
PYSA ransomware gang is the most active group in November

Researchers at the NCC Group reported that PYSA and Lockbit were the most active ransomware gangs in the November 2021 threat landscape.

A security researcher at the NCC Group reported an increase in ransomware attacks in November 2021 compared to the previous month; PYSA (aka Mespinoza) and LockBit were the most active ransomware gangs.

Experts observed a 400% increase in the number of attacks against government agencies compared to October.

The PYSA ransomware group (aka Mespinoza) recorded a 50% increase in November. PYSA ransomware operators focus on large-scale or high-value financial, government and healthcare organizations.

Last March, the FBI issued an alert warning of an increase in PYSA ransomware attacks on educational institutions in the US and UK.

In March 2020, the French cybersecurity agency CERT-FR issued a warning describing a new ransomware attack targeting the networks of local government agencies. The operators behind the attack were distributing a new version of the Mespinoza ransomware (also known as Pysa ransomware).

According to experts, the first infections were observed at the end of 2019, when victims reported that their files had been encrypted by the malware. The malware appended the .locked extension to the filenames of the encrypted files.

The Mespinoza ransomware has evolved over time, and a new version appeared in the threat landscape in December. This new version uses the .pysa file extension, which gives this piece of ransomware its name.

Although this variant initially targeted large enterprises to maximize the operators' profits, the alert issued by the French CERT warns that the Pysa ransomware is now targeting French organizations, particularly local government agencies.

According to CERT-FR’s warning, the Pysa ransomware code is based on an open Python library.

According to a report published by CERT-FR, the operators behind the Pysa ransomware launched brute-force attacks against management consoles and Active Directory accounts.

Once the target network is compromised, the attackers attempt to exfiltrate the company's account and password databases. The operators behind the Pysa malware also used a version of the PowerShell Empire penetration-testing tool, and they were able to stop antivirus products.

In one of the cases handled by CERT-FR, a new version of the ransomware appended the .newversion extension to encrypted files instead of .pysa.

Beginning in September, PYSA ransomware operators began targeting Linux systems as well.

“The NCC Group’s Strategic Threat Intelligence team identified PYSA and Lockbit as the dominant threat actors in the ransomware landscape in November. Conti and Lockbit have been the main threat groups since August of this year, but in November PYSA, also known as Mespinoza, increased by 50%, overtaking Conti. Meanwhile, the prevalence of Conti decreased by 9.1%,” reads the report published by NCC Group. “PYSA is malware that can extract data and encrypt users’ sensitive files and data, and is typically targeted at large or high-value financial, government and healthcare organizations.”

According to the NCC Group, North America and Europe were the most targeted regions in November, with 154 and 96 victims respectively; within Europe, the most ransomware infections were observed in the UK, France, Italy and Germany.

The total number of ransomware attacks in November increased by 1.9% compared to October.

“The industrial sector continued to be the most targeted sector in November. Meanwhile, the automotive, housing, entertainment and retail businesses overtook technology this month, with attacks against those sectors down 38.1%,” continues the report.

Experts also analyzed the activity of the Russian-speaking Everest ransomware group, which was observed offering paid access to victims’ infrastructure.

The NCC Group’s Strategic Threat Intelligence team also analyzed the Log4Shell vulnerability disclosed in December.


Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine
