A new variant of Pysa ransomware is infecting French governments

France claims that Pysa (Mespinoza) malware has already hit some local networks

A new variant of Pysa ransomware is infecting French governmentsPysa ransomware is the new version of Mespinoza ransomware that locks files with the .pysa extension

Mespinoza ransomware was first spotted by a cybersecurity researcher named Amigo-A who announced his findings on Twitter on October 25th, 2019.[1] When this malicious piece of software first showed up, it locked files by using a unique cipher, adding the .locked appendix to each filename, and displaying the Readme.README ransom note which included the crooks' email address – mespinoza980@protonmail.com where victims were supposed to write if they wanted to get their data back.

About two months later, the second version of Mespinoza ransomware was detected encrypting files with the .pysa extension and this is how the malware earned another name – Pysa. In the past, Pysa (Mespinoza) ransomware was targeting worldwide companies to provide huge ransom demands and receive illegal monetary income. Since then, some things have changed and the main victims of the new Pysa ransomware version are French local government authorities.

The encryption process of Mespinoza ransomware has been listed as “specific and very short”

Investigators from the CERT-FR team[2] in France were the ones to analyze this malware strain. The researchers took a deep look into the encryption algorithm that was employed by Mespinoza and found no vulnerabilities or bugs that could help the victim to avoid ransom payments and still recover their files. It appears that the encryption cipher used is a solid and organized one that can allow criminals to benefit from their victims.

Furthermore, the CERT-FR team discovered that the malicious code was created by Python programming language[3] and also is “specific and very short”. What is more, the creators of Pysa ransomware creators were found deploying a variant of the PowerShell Empire penetration-testing tool. The malware itself was also discovered capable of disabling antimalware products and deleting Windows Defender in some particular cases.

Nevertheless, cybersecurity researchers have detected even a newer variant of Pysa ransomware that adds the .newversion appendix to each encrypted component. Even though this version is not the one responsible for attacking the French government, it still can be dangerous for other organizations and firms.

However, it remains unclear how Pysa ransomware reaches its targeted victims. Still, some speculations say that the malware uses a brute-force technique via Active Directory accounts and management consoles to enter the systems. Some victimized companies claimed that they have experienced an unknown connection to their RDPs and saw that PowerShell scripts and Batch were employed for the process.

Regular users should be aware of ransomware infections too

Even if you do not run a big company or belong to your local government, you are still likely to become a victim of cybercriminals who employ ransomware viruses for their own illegitimate goals. We strongly recommend installing a trustworthy antivirus product[4] that will provide you with alerts when something sneaky is going one. Furthermore, do not download software cracks from pirating networks as they can often come filled with malware. Additionally, if you receive any spam email and bogus attachments, do not open the clipped file without performing an antimalware scan on it.

However, if you are truly running a big organization, you should make sure that all of your systems are properly secured and all of your employees are aware of the possible malware attacks that can approach if they do not take safety measures seriously. Note that Pysa ransomware is definitely not the only wide-spread malware and you have chances of getting attacked by other well-known parasites such as Sodinokibi, Ryuk,[5] Maze, DoppelPaymer, etc.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References
Files
Software
Compare