According to the security team, the criminals are attacking with a new version of the Mespinoza ransomware, known as Pysa ransomware.
A new version of Mespinoza was detected two months later, in December 2019. This time, the ransomware was appending the .pysa extension to the encrypted files. For this reason, it is also known as Pysa.
In these attacks, most of the victims were companies. This suggests that the team behind this new ransomware aimed mainly at the networks of large corporations, obviously to be able to demand larger ransoms.
We do not know how the ransomware gang infects its victims.
For example, CERT-FR stated that there is evidence to suggest that the Pysa gang begins with brute-force attacks on management consoles and Active Directory accounts.
The victims also reported seeing unauthorized RDP connections to domain controllers.
CERT-FR said it also found a new file extension. Instead of .pysa, the ransomware was appending the extension .newversion.
Researchers said they analyzed the ransomware and its encryption algorithms, but failed to find any errors that would allow victims to bypass payment of the ransom and decrypt their files for free.
According to CERT-FR, the Pysa ransomware code is "specific and very short" and "based on public Python libraries".
However, the attacks are not limited to France alone. Security researchers revealed that the ransomware gang targets both business and government networks around the world.
Mespinoza / Pysa is the latest ransomware gang to engage in "big game hunting" or "human-operated ransomware". This means that the gangs target high-profile companies, breach their networks and then install ransomware on those networks.