#Privacy: CERT France warns of new ransomware gang targeting local governments

France’s cyber security agency has issued an alert regarding a new ransomware found targeting French local authorities. 

First spotted in October last year, the Mespinoza ransomware, also known as Pysa, encrypts victims data with the .locked extension added to the end of each file. Two months later, a new version of Pysa was detected, but using the .pysa file extension. 

Previously, Pysa targeted larger corporate networks in order to receive larger ransom payments, however CERT-FR has now reported that the threat actors behind Pysa are now targeting French local government authorities. 

The agency is still investigating how Pysa gains access to victims’ networks, however evidence has found that threat actors are launching brute force attacks on management directories and Active Directory accounts. 

These attacks are then followed by the exfiltration of the company’s account and password database. 

Victim organisations have reported observing unauthorised RDP connections to their domain controllers, and the deployments of Batch and PowerShell scripts. 

The Pysa gang has also been observed stopping several antivirus products, uninstalling Windows Defender in some cases, and even rolled out a version of the PowerShell Empire penetration test tool .

Currently, researchers have not found any weaknesses that could help victims to avoid paying ransom and decrypt the files for free. 

In an interview between Emsisoft malware analyst and ID-Ransomware creator Michael Gillespie and ZDNet, Gillespie added that victims are not just limited to France. Pysa has targeted many governments and business-related networks across multiple continents.


Catch the replays and discover the best talks from Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.