The cyber criminal gang behind the Pysa, or Mespinoza, ransomware strain has claimed responsibility for the 2020 cyber attack on Hackney Council in London and has begun to publish the data it stole to its dark web site as part of a so-called double extortion attack.
The data dump, screengrabs of which have been shared with Computer Weekly by threat researchers, appears to contain a significant amount of personally identifiable information including, but not limited to, passport data, scans of tenancy audit documents for public housing tenants, staff data, and information on community safety.
The council said its initial investigations led it to believe that the leaked data set was limited in its scope and that the vast majority of the sensitive or personal data it held was unaffected. It is working closely with the National Cyber Security Centre, the National Crime Agency, the Information Commissioner’s Office, the Metropolitan Police and private sector security experts to establish what has been published.
Hackney mayor Philip Glanville said: “It is utterly deplorable that organised criminals chose last year to deliberately attack Hackney, damaging services and stealing from our borough, our staff and our residents in this way, and all while we were in the middle of responding to a global pandemic.
“Now, four months on, at the start of a new year and as we are all responding to the second wave, they have decided to compound that attack and now release stolen data. Working with our partners, we will do everything we can to help bring them to justice.
“I fully understand and share the concern of residents and staff about any risk to their personal data, and we are working as quickly as possible with our partners to assess the data and take action, including informing people who are affected.”
Glanville added: “While we believe this publication will not directly affect the vast majority of Hackney’s residents and businesses, that can feel like cold comfort, and we are sorry for the worry and upset this will cause them.
“We are already working closely with the police and other partners to assess any immediate actions we need to take, and will share further information about the additional action we will be taking as soon as we can.”
The initial attack unfolded in October 2020 and drew immediate speculation from experts and observers that ransomware was involved. Nearly four months later, a significant number of services remain disrupted – a full list is available from the council. There is, as yet, no apparent timeline for when Hackney Council will be able to restore its services.
Pysa was first noted in late 2019 as a new variant of Mespinoza, and is so called because it appends the extension .pysa to the files it encrypts. The gang is notable for leaving lengthy delays between its initial compromises and its data leaks.
It is not entirely clear how the gang delivers its ransomware payload, although guidance suggests it probably relies on either brute-force attacks against exposed Active Directory services or spam and phishing campaigns. Once delivered, it seeks out sensitive information before encrypting all accessible non-system files using an AES implementation with RSA-encrypted keys.
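As an added example (not from the article, the council or any of the vendors named), the following defender-side check flags a burst of file renames that append the .pysa extension described above. The file-event log format and the sample lines are constructed for illustration and do not reproduce any real product's format.

```python
"""Flag a burst of renames to the .pysa extension in a file-event log.
Added example; log format and sample lines are constructed, not a real
product format or real Hackney data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> RENAME <old> -> <new>"
SAMPLE_LOG = """\
2020-10-11T03:14:01 FS01 RENAME /shares/housing/audit_2019.pdf -> /shares/housing/audit_2019.pdf.pysa
2020-10-11T03:14:02 FS01 RENAME /shares/housing/tenant_list.xlsx -> /shares/housing/tenant_list.xlsx.pysa
2020-10-11T03:14:02 FS01 RENAME /shares/hr/payroll.csv -> /shares/hr/payroll.csv.pysa
2020-10-11T03:14:03 FS01 RENAME /shares/hr/contracts.docx -> /shares/hr/contracts.docx.pysa
2020-10-11T09:00:00 FS02 RENAME /shares/it/draft.txt -> /shares/it/draft_v2.txt
"""

def parse_events(log: str):
    """Parse RENAME lines into (timestamp, host, old_path, new_path) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, op, rest = line.split(" ", 3)
        if op != "RENAME":
            continue
        old, new = rest.split(" -> ", 1)
        events.append((datetime.fromisoformat(ts), host, old, new))
    return events

def detect_pysa_burst(events, threshold=3, window=timedelta(seconds=60)):
    """Return {host: max_renames_in_window} for hosts where at least
    `threshold` renames appended '.pysa' to an existing name within `window`.
    A single rename is noise; a tight burst is the mass-encryption pattern."""
    per_host = defaultdict(list)
    for ts, host, old, new in events:
        if new.endswith(".pysa") and new[:-len(".pysa")] == old:
            per_host[host].append(ts)
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(host, 0):
                flagged[host] = count
    return flagged

if __name__ == "__main__":
    print(detect_pysa_burst(parse_events(SAMPLE_LOG)))
```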
As reported by Computer Weekly’s sister title LeMagIT, Pysa has been used extensively against local authorities in France. Indeed, the data from Hackney appeared alongside the data of about 30 other victims, including digital services business Econocom.