The Pysa ransomware group dumped dozens of victims onto their leak site this week right after US law enforcement officials announced a range of actions taken against ransomware groups.
More than 50 companies, universities, and organizations had their names added to the ransomware group’s leak site.
The group, which also goes by the name Mespinoza, was called out by the FBI in March for specifically targeting “higher education, K-12 schools, and seminaries.” The FBI said at least 12 educational institutions across the US and UK had been hit with the ransomware. The French National Agency for the Security of Information Systems issued a similar alert one year earlier.
Multiple ransomware experts questioned the timing of the leak, noting that Pysa has a penchant for waiting to add victims to their leak site.
Recorded Future ransomware expert Allan Liska told ZDNet he did not think all of the victims published to the site were new.
“We have seen them take six months, and even longer, from when a victim is first hit to when [stolen data] is published,” Liska said. “This could be all the victims they have been stalling on publishing data, but it would represent more victims than we have seen from them