Pierluigi Paganini March 19, 2020

CERT France is warning of a new wave of attacks using Pysa ransomware (Mespinoza) that is targeting local governments.

CERT France cyber-security agency is warning about a new wave of ransomware attack that is targeting the networks of local government authorities. Operators behind this campaign are spreading a new version of the Mespinoza ransomware (aka Pysa ransomware).

“The ANSSI was recently informed of computer attacks targeting in particular French local authorities. During these attacks, ransomware-type malicious codes were used, rendering certain files unusable. The origin of these attacks is unknown to date and analyzes are currently underway. However, ransomware attacks are generally carried out opportunistically by actors motivated by lucrative goals.” reads the issued by French CERT.

“The purpose of this document is to describe the operating mode used during these attacks and the associated compromise indicators, then to provide recommendations to limit the impact of this type of incident.”

According to the experts, the first infections were observed in late 2019, victims reported their files were encrypted by a strain of malware. The malicious code appended the extension .locked to the filename of the encrypted files.

The Mespinoza ransomware evolved over time, and in December a new version appeared in the threat landscape. This new version used the .pysa file extension that gives the name to this piece ransomware.

The variant was initially used to target big enterprises in the attempt of maximizing the operators’ efforts, but the alert issued by the French CERT warns that the Pysa ransomware is targeting French organizations, especially local government agencies.

CERT-FR’s alert states that the Pysa ransomware code based on public Python libraries.

According to the report issued by the CERT-FR, operators behind the Pysa ransomware launched brute-force attacks against management consoles and Active Directory accounts. Attackers were observed using batch and PowerShell scripts.

“Brute force connection attempts on a supervisory console have been observed, as well as on several ACTIVE DIRECTORY accounts. In addition, some domain administrator accounts have actually been compromised.” continues the alert. “

“The password database was leaked shortly before the attack. Illegitimate RDP connections have occurred between domain controllers using an unknown hostname potentially linked to the operating mode.” The “.bat” scripts used by the operating mode reveal an important use of the administration tool at distance PsExec, as well as the POWERSHELL scripting language.”

Once compromised the target network, attackers attempt to exfiltrate the company’s accounts and passwords database.

Operators behind the Pysa ransomware, also employed a version of the PowerShell Empire penetration-testing tool, they were able to stop antivirus products.

One of the incidents handled by CERT-FR sees the involvement of a new version of the Pysa ransomware, which used the .newversion file extension instead of .pysa.

“On one of the compromised information systems, experts found encrypted files with the extension “.newversion.” The code responsible for creating these files has not yet been identified. However, a ransom note named “ReadmeREAD” is present and contains the same PROTONMAIL
email addresses used in the previous attack. It is therefore likely that all these attacks were the work of the same mode.” continues the alert.
“Since Pysa Python source code contains a variable allowing to choose the extension of encrypted files, is also possible that the “.newversion” files were generated by another instance of Pysa.”

The bad news is that the Pysa ransomware currently hasn’t security flaws in the implementation of the encryption algorithms.

Pierluigi Paganini

(SecurityAffairs – Pysa ransomware, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]