CERT France has released an alert this week regarding a new variant of the Mespinoza ransomware strain, also known as Pysa. The operators of this ransomware, who previously attacked large businesses, have now started targeting French government organizations.

Using brute-force attacks against management consoles and Active Directory (AD) accounts, the operators gained access to the networks of large companies and local government organizations. Victims also reported unauthorized remote desktop connections to their domain controllers. Where the brute-force attacks succeeded, the threat actors exfiltrated password databases and other information stolen from victims and then deployed the ransomware.

The threat actors used their access to deploy the penetration testing tool PowerShell Empire, interacting with the compromised machines to expand access and stop anti-virus programs from running. The attackers also used other PowerShell and batch scripts.
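Two of the behaviours in the alert, a burst of failed AD logons from one source and an interactive RDP logon to a domain controller, are visible in Windows Security events (4625 failed logon, 4624 successful logon with logon type 10). The detection below is an added example written for this page, not part of the CERT-FR alert; the log format, host names, user names and IP addresses are all constructed, and the domain-controller inventory is an assumed set.

```python
"""Detection logic for brute-force against AD accounts and RDP logons to domain
controllers, run over constructed sample Windows Security events."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (hypothetical hosts, users and IPs) in a simplified
# CSV export of Windows Security events: time, event_id, host, user, logon_type, source_ip.
SAMPLE_LOG = """time,event_id,host,user,logon_type,source_ip
2020-03-01T02:00:01,4625,DC01,admin,3,10.0.5.23
2020-03-01T02:00:03,4625,DC01,admin,3,10.0.5.23
2020-03-01T02:00:04,4625,DC01,administrator,3,10.0.5.23
2020-03-01T02:00:06,4625,DC01,svc_backup,3,10.0.5.23
2020-03-01T02:00:07,4625,DC01,jdupont,3,10.0.5.23
2020-03-01T02:00:09,4625,DC01,mleroy,3,10.0.5.23
2020-03-01T02:05:40,4624,DC01,svc_backup,10,10.0.5.23
2020-03-01T08:15:00,4625,FS01,mleroy,2,10.0.7.14
2020-03-01T08:16:30,4624,FS01,mleroy,2,10.0.7.14
2020-03-01T09:00:00,4624,WS042,jdupont,10,10.0.7.14
"""

# Assumed inventory of domain-controller host names (hypothetical).
DOMAIN_CONTROLLERS = {"DC01"}


def parse_events(log_text):
    """Parse the simplified CSV export into dicts with typed fields."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["event_id"] = int(row["event_id"])
        row["logon_type"] = int(row["logon_type"])
        events.append(row)
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs that produced >= threshold failed logons (4625) inside
    any sliding window of the given length. Returns {source_ip: summary}."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_ip[ev["source_ip"]].append(ev)
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["time"])
        peak, start = 0, 0
        for end in range(len(fails)):
            # Advance the window start until all events fit inside the window.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[ip] = {
                "failures": len(fails),
                "peak_in_window": peak,
                "distinct_users": len({e["user"] for e in fails}),
                "first": fails[0]["time"],
                "last": fails[-1]["time"],
            }
    return findings


def detect_dc_rdp(events, domain_controllers):
    """Return successful interactive RDP logons (4624, logon type 10) to domain controllers."""
    return [
        {"time": ev["time"], "host": ev["host"], "user": ev["user"], "source_ip": ev["source_ip"]}
        for ev in events
        if ev["event_id"] == 4624 and ev["logon_type"] == 10 and ev["host"] in domain_controllers
    ]


def analyze(log_text, domain_controllers=DOMAIN_CONTROLLERS):
    """Run both detections and correlate them: an RDP logon to a DC from a source
    that was also brute-forcing accounts is the highest-priority finding."""
    events = parse_events(log_text)
    brute = detect_bruteforce(events)
    dc_rdp = detect_dc_rdp(events, domain_controllers)
    high = sorted({r["source_ip"] for r in dc_rdp if r["source_ip"] in brute})
    return {"bruteforce": brute, "dc_rdp": dc_rdp, "high_priority": high}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, f in result["bruteforce"].items():
        print(f"brute-force from {ip}: {f['failures']} failures, "
              f"{f['distinct_users']} accounts, peak {f['peak_in_window']} in window")
    for r in result["dc_rdp"]:
        print(f"RDP logon to DC {r['host']} as {r['user']} from {r['source_ip']} at {r['time']}")
    print("high priority sources:", result["high_priority"])
```

On the sample data the source 10.0.5.23 is flagged for six failures against five accounts within seconds and then for an RDP logon to DC01, which is exactly the sequence the alert describes; the single failure from 10.0.7.14 and its RDP logon to a workstation are not flagged. The threshold and window are starting points to tune against the baseline of the environment being monitored.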
By: Dan McNemar

It is not a new concept that criminals use the Darknet to