France Warns Of New Ransomware Gang Targeting Local Governments


France's cyber-security agency issued an alert this week warning about a new ransomware gang that's been recently seen targeting the networks of local government authorities.

The alert, issued by France's CERT team, points to a rising number of attacks carried out with a new version of the Mespinoza ransomware strain, also known as the Pysa ransomware.

This ransomware strain was first spotted making victims last year, in October 2019. According to reports at the time, victims reported having data encrypted with the .locked extension added at the end of each ransomed file.

A new Mespinoza version was spotted two months later, in December 2019. This one used the .pysa file extension, which explains the second Pysa name under which this ransomware is sometimes referred to.

In previous cases of Mespinoza/Pysa infections, most of the victims were companies, suggesting that the group behind this new ransomware was specifically targeting large corporate networks in an attempt to maximize ransom demands and, by extension, its profits.

Now, CERT-FR says the Pysa gang has moved to target French organizations, with the agency receiving reports of multiple infections.

Unclear how the Pysa gang is infecting victims

CERT-FR said it is still investigating how the Pysa gang is gaining access to victims' networks. However, forensic clues left behind paint a picture of what could have happened on some of the infected and ransomed networks.

For example, CERT-FR said there was evidence suggesting that the Pysa gang launched brute-force attacks against management consoles and Active Directory accounts.

These brute-force attacks were followed by the exfiltration of a company's accounts & passwords database.

Victim organizations also reported seeing unauthorized RDP connections to their domain controllers, and the deployment of Batch and PowerShell scripts.

Furthermore, the Pysa gang also deployed a version of the PowerShell Empire penetration-testing tool, stopped various antivirus products, and even uninstalled Windows Defender in some instances.

CERT-FR says that in at least one case they analyzed, they also found a new version of the Pysa ransomware, which used the .newversion file extension instead of the older .pysa.
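As an added illustration of how a defender could hunt for the intrusion pattern CERT-FR describes (a burst of failed logons followed by an RDP logon to a domain controller, and files carrying the reported extensions), here is an example script; it is not from the article or from CERT-FR, and the simplified log format, host names, IP addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of simplified Windows Security log lines (not real data).
# Format assumed here: "<time> <event_id> host=<host> user=<user> src=<ip> type=<logon_type>"
# Event 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
10:00:01 4625 host=DC01 user=admin src=10.0.0.9 type=3
10:00:02 4625 host=DC01 user=admin src=10.0.0.9 type=3
10:00:02 4625 host=DC01 user=backup src=10.0.0.9 type=3
10:00:03 4625 host=DC01 user=svc_sql src=10.0.0.9 type=3
10:00:03 4625 host=DC01 user=admin src=10.0.0.9 type=3
10:00:04 4625 host=DC01 user=admin src=10.0.0.9 type=3
10:00:30 4624 host=DC01 user=admin src=10.0.0.9 type=10
10:05:00 4624 host=WS07 user=alice src=10.0.0.50 type=2
"""

LINE_RE = re.compile(r"^(\S+) (\d+) host=(\S+) user=(\S+) src=(\S+) type=(\d+)$")
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = "4625", "4624", "10"
BRUTE_FORCE_THRESHOLD = 5  # assumed: failed logons from one source before it counts as brute force

# Extensions reported for Mespinoza/Pysa in the article: .locked, .pysa, .newversion
RANSOM_EXTENSIONS = (".locked", ".pysa", ".newversion")


def find_bruteforce_then_rdp(log_text, domain_controllers):
    """Return (time, src_ip, user, host) for each RDP logon to a domain controller
    that came from a source address already seen brute-forcing accounts."""
    failures = defaultdict(int)  # source ip -> number of 4625 events seen so far
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, event_id, host, user, src, logon_type = m.groups()
        if event_id == FAILED_LOGON:
            failures[src] += 1
        elif (event_id == SUCCESS_LOGON and logon_type == RDP_LOGON_TYPE
              and host in domain_controllers and failures[src] >= BRUTE_FORCE_THRESHOLD):
            alerts.append((ts, src, user, host))
    return alerts


def ransomed_files(paths):
    """Return the paths whose extension matches one reported for this ransomware."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXTENSIONS)]
```

The script only flags an RDP logon when the same source address has already exceeded the failed-logon threshold, so an isolated RDP session to a domain controller is not reported by itself.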

No encryption weaknesses

Investigators said they also analyzed the ransomware and its encryption algorithms, and they weren't able to find any implementation flaws that could permit victims to bypass the ransom payment and decrypt files for free.

According to CERT-FR, the Pysa ransomware code is "specific and very short" and "based on public Python libraries."

But attacks with Pysa aren't only limited to France. In an interview with ZDNet about this new ransomware gang, Emsisoft malware analyst and ID-Ransomware creator Michael Gillespie said the Pysa ransomware gang has also made victims outside France, across multiple continents, hitting both government and business-related networks.

The CERT-FR Mespinoza/Pysa alert is available here [in French only]. CERT-FR often translates its alerts into English after a few days. We'll update this article with a link to the English alert when available.

Latest big-game hunter

Mespinoza/Pysa is the latest ransomware gang to engage in a tactic called "big game hunting" or "human-operated ransomware," in which the gang picks high-profile targets, breaches their networks, and then manually deploys the ransomware inside them.

This very focused targeting tactic is in stark contrast with the shotgun approach that has been used by ransomware gangs in the past, in the 2015 - early 2019 period, when they heavily relied on exploit kits and email spam to infect random victims.

Other ransomware gangs that engage in targeted "big-game hunting" include Ryuk, REvil (Sodinokibi), LockerGoga, RobbinHood, DoppelPaymer, Maze, and many others.
