wave, they have decided to compound that
attack and now release stolen data. Working with our partners, we will
do everything we can to help bring them to justice.

“I fully understand and share the concern of residents and staff about
any risk to their personal data, and we are working as quickly as
possible with our partners to assess the data and take action,
including informing people who are affected.”

Glanville added: “While we believe this publication will not directly
affect the vast majority of Hackney’s residents and businesses, that
can feel like cold comfort, and we are sorry for the worry and upset
this will cause them.

“We are already working closely with the police and other partners to
assess any immediate actions we need to take, and will share further
information about the additional action we will be taking as soon as
we can.”

The initial attack unfolded in October 2020 and drew immediate
speculation from experts and observers that ransomware was involved.
Nearly four months later, a significant number of services remain
disrupted – a full list is available from the council. There is, as
yet, no apparent timeline for when Hackney Council will be able to
restore its services.

Pysa was first noted in late 2019 as a new variant of Mespinoza, and
is so-called because it appends the extension .pysa to the files it
encrypts. The gang is notable for leaving lengthy delays between its
initial compromises and its data leaks.

It is not entirely clear how the gang delivers its ransomware payload,
although guidance suggests it probably arrives either through brute-force
attacks on exposed Active Directory services or via spam and phishing
campaigns. Once delivered, it seeks out sensitive information before
encrypting all accessible non-system files using an AES implementation
with RSA-encrypted keys.
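The one concrete indicator the article gives is the ".pysa" extension the strain appends to files it encrypts. As an added example (not code from the article, Computer Weekly or Hackney Council), the script below sweeps a file inventory for that marker and counts hits per directory, so a defender watching a file server or reviewing a backup snapshot can spot encryption spreading before the ransom note is found. The threshold, the sample inventory and the helper names are constructed assumptions for illustration.

```python
"""Indicator sweep for the ".pysa" extension marker described in the article.
Constructed example: the inventory, threshold and function names are
assumptions, not Hackney Council or Computer Weekly data."""
import os
from collections import Counter
from pathlib import PurePosixPath

MARKER_EXT = ".pysa"  # extension the article reports the strain appends


def scan_paths(paths, min_hits=5):
    """Count marker-extension files per directory in a list of file paths
    (for example a file-server inventory export or a backup listing).

    Windows and POSIX separators are both accepted. Returns the total number
    of hits, a per-directory breakdown for triage, and an `alert` flag that
    trips once the total reaches `min_hits` (a constructed threshold)."""
    per_dir = Counter()
    for raw in paths:
        path = PurePosixPath(raw.replace("\\", "/"))  # normalise separators
        if path.suffix.lower() == MARKER_EXT:
            per_dir[str(path.parent)] += 1
    total = sum(per_dir.values())
    return {
        "total": total,
        "per_dir": dict(per_dir),
        "alert": total >= min_hits,
    }


def scan_tree(root, min_hits=5):
    """Walk a real directory tree and apply the same check to every file."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return scan_paths(paths, min_hits)


# Constructed inventory (not real data): a handful of encrypted files across
# several shares plus two untouched files.
SAMPLE_INVENTORY = [
    "/srv/housing/tenancy/audit_2019.pdf.pysa",
    "/srv/housing/tenancy/audit_2020.pdf.pysa",
    "/srv/hr/staff/contracts.xlsx.pysa",
    "/srv/hr/staff/payroll.csv.pysa",
    "/srv/community/safety/report.docx.pysa",
    "/srv/it/readme.txt",
    "C:\\Users\\clerk\\Documents\\notes.docx",
]

if __name__ == "__main__":
    result = scan_paths(SAMPLE_INVENTORY)
    print("alert" if result["alert"] else "clear",
          result["total"], "marked files")
    for directory, count in sorted(result["per_dir"].items(),
                                   key=lambda kv: -kv[1]):
        print(f"  {count:4d}  {directory}")
```

The per-directory breakdown matters more than the raw count: a single stray ".pysa" file is noise, while hits spread across housing, HR and community-safety shares within one inventory window is the pattern of bulk encryption and should page someone.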

As reported by Computer Weekly’s sister title LeMagIT, Pysa has been
used particularly heavily against local authorities in France. Indeed,
the data from Hackney appeared alongside the data of about 30 other
victims, including digital services business Econocom.
