CERT France has released an alert this week regarding a new variant of the Mespinoza ransomware strain, also known as Pysa. The operators of this ransomware, who previously attacked large businesses, have now started targeting French government organizations. Using brute-force attacks targeting management consoles and Active Directory (AD) accounts, operators were able to gain access to networks of large companies and local government organizations. Victims also reported unauthorized remote desktop connections to their domain controllers. If the brute-force attacks were successful at gaining access, the threat actors were able to exfiltrate password databases and other information stolen from victims, as well as deploy ransomware. The threat actors used their access to deploy the penetration testing tool PowerShell Empire, interacting with the compromised machines to expand access and stop anti-virus programs from running. Other PowerShell and batch scripts were also used by the attackers.
As there is currently no free decryption program available for this ransomware variant, Binary Defense recommends following the 3-2-1 backup rule:
• Keep three copies of data
• Keep two copies on different devices or storage media
• Keep one backup offsite
By actively monitoring Endpoint Detection and Response (EDR) tools, companies can better identify and respond to active threats that may result in ransomware if not quickly detected and stopped. The threat actors behind many of the most active ransomware threats have spent a significant amount of time expanding their access to more computers and administrator accounts before finally deploying ransomware. The time between initial compromise and ransomware deployment across the enterprise is the critical period when defenders have the best opportunity to stop the intrusion. All of the actions taken by the attackers would cause alerts in EDR tools, but to benefit from that detection requires skilled analysts interpreting the alerts and able to respond 24 hours a day, 7 days a week.