{
	"id": "fea7483b-e0cd-4234-ae08-17ae61c8672a",
	"created_at": "2026-04-10T03:20:05.09468Z",
	"updated_at": "2026-04-10T13:12:57.400337Z",
	"deleted_at": null,
	"sha1_hash": "b26150d40583f57493394bf56467e37355cd21a8",
	"title": "France warns of new ransomware gang targeting local governments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1217367,
	"plain_text": "France warns of new ransomware gang targeting local\r\ngovernments\r\nBy Catalin Cimpanu\r\nPublished: 2020-03-19 · Archived: 2026-04-10 02:46:49 UTC\r\nFrance's cyber-security agency issued an alert this week warning about a new ransomware gang that's been\r\nrecently seen targeting the networks of local government authorities.\r\nThe alert, issued by France's CERT team, points to a rising number of attacks carried out with a new version of the\r\nMespinoza ransomware strain, also known as the Pysa ransomware.\r\nThis ransomware strain was first spotted making victims last year, in October 2019. According to reports at the\r\ntime, victims reported having data encrypted with the .locked extension added at the end of each ransomed file.\r\nA new Mespinoza version was spotted two months later, in December 2019. This one used the .pysa file\r\nextension, which explains the second name, Pysa, by which this ransomware is sometimes known.\r\nIn previous cases of Mespinoza/Pysa infections, most of the victims were companies, suggesting that the group\r\nbehind this new ransomware was specifically targeting large corporate networks in an attempt to maximize\r\nransom demands and, in turn, its profits.\r\nNow, CERT-FR says the Pysa gang has moved to target French organizations, with the agency receiving reports of\r\nmultiple infections.\r\nUnclear how the Pysa gang is infecting victims\r\nCERT-FR said it is still investigating how the Pysa gang is gaining access to victims' networks. 
However,\r\nforensic clues left behind paint a picture of what could have happened on some of the infected/ransomed\r\nnetworks.\r\nFor example, CERT-FR said there was evidence suggesting that the Pysa gang launched brute-force attacks\r\nagainst management consoles and Active Directory accounts.\r\nThese brute-force attacks were followed by the exfiltration of a company's accounts \u0026 passwords database.\r\nVictim organizations also reported seeing unauthorized RDP connections to their domain controllers, and the\r\ndeployment of Batch and PowerShell scripts.\r\nFurthermore, the Pysa gang also deployed a version of the PowerShell Empire penetration-testing tool, stopped\r\nvarious antivirus products, and even uninstalled Windows Defender in some instances.\r\nCERT-FR says that in at least one case they analyzed, they also found a new version of the Pysa ransomware,\r\nwhich used the .newversion file extension instead of the older .pysa.\r\nNo encryption weaknesses\r\nInvestigators said they also analyzed the ransomware and its encryption algorithms, and they weren't able to find\r\nany implementation flaws that could permit victims to bypass the ransom payment and decrypt files for free.\r\nAccording to CERT-FR, the Pysa ransomware code is \"specific and very short\" and \"based on public Python\r\nlibraries.\"\r\nBut attacks with Pysa aren't limited to France. 
In an interview with ZDNet about this new ransomware gang,\r\nEmsisoft malware analyst and ID-Ransomware creator Michael Gillespie said the Pysa ransomware gang has also\r\nmade victims outside France, across multiple continents, hitting both government and business-related networks.\r\nThe CERT-FR Mespinoza/Pysa alert is available here.\r\nLatest big-game hunter\r\nMespinoza/Pysa is the latest ransomware gang that engages in a tactic called \"big game hunting\" or \"human-operated ransomware\" -- where ransomware gangs target high-profile targets, breach their networks, and then\r\nmanually install ransomware on their networks.\r\nThis very focused targeting tactic is in stark contrast with the shotgun approach that has been used by ransomware\r\ngangs in the past, in the 2015 - early 2019 period, when they heavily relied on exploit kits and email spam to\r\ninfect random victims.\r\nOther ransomware gangs that engage in targeted \"big-game hunting\" include Ryuk, REvil (Sodinokibi),\r\nLockerGoga, RobbinHood, DoppelPaymer, Maze, and many others.\r\nSource: https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/"
	],
	"report_names": [
		"france-warns-of-new-ransomware-gang-targeting-local-governments"
	],
	"threat_actors": [],
	"ts_created_at": 1775791205,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b26150d40583f57493394bf56467e37355cd21a8.pdf",
		"text": "https://archive.orkl.eu/b26150d40583f57493394bf56467e37355cd21a8.txt",
		"img": "https://archive.orkl.eu/b26150d40583f57493394bf56467e37355cd21a8.jpg"
	}
}