PYSA ransomware gang is the most active group in November

PYSA and Lockbit were the most active ransomware gangs in the threat landscape in November 2021, researchers from NCC Group report.

Security researchers from NCC Group reported an increase in ransomware attacks in November 2021 over the past month, and PYSA (aka Mespinoza) and Lockbit were the most active ransomware gangs.

Experts observed a 400% increase in the number of attacks, compared with October, that hit government organizations.

The PYSA ransomware group (aka Mespinoza) recorded an increase of 50% in November. PYSA ransomware operators focus on large or high-value finance, government and healthcare organisations.

In March, the FBI issued an alert to warn about an increase in PYSA ransomware attacks against education institutions in the United States and the United Kingdom.

In March 2020, CERT France cyber-security agency warned about a new wave of ransomware attack that was targeting the networks of local government authorities. Operators behind the attacks were spreading a new version of the Mespinoza ransomware (aka Pysa ransomware).

According to the experts, the first infections were observed in late 2019, victims reported their files were encrypted by a strain of malware. The malicious code appended the extension .locked to the filename of the encrypted files.

The Mespinoza ransomware evolved over time, and in December a new version appeared in the threat landscape. This new version used the .pysa file extension that gives the name to this piece ransomware.

The variant was initially used to target big enterprises in the attempt of maximizing the operators’ efforts, but the alert issued by the French CERT warns that the Pysa ransomware is targeting French organizations, especially local government agencies.

CERT-FR’s alert states that the Pysa ransomware code is based on public Python libraries.

According to the report issued by the CERT-FR, operators behind the Pysa ransomware launched brute-force attacks against management consoles and Active Directory accounts.

Once compromised the target network, attackers attempt to exfiltrate the company’s accounts and passwords database. Operators behind the Pysa malware, also employed a version of the PowerShell Empire penetration-testing tool, they were able to stop antivirus products.

One of the incidents handled by CERT-FR sees the involvement of a new version of the Pysa ransomware, which used the .newversion file extension instead of .pysa.

Starting from September, PYSA ransomware operators started targeting also Linux systems.

“NCC Group’s Strategic Threat Intelligence team has identified PYSA and Lockbit as the threat actors dominating the ransomware landscape in November. Since August this year, Conti and Lockbit have been the top threat groups, but in November, PYSA, also known as Mespinoza, overtook Conti with an increase of 50%. Meanwhile, the prevalence of Conti decreased by 9.1%.” reads the report published by NCC Group. “PYSA is a malware capable of exfiltrating data and encrypting users’ critical files and data, which typically targets large or high-value finance, government and healthcare organisations.

According to NCC Group, North America and Europe continued to be the most targeted regions in November, with 154 and 96 victims respectively, while in Europe, most of the ransomware infections were observed in the UK and France, with Italy and Germany 

The overall number of ransomware attacks increased by 1.9% in November compared to October.

“The industrials sector continued to be the most targeted sector in November. Meanwhile,automotive, housing, entertainment, and retail businesses overtook technology this month, with attacks targeting the sector decreasing by 38.1%.” continues the report.

The experts also analyzed the activity of the Russian-speaking Everest ransomware group that was spotted offering paid access to their victims’ infrastructure.

NCC Group’s Strategic Threat Intelligence team also states that is closely monitoring exploitation of the Log4Shell vulnerability, disclosed in December. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PYSA)

[adrotate banner=”5″]

[adrotate banner=”13″]