A rise in ransomware attacks in France has drawn serious government attention. With Europe gripped by fear of the coronavirus, countries across the continent are reported to be suffering a sharp increase in ransomware attacks at the same time. France's national cybersecurity team, CERT-FR, raised the alert first, finding that ransomware operators are targeting many local government networks. According to CERT-FR, the attacks are now widespread and are carried out with the Mespinoza ransomware strain.
The ransomware was first documented in October 2019, when victims reported that the attackers not only encrypted their data but also appended a .locked extension to every encrypted file. Two months later, researchers found a new Mespinoza variant that uses .pysa as the file extension, which is why the ransomware is also called Pysa. In earlier Mespinoza/Pysa cases, most victims were large corporate networks, which suggests that the group behind this strain deliberately goes after large organizations to maximize the ransom it can demand.
CERT-FR says it is still unclear how the Pysa gang gains initial access to victim networks. The traces left behind, however, show what happened on some of the infected networks: evidence of brute-force attacks against a management console and against Active Directory accounts, after which the organization's account and password database was exfiltrated. Investigators also found unauthorized RDP connections to a domain controller in the company's domain, and Batch and PowerShell scripts deployed across systems. The group further used the PowerShell Empire post-exploitation framework to stop various antivirus products and, in some cases, forcibly uninstalled Windows Defender.
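The chain above (password brute force, RDP to a domain controller, PowerShell used to disable or remove Windows Defender) is visible in ordinary Windows Security and PowerShell logs. The following is an added example of simple detection logic run over a constructed event set; it is not CERT-FR's or LIFARS' tooling, and the event layout, hostnames, IP addresses, thresholds and the DC inventory are all assumptions made for illustration.

```python
"""Toy detections for the Pysa/Mespinoza tradecraft described above, run over
constructed Windows events. Event IDs follow Windows conventions:
4625 = failed logon, 4624 = successful logon (LogonType 10 = RDP),
4104 = PowerShell script block logging. Everything else is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

DOMAIN_CONTROLLERS = {"DC01"}   # assumption: inventory of DC hostnames
BRUTE_FORCE_THRESHOLD = 20      # assumption: 4625s per source IP per window
WINDOW = timedelta(minutes=5)   # assumption: sliding window size


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample: 30 failed logons from one IP in 30 seconds, then an RDP
# logon to the DC from that IP, then Defender tampering under the same account.
SAMPLE_EVENTS = [
    *[{"time": f"2020-03-18T02:{i // 60:02d}:{i % 60:02d}", "id": 4625, "host": "DC01",
       "user": f"user{i % 7}", "src_ip": "10.0.5.23"} for i in range(30)],
    {"time": "2020-03-18T02:06:10", "id": 4624, "host": "DC01", "user": "svc_backup",
     "src_ip": "10.0.5.23", "logon_type": 10},
    {"time": "2020-03-18T02:08:00", "id": 4624, "host": "FILESRV", "user": "jdoe",
     "src_ip": "10.0.9.4", "logon_type": 10},  # benign RDP to a non-DC host
    {"time": "2020-03-18T02:09:30", "id": 4104, "host": "DC01", "user": "svc_backup",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true; "
               "Uninstall-WindowsFeature -Name Windows-Defender"},
    {"time": "2020-03-18T02:10:00", "id": 4104, "host": "WS22", "user": "jdoe",
     "script": "Get-ChildItem C:\\Users"},  # benign script block
]

# Common ways of switching Defender off or removing it from PowerShell.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s+-Disable\w+"
    r"|Uninstall-WindowsFeature\s+(-Name\s+)?Windows-Defender"
    r"|Stop-Service\s+(-Name\s+)?WinDefend",
    re.IGNORECASE,
)


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_count} for sources with >= threshold failed logons
    inside any sliding window of the given length."""
    per_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            per_src[e["src_ip"]].append(_ts(e["time"]))
    hits = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def detect_rdp_to_dc(events, dcs=DOMAIN_CONTROLLERS):
    """RDP (LogonType 10) straight onto a domain controller is rare enough in
    most environments to alert on by itself."""
    return [(e["src_ip"], e["user"], e["host"]) for e in events
            if e["id"] == 4624 and e.get("logon_type") == 10 and e["host"] in dcs]


def detect_defender_tamper(events):
    """Script blocks that disable or uninstall Windows Defender."""
    return [(e["host"], e["user"]) for e in events
            if e["id"] == 4104 and DEFENDER_TAMPER.search(e["script"])]


def correlate(events):
    """Chain the three findings: a brute-forcing source that then RDPs to a DC,
    where the same account goes on to tamper with Defender."""
    bf = detect_brute_force(events)
    tamper = set(detect_defender_tamper(events))
    return [{"src_ip": src, "user": user, "dc": host, "failed_logons": bf[src]}
            for src, user, host in detect_rdp_to_dc(events)
            if src in bf and (host, user) in tamper]


if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print("Pysa-style intrusion chain:", chain)
```

Each detector is useful on its own, but the correlation is what turns three noisy signals into one high-confidence alert: brute force alone is background noise on an exposed console, and a single RDP logon to a DC by an administrator is not necessarily hostile, whereas the sequence ending in Defender removal on the DC matches the tradecraft CERT-FR describes.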
Canada has seen a similar rise in ransomware attacks, largely because governments are preoccupied with fighting and containing the coronavirus pandemic; that focus on the virus has coincided with the spike in ransomware. Attackers have been confirmed to exploit coronavirus fears by sending victims emails promising cures and vaccines; once the victims opened the messages, the data on their devices was encrypted. Pysa attacks are not limited to France: the gang has struck on several continents, hitting government as well as business networks. Security staff in organizations should therefore be especially vigilant.
LIFARS’ Ransomware Response and Threat Intelligence Solution can help mitigate the risks of ransomware and refine the security posture of your organization in a swift manner during the time of an incident. We will provide a fast and effective response that can help minimize the damage and cost associated with ransomware and cyber extortion attacks:
- Assess recovery options/recommendations based on the sensitivity/importance of data that is locked and the identification of specific ransomware.
- Recover private keys from recorded network traffic (provided the client has a network recorder) and decrypt files without paying the ransom.
- Determine whether to kill the process on all systems if it is still running or let encryption finish if paying the ransom is the only remaining option.