This week, the Pysa ransomware organization put scores of victims onto its leak site, just as US law enforcement officials announced a slew of measures against ransomware groups.
The identities of over 50 firms, colleges, and organizations have been uploaded to the ransomware group’s leak site.
The FBI warned the group, also known as Mespinoza, in March that it was primarily targeting “higher education, K-12 schools, and seminaries.” The FBI said that the ransomware had infected at least 12 educational institutions in the United States and the United Kingdom. One year previously, the French National Agency for the Security of Information Systems published a similar warning.
Multiple ransomware specialists questioned the timing of the release, pointing out that Pysa has a habit of waiting for victims to be added to their leak site.
Allan Liska, a ransomware expert at Recorded Future, told ZDNet that he did not believe all of the victims listed on the site were new.
“We have seen them take six months, and even longer, from when a victim is first hit to when [stolen data] is published,” Liska said. “This could be all the victims they have been stalling on publishing data, but it would represent more victims than we have seen from them the rest of the year. It is a lot of different organizations, from around the world, with no theme.”
Pysa, according to Emsisoft security expert Brett Callow, identifies and humiliates its victims for extended periods of time after the assaults, distinguishing it from other malware gangs.
It’s unknown why they waited all this time to expose victim information, he says, adding that it’s odd they leaked so many details all at once.
The leak occurred as law authorities in the United States, Europe, and other parts of the world took tough actions against a bunch of ransomware gangs.
US officials from the Justice Department, Treasury, and FBI reported a slew of measures against perpetrators of the REvil ransomware gang, and also sanctions on entities that assist ransomware groups in laundering criminal funds.
Over the last six months, US authorities have collaborated with Eurojust, Europol, Interpol, as well as other law enforcement organizations on “Operation GoldDust”, to destroy several ransomware gangs. Seventeen nations have joined the campaign, and hundreds of people have been detained in connection with ransomware gangs across Europe.
This was all in response to an effort to knock down REvil’s infrastructure, which resulted in the gang closing business for the second time.
Callow and Liska both expressed surprise at the timing of the Pysa’s leak, given the efforts taken by law enforcement.
“You can’t help but wonder whether their doing so now is in response to the news in relation to REvil — either a middle finger to law enforcement or, perhaps, an expression of confidence in case any of their affiliates are starting to get cold feet,” Callow told ZDNet.
Liska agreed that Pysa appeared to be “giving the finger” to law enforcement following a terrible day for ransomware organizations.
Pysa, which was first discovered in 2019, is renowned for exfiltrating information from targets before encrypting their computers “to use as leverage in eliciting ransom payments,” according to the FBI’s March notification.
They highlighted that Pysa has targeted international government bodies, educational institutions, commercial corporations, and the healthcare industry in addition to educational institutions.
“In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom,” the FBI said in the notice. “The cyber actors have uploaded stolen data to MEGA.NZ, cloud storage and file sharing service, by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer. However, in the past, actors have used other methods of exfiltrating data that leaves less evidence of what was stolen.”
In July, Emsisoft published a description of the ransomware gang, noting that they use the ransomware-as-a-service business strategy and frequently leak stolen information “even after the victim company has paid the ransom.”
They cautioned victims against assisting the gang, stating that Emsisoft’s decryption program “can safely decode data encrypted by Mespinoza, provided the victim has got the decryption keys.”
“Since Mespinoza was first discovered, there have been 531 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files,” Emsisoft researchers wrote in July.
“We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 2,124 Mespinoza incidents since the ransomware’s inception. During this time, the group has also published on its leak site the stolen data of at least 104 organizations.”
