The relatively new Pysa ransomware was the dominant strain behind file-encrypting attacks in November and saw a 400% rise in attacks on government organizations, according to analysis by security company NCC Group.
Pysa is one of the ransomware gangs utilizing double extortion to pressure victims to pay an extortion demand and dumped leaks from 50 previously compromised organizations last month. Overall in November, the number of Pysa attacks increased 50%, which means it overtook Conti to the join Lockbit in the top two most common versions of the malware. Conti and Lockbit have been the dominant strains since August, according to NCC Group.
Inexplicably, Pysa leaks data from targets weeks or months after attempting to extort them. The large-scale data dump follows joint US and EU law enforcement action against some members of the REvil ransomware gang, who were behind the attack on IT vendor Kaseya.
Also known as Mespinoza, the Pysa gang seeks out evidence of crime among targets to use as leverage during typically multi-million dollar extortion negotiations.
The FBI started tracking Pysa activity in March 2020 in ransomware attacks against government, institutions, private, and healthcare sectors. The group often employs phishing techniques for credentials to compromise Remote Desktop Protocol (RDP) connections.
Pysa targets high-value finance, government and healthcare organizations, notes NCC Group.
Across all ransomware gangs, victims from North America reached the total 154 during the month, of which 140 were US organizations, while European victims numbered 96 in November. The industrials sector was the most targeted, while attacks on the technology sector decreased 38%.
NCC Group also spotlights a Russian-speaking ransomware gang called Everest Group that’s pushing new boundaries in double-extortion by not only threatening to leak files but providing their customers with access to victims’ IT infrastructure. Instead of pursuing a ransom, the group sells third-party access to the target’s network, creating a new way to monetize a compromised target. If it proves lucrative, this could become a trend next year, NCC Group warns.
“In November, the group offered paid access to the IT infrastructure of their victims, as well as threatening to release stolen data if the victim refused to pay a ransom,” it notes.
“While selling ransomware-as-a-service has seen a surge in popularity over the last year, this is a rare instance of a group forgoing a request for a ransom and offering access to IT infrastructure – but we may see copycat attacks in 2022 and beyond.”