Ransomware attacks worldwide rose sequentially by nearly two percent in November, 2021, as organizations in North America and Europe remained hackers’ hot spots, a new report said.
In NCC Group’s monthly Threat Pulse report, its threat intelligence unit identified PYSA and Lockbit as the threat actors dominating the ransomware landscape in November, taking over from Conti and Lockbit, which had been the top crews since August, 2021. PYSA, also known as Mespinoza, overtook Conti with an increase of 50 percent as the latter's prevalence decreased by slightly more than nine percent.
What Is PYSA Ransomware?
PYSA malware, which was first spotted in the wild late in 2019, most often targets big fish, including financial institutions, government and healthcare organizations not only by encrypting files and data but also exfiltrating sensitive information. Accordingly, NCC identified 314 double-extortion ransomware victims worldwide during in November, for a 65 percent increase over the prior two months. Here are some more highlights from NCC’s research:
- 50% increase in organizations targeted by PYSA ransomware with a 400% rise in government sector victims.
- North America and Europe continue to be the most targeted regions in November, with 154 and 96 victims respectively. In North America, U.S.-based organizations were hit by 140 of the attacks with the remainder occurring in Canada.
- In Europe, the top targeted countries included the U.K. and France, with Italy and Germany sharing third place. Each of these countries experienced 32, 14, and 11 attacks respectively in November.
- Industrials continued to be the most targeted sector. Automotive, housing, entertainment, and retail businesses overtook technology with attacks hitting that sector decreasing by roughly 38%.
- After a 10-month hiatus following a law enforcement take down, the notorious Emotet malware returned. TrickBot is being used as an entry point to deploy a new version on previously infected systems.
Everest Group: Rising Threat?
Of note, a new, Russian-speaking cyber syndicate, the Everest Group, is offering paid access to the IT infrastructure of its victims and also threatening to release stolen data if ransom payment is refused. Targets include the Argentine government, Peru’s Ministry of Economy and Finance, and the Brazilian police.
“While selling ransomware-as-a-service has seen a surge in popularity over the last year, this is a rare instance of a group forgoing a request for a ransom and offering access to IT infrastructure,” NCC said of Everest. There may be more crews like it in 2022, the security unit said.
NCC also said it is monitoring exploitation of the Log4Shell vulnerability disclosed earlier this month.
