New ransomware group targets French local authorities


France's national CERT (CERT-FR) has issued a warning following multiple reports of cyber attacks on local governments' networks. The attacks appear to have been carried out with a new version of the Mespinoza ransomware strain, also known as the Pysa ransomware.

The Mespinoza ransomware was first spotted in October last year. As is common with other ransomware families, Mespinoza encrypts all files on the victim's computer, appends a '.locked' extension to each encrypted file, and then extorts the user into paying for a supposed decryption key. In December 2019 a new Mespinoza version emerged that used the '.pysa' file extension, hence the moniker "Pysa ransomware".

According to CERT-FR, the team is still investigating how the Mespinoza/Pysa operators are compromising victims' networks, but some evidence suggests that the gang may have launched brute-force attacks against management consoles and Active Directory accounts.

Some victim organizations reported seeing unauthorized RDP connections to their domain controllers. The Pysa group also uses Batch and PowerShell scripts, as well as a version of the PowerShell Empire penetration-testing tool, and is able to bypass Microsoft Defender and various antivirus products.
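A defender-side illustration of the two precursors reported above (brute-forced Active Directory accounts and unauthorized RDP sessions on domain controllers): the Python detector below is an added example, not code from CERT-FR or from this article, and runs over constructed Windows Security event records; the host names, accounts, addresses, and the five-failures-in-five-minutes threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events, not real telemetry:
# (timestamp, event_id, target host, account, source IP, logon type).
# 4625 = failed logon, 4624 = successful logon; logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2020-03-18T02:14:01", 4625, "DC01", "admin", "10.0.5.77", 3),
    ("2020-03-18T02:14:09", 4625, "DC01", "admin", "10.0.5.77", 3),
    ("2020-03-18T02:14:17", 4625, "DC01", "admin", "10.0.5.77", 3),
    ("2020-03-18T02:14:25", 4625, "DC01", "admin", "10.0.5.77", 3),
    ("2020-03-18T02:14:33", 4625, "DC01", "admin", "10.0.5.77", 3),
    ("2020-03-18T02:14:41", 4625, "DC01", "admin", "10.0.5.77", 3),
    ("2020-03-18T02:20:55", 4624, "DC01", "admin", "10.0.5.77", 10),  # RDP into the DC
    ("2020-03-18T08:01:10", 4625, "WS42", "jdupont", "10.0.9.12", 2),  # single typo, benign
    ("2020-03-18T08:02:30", 4624, "WS42", "jdupont", "10.0.9.12", 10),  # RDP to a workstation
]
DOMAIN_CONTROLLERS = {"DC01"}  # hypothetical host inventory

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map (source IP, host) -> peak number of failed logons seen in any sliding window."""
    failures = defaultdict(list)
    for ts, event_id, host, _account, src, _ltype in events:
        if event_id == 4625:
            failures[(src, host)].append(datetime.fromisoformat(ts))
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = max(alerts.get(key, 0), end - start + 1)
    return alerts

def detect_rdp_to_dc(events, domain_controllers):
    """List every successful RDP (logon type 10) session established on a domain controller."""
    return [(ts, host, account, src) for ts, event_id, host, account, src, ltype in events
            if event_id == 4624 and ltype == 10 and host in domain_controllers]

def correlate(events, domain_controllers):
    """Source IPs that both brute-forced a DC and then logged in to it over RDP."""
    brute = detect_bruteforce(events)
    return sorted({src for _ts, host, _acct, src in detect_rdp_to_dc(events, domain_controllers)
                   if (src, host) in brute})

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS, DOMAIN_CONTROLLERS))
```

In a real deployment the tuples would come from the Security event log (e.g. via a SIEM export); the benign workstation RDP session shows why the domain-controller inventory, not logon type alone, drives the alert.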

CERT-FR said its analysis of the Pysa ransomware has not revealed any implementation mistakes that would allow victims to decrypt their files for free without paying the ransom. According to the experts, the Pysa ransomware code is "specific and very short" and "based on public Python libraries."
