PYSA Emerges as Top Ransomware Actor in November

PYSA, which is also known by Mespinoza, has overtaken Conti as the top ransomware threat group for the month of November. It joined Lockbit, which has dominated the space since August.

According to NCC Group’s November insights on the ransomware sector, PYSA increased its market share with a 50 percent rise in the number of targeted organizations, which includes a 400 percent spike in attacks against government-sector systems.

Double-Extortion and Beyond

PYSA regularly uses double-extortion against its targets, both exfiltrating and encrypting the data, then threatening to publish the data publicly if the victim doesn’t pay the ransom.

Last March, the FBI sent out a special alert about PYSA’s focus on the education sector, warning schools to be on alert for phishing lures and brute-force Remote Desktop Protocol attacks as initial-access techniques.

“In previous incidents, cyber-actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information and other data that could be used to extort victims to pay a ransom,” the FBI warned.

Everest Switches Up Tactics to Sell Initial Access

Russian-language ransomware group Everest is taking its extortion tactics to another level, threatening to sell off access to targeted systems if their demands aren’t met, NCC Group added.

“In November, the group offered paid access to the IT infrastructure of their victims, as well as threatening to release stolen data if the victim refused to pay a ransom,” NCC Group reported. “This included data related to the Argentine government, Peru’s Ministry of Economy and Finance, and the Brazilian Police.”

In some instances, Everest would skip demanding ransom altogether and go straight to selling access, NCC Group reported. The analysts are watching to see if this sparks a new trend among other groups.

“While selling ransomware-as-a-service has seen a surge in popularity over the last year, this is a rare instance of a group forgoing a request for a ransom and offering access to IT infrastructure – but we may see copycat attacks in 2022 and beyond,” the report said.

North America and Europe are the regions with the most attacks, NCC Group added.

Conti on the Comeback

Meanwhile, the prevalence of Russian-language group Conti decreased by 9.1 percent. But that’s likely to get made up in December with the announcement that the threat group was the first professional ransomware attacker to come up with a full weaponized attack chain against the Log4Shell vulnerability.

Conti’s advantage, according to an AdvIntel report from last week, is its size: The group “plays a special role in today’s threat landscape, primarily due to its scale.”

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.