Concise Cyber

PYSA Ransomware Dominates November, Government Attacks Surge

PYSA, also known as Mespinoza, has ascended to become the top ransomware threat group for November, surpassing the once-dominant Conti gang. According to NCC Group’s latest insights, PYSA significantly expanded its market share, notably by targeting government sector systems with a substantial increase in activity.

PYSA’s Rise and Double Extortion Tactics

PYSA’s prominence in November was marked by a 50 percent rise in the number of targeted organizations, fueled by a staggering 400 percent spike in attacks directed at government entities. The group is well-known for employing double-extortion tactics, where they not only encrypt a victim’s data but also exfiltrate it, threatening public release if the ransom is not paid. Earlier this year, the FBI issued a specific alert regarding PYSA’s focus on the education sector, warning about common initial access techniques such as phishing lures and brute-force Remote Desktop Protocol (RDP) attacks. These attacks have previously resulted in the exfiltration of sensitive data, including personally identifiable information (PII) and payroll records, which are then used to coerce victims into paying ransoms.

Everest’s Evolving Extortion Model

Beyond PYSA, the report also highlighted the Russian-language ransomware group Everest, which is innovating its extortion strategies. Everest has begun offering paid access to victims’ IT infrastructure, sometimes even bypassing direct ransom demands to sell system access outright. This new approach, observed with data related to the Argentine government, Peru’s Ministry of Economy and Finance, and the Brazilian Police, marks a potential new trend in the ransomware world. While ransomware-as-a-service has gained traction, analysts are closely monitoring if this direct access-selling model will be adopted by other threat groups in 2022 and beyond. Meanwhile, Conti’s activity saw a dip in November but is anticipated to rebound following its development of a weaponized attack chain for the Log4Shell vulnerability, leveraging its significant scale. North America and Europe remain the primary targets for these ransomware activities.