Pysa Operators Join ‘Big-Game Hunting’ by Releasing New Version of Ransomware

  • CERT France has issued an alert about a new version of the Pysa ransomware that has targeted several local governments.
  • The Pysa ransomware gang is believed to launch brute-force attacks against management consoles and Active Directory accounts.

Pysa (also known as Mespinoza) has become the latest ransomware to join ‘big-game hunting’ - where ransomware gangs target high-profile businesses and manually install ransomware on their networks.

Recently, CERT France has issued an alert about a new version of the Pysa ransomware that has targeted several local governments.

What does the alert say?
The alert, issued by France’s CERT team, points to a rising number of attacks carried out with a new version of the Mespinoza ransomware. This ransomware was first spotted in October 2019. At that time, it appended the .locked extension to each encrypted file.

Later, in December 2019, a new version of Mespinoza was spotted that used the .pysa file extension.

In the recent attacks detected by CERT-FR, the operators were found to be using a newer version of the ransomware, which uses the .newversion file extension.

It is unclear how the gang is gaining access to victims’ networks. However, forensic clues suggest that the gang launches brute-force attacks against management consoles and Active Directory accounts.

Some victim organizations reported unauthorized RDP connections to their domain controllers, followed by the deployment of Batch and PowerShell scripts.
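The two forensic clues above (a burst of failed logons against an Active Directory account, then an unexpected RDP session to a domain controller) can be turned into a simple correlation rule. The script below is an added example, not part of the CERT-FR alert or this article; it runs over constructed Windows Security events and assumes a hostname inventory of domain controllers (here `DC01`) and thresholds (5 failures in 5 minutes, RDP success within 30 minutes) that a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real telemetry), one per line:
# <ISO timestamp> <EventID> <account> <logon type> <host>; 4625 = failed logon,
# 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2020-03-20T02:10:01 4625 svc-backup 3 DC01
2020-03-20T02:10:03 4625 svc-backup 3 DC01
2020-03-20T02:10:04 4625 svc-backup 3 DC01
2020-03-20T02:10:06 4625 svc-backup 3 DC01
2020-03-20T02:10:08 4625 svc-backup 3 DC01
2020-03-20T02:14:30 4624 svc-backup 10 DC01
2020-03-20T08:00:00 4624 alice 10 WS07
2020-03-20T08:05:00 4625 bob 2 WS11
"""
DOMAIN_CONTROLLERS = {"DC01"}                     # assumed DC hostname inventory
FAIL_THRESHOLD, WINDOW = 5, timedelta(minutes=5)  # failures per account within window
FOLLOW_UP = timedelta(minutes=30)                 # RDP success this soon after a burst is suspect

def parse(log):
    """Split each line into (timestamp, event_id, account, logon_type, host)."""
    rows = [line.split() for line in log.splitlines()]
    return [(datetime.fromisoformat(t), int(e), a, int(l), h) for t, e, a, l, h in rows]

def find_bruteforce_bursts(events):
    """Map account -> end time of the first run of FAIL_THRESHOLD 4625s inside WINDOW."""
    fails = defaultdict(list)
    for ts, eid, acct, _, _ in events:
        if eid == 4625:
            fails[acct].append(ts)
    bursts = {}
    for acct, times in fails.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= WINDOW:
                bursts[acct] = times[i + FAIL_THRESHOLD - 1]
                break
    return bursts

def detect_rdp_to_dc_after_bruteforce(log):
    """Flag RDP (type 10) logons to a DC by an account that was just brute-forced."""
    events = parse(log)
    bursts = find_bruteforce_bursts(events)
    return [(acct, host, ts.isoformat())
            for ts, eid, acct, ltype, host in events
            if eid == 4624 and ltype == 10 and host in DOMAIN_CONTROLLERS
            and acct in bursts and timedelta(0) <= ts - bursts[acct] <= FOLLOW_UP]
```

Calling `detect_rdp_to_dc_after_bruteforce(SAMPLE_LOG)` flags only the `svc-backup` session on `DC01`; the ordinary RDP logon by `alice` to a workstation and the single failure by `bob` are left alone.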

How widespread is the ransomware?
ZDNet reports that the Pysa ransomware gang has also claimed victims outside France, hitting both government and business networks. It is believed that Pysa could become the next significant ransomware, alongside Ryuk, LockerGoga, DoppelPaymer, and Maze, as it expands its reach.