PYSA Emerges as Top Ransomware Actor in November

Overtaking the Conti ransomware gang, PYSA finds success with government-sector attacks.

PYSA, also known as Mespinoza, has overtaken Conti as the top ransomware threat group for the month of November. It joined LockBit, which has dominated the space since August.

According to NCC Group’s November insights on the ransomware sector, PYSA increased its market share with a 50 percent rise in the number of targeted organizations, which includes a 400 percent spike in attacks against government-sector systems.

Double-Extortion and Beyond

PYSA regularly uses double extortion against its targets: it both exfiltrates and encrypts the data, then threatens to publish it if the victim doesn’t pay the ransom.

Last March, the FBI sent out a special alert about PYSA’s focus on the education sector, warning schools to be on alert for phishing lures and brute-force Remote Desktop Protocol attacks as initial-access techniques.

“In previous incidents, cyber-actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information and other data that could be used to extort victims to pay a ransom,” the FBI warned.

Everest Switches Up Tactics to Sell Initial Access

Russian-language ransomware group Everest is taking its extortion tactics to another level,

