PYSA ransomware behind most double extortion attacks in November


Security analysts from NCC Group report that ransomware attacks in November 2021 increased over the past month, with double-extortion continuing to be a powerful tool in threat actors' arsenal.

Threat actors' focus is also shifting to entities belonging to the government sector, which received 400% more attacks than in October.

The spotlight in November was stolen by the PYSA ransomware group (aka Mespinoza), which had an explosive rise in infections, recording an increase of 50%.
Other dominant ransomware groups are Lockbit and Conti, which launched attacks against critical entities, albeit fewer than in previous months.

The first signs of PYSA activity reaching threatening levels became apparent in March 2021, leading to the FBI publishing an alert about the actor's activity escalation.

Like almost all ransomware groups currently, PYSA exfiltrates data from the compromised network and then encrypts the originals to disrupt operations.
The stolen files are used as leverage in ransom negotiations, where the attackers threaten to publicly release data if a ransom is not paid.