“The ANSSI was recently informed of computer attacks targeting in particular French local authorities. During these attacks, ransomware-type malicious codes were used, rendering certain files unusable. The origin of these attacks is unknown to date and analyzes are currently underway. However, ransomware attacks are generally carried out
“The purpose of this document is to describe the operating mode used during these attacks and the associated compromise indicators, then to provide recommendations to limit the impact of this type of incident.”
According to the experts, the first infections were observed in late 2019, victims reported their files were encrypted by a strain of malware. The malicious code appended the extension
The Mespinoza ransomware evolved over time, and in December a new version appeared in the threat landscape. This new version used the
The variant was initially used to target big enterprises in the attempt of maximizing the operators’ efforts, but the alert issued by the French CERT warns that the Pysa ransomware is targeting French organizations, especially local government agencies.
CERT-FR’s alert states that the Pysa ransomware code based on public Python libraries.
According to the report issued by the CERT-FR, operators behind the
“Brute force connection attempts on a supervisory console have been observed, as well as on several ACTIVE DIRECTORY accounts. In addition, some domain administrator accounts have actually been compromised.” continues the alert. “
“The password database was leaked shortly before the attack. Illegitimate RDP connections have occurred between domain controllers using an unknown hostname potentially linked to the operating mode.” The “.bat” scripts used by the operating mode
Once compromised the target network, attackers attempt to
Operators behind the
One of the incidents handled by CERT-FR sees the involvement of a new version of the Pysa ransomware, which used the
“On one of the compromised information systems, experts found encrypted files with the extension “
“Since Pysa Python source code contains a variable allowing to choose the extension of encrypted files, is also possible that the “
The bad news is that the Pysa ransomware currently hasn’t security flaws in the implementation of the encryption algorithms.
(SecurityAffairs – Pysa ransomware, cybercrime)