PYSA ransomware gang is the most active group in November

December 22, 2021  By Pierluigi Paganini


PYSA and Lockbit were the most active ransomware gangs in the threat landscape in November 2021, researchers from NCC Group report.

Security researchers from NCC Group reported an increase in ransomware attacks in November 2021 over the past month, and PYSA (aka Mespinoza) and Lockbit were the most active ransomware gangs.

Experts observed a 400% increase in the number of attacks, compared with October, that hit government organizations.

The PYSA ransomware group (aka Mespinoza) recorded an increase of 50% in November. PYSA ransomware operators focus on large or high-value finance, government and healthcare organisations.

In March, the FBI issued an alert to warn about an increase in PYSA ransomware attacks against education institutions in the United States and the United Kingdom.

In March 2020, CERT France cyber-security agency warned about a new wave of ransomware attack that was targeting the networks of local government authorities. Operators behind the attacks were spreading a new version of the Mespinoza ransomware (aka Pysa ransomware).

According to the experts, the first infections were observed in late 2019, victims reported their files were encrypted by a strain of malware. The malicious code appended the extension .locked to the filename of the encrypted files.

The Mespinoza ransomware evolved over time, and in December a new version appeared in the threat landscape. This new version used the .pysa file extension that gives the name to this piece ransomware.

The variant was initially used to target big enterprises in the attempt of maximizing the operators’ efforts, but the alert issued by the French CERT warns that the Pysa ransomware is targeting French organizations, especially local government agencies.

CERT-FR’s alert states that the Pysa ransomware code is based on public Python libraries.

According to the report issued by the CERT-FR, operators behind the Pysa ransomware launched brute-force attacks against management consoles and Active Directory accounts.

Once compromised the target network, attackers attempt to exfiltrate the company’s accounts and passwords database. Operators behind the Pysa malware, also employed a version of the PowerShell Empire penetration-testing tool, they were able to stop antivirus products.

One of the incidents handled by CERT-FR sees the involvement of a new version of the Pysa ransomware, which used the .newversion file extension instead of .pysa.

Starting from September, PYSA ransomware operators started targeting also Linux systems.

“NCC Group’s Strategic Threat Intelligence team has identified PYSA and Lockbit as the threat actors dominating the ransomware landscape in November. Since August this year, Conti and Lockbit have been the top threat groups, but in November, PYSA, also known as Mespinoza, overtook Conti with an increase of 50%. Meanwhile, the prevalence of Conti decreased by 9.1%.” reads the report published by NCC Group. “PYSA is a malware capable of exfiltrating data and encrypting users’ critical files and data, which typically targets large or high-value finance, government and healthcare organisations.

According to NCC Group, North America and Europe continued to be the most targeted regions in November, with 154 and 96 victims respectively, while in Europe, most of the ransomware infections were observed in the UK and France, with Italy and Germany 

The overall number of ransomware attacks increased by 1.9% in November compared to October.

“The industrials sector continued to be the most targeted sector in November. Meanwhile,automotive, housing, entertainment, and retail businesses overtook technology this month, with attacks targeting the sector decreasing by 38.1%.” continues the report.

The experts also analyzed the activity of the Russian-speaking Everest ransomware group that was spotted offering paid access to their victims’ infrastructure.

NCC Group’s Strategic Threat Intelligence team also states that is closely monitoring exploitation of the Log4Shell vulnerability, disclosed in December. 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, PYSA)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.





You might also like





  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

A new version of the Abcbot bot targets Chinese cloud providers

 Researchers spotted a new botnet named Abcbot hat that mainly targeted Chinese cloud hosting providers over the past months. Security...