Ransomware soars 2% in November, Mespinoza’s government grows 400%

by D. Howard Kass • 23 dec. 2021

Ransomware attacks worldwide increased sequentially by nearly 2% in November 2021, as organizations in North America and Europe remained hot spots for hackers, according to a new report.

In the NCC Group monthly Threat Pulse Report, its threat intelligence unit identified PYSA and Lockbit as the threat actors dominating the ransomware landscape in November, succeeding Conti and Lockbit, which had been the top teams since August 2021. PYSA, also known as Mespinoza, overtook Conti with a 50 percent increase, as the latter’s prevalence fell to just over nine percent.

What is PYSA Ransomware?

The PYSA malware, which was first spotted in the wild at the end of 2019, most often targets big fish, including financial institutions, governments, and healthcare organizations, not only by encrypting files and data, but also exfiltrate sensitive information. As a result, NCC identified 314 victims of double-extortion ransomware globally in November, an increase of 65% from the previous two months. Here are some other highlights of CNC research:

• 50% increase in the number of organizations targeted by the PYSA ransomware with a 400% increase in the number of victims in the public sector.
• North America and Europe remained the most targeted regions in November, with 154 and 96 victims respectively. In North America, organizations based in the United States were affected by 140 of the attacks, with the remainder taking place in Canada.
• In Europe, the most targeted countries were the United Kingdom and France, with Italy and Germany sharing third place. Each of these countries experienced 32, 14 and 11 attacks respectively in November.
• Industrial products continued to be the most targeted sector. Auto, housing, entertainment and retail companies have outgrown technology, with attacks on this sector declining by about 38%.
• After a 10-month hiatus following a law enforcement withdrawal, the notorious Emotet malware returned. TrickBot is used as an entry point to deploy a new version to previously infected systems.

Groupe Everest: a growing threat?

It should be noted that a new Russian-speaking cyber union, the Everest Group, offers paid access to the IT infrastructure of its victims and also threatens to disclose the stolen data if the ransom payment is refused. Targets include the Argentine government, Peru’s Ministry of Economy and Finance, and Brazilian police.

“Although the sale of ransomware as a service has seen an increase in popularity over the past year, this is a rare case where a group has waived a ransom note and offered access to IT infrastructure, ”NCC said of Everest. There could be more crews like this in 2022, the security unit said.

NCC also said it is monitoring the exploitation of the Log4Shell vulnerability disclosed earlier this month.