
How Mespinoza Ransomware Group Hits Targets

Palo Alto Networks Report Describes Tactics of Group Leveraging Open-Source Tools

The gang behind ransomware known as Mespinoza, aka PYSA, is targeting manufacturers, schools and others, mainly in the U.S. and U.K., demanding ransom payments as high as $1.6 million, according to Palo Alto Networks' Unit 42 threat intelligence team.


Mespinoza's operators compromise Remote Desktop Protocol credentials or use phishing emails to gain unauthorized access to organizations' networks. They use open-source and built-in system tools to aid in lateral movement and credential harvesting, the researchers say, based on their recent monitoring of the group's infrastructure.

As of mid-July, Mespinoza's leak site - active since at least early 2020 - contained data it says belongs to 187 victim organizations - 55% of which are within the U.S., Palo Alto Networks researchers say. Other victims have been identified in at least 20 other countries. Targeted sectors include education, manufacturing, retail, medical, government, high-tech, transportation, engineering and social services.

Palo Alto researchers say it appears the criminal group has not adopted a ransomware-as-a-service model, which is widely used by other ransomware groups, including REvil, which targeted the software firm Kaseya (see: Kaseya: Up to 1,500 Organizations Hit in Ransomware Attack).

'Double Extortion Tactics'

The researchers say Mespinoza's operators "leverage double-extortion tactics, exfiltrating data prior to deploying the ransomware [to encrypt data] so they can later threaten to leak it - and install a new backdoor we call Gasket … to maintain access to the network."

The group's "MagicSocks" tool, which uses the open-source software Chisel - often used for passing through firewalls - creates "tunnels" for continued remote access.

As with other ransomware incidents, the Mespinoza gang's attacks typically start through the proverbial front door - internet-facing RDP servers - reducing the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or "other more time-consuming and costly activities," the researchers say. Internet-connected RDP servers can be easily identified through automated scanning, they warn.

By using free, open-source tools, or built-in systems, the Mespinoza gang is equipped to maximize its return on investment, Palo Alto Networks says.

Earlier Warnings

In a March alert, the FBI highlighted a surge in PYSA ransomware attacks targeting educational institutions in the U.S. and U.K.

"The unidentified cyber actors have specifically targeted higher education, K-12 schools and seminaries," the FBI wrote.

According to its new report, Palo Alto Networks monitored the group's infrastructure - including its command-and-control server used to manage attacks and its "name and shame" site for listing uncooperative victims.

The researchers call the Mespinoza gang "extremely disciplined," noting that after gaining network access, the group triages compromised systems in search of valuable data to justify a full-scale attack. In its hunt for sensitive files, operators use keywords such as "clandestine," "fraud," "ssn," "driver*license," "passport" and "I-9."

Ransom note language also suggests the threat actors portray the campaign as a "professional" endeavor - calling victims "partners," researchers say.

A tool stored on the group's staging server - called "HappyEnd.bat" - is likely used to finalize an attack, Palo Alto Networks reports.

Limited Resources?

Based on its tactics, the Mespinoza gang may have limited resources, says Frank Downs, former offensive analyst for the U.S. National Security Agency.

"The efficacy of open-source tools is up for debate - as they are usually used by organizations with a limited budget," he says. "These criminals may have more time than money when planning and executing their attacks."

Downs, who now serves as a director at the security firm BlueVoyant, says that while open-source tools are free, they usually are not nearly as user-friendly as other options.

To thwart Mespinoza attacks, Downs recommends that organizations strengthen vulnerable RDP servers using nondefault passwords and multifactor authentication, along with additional protective controls, such as nontraditional port assignments and IP filters.

Other Parallels

A recent report published by France's National Agency for the Security of Information Systems said threat actors were delivering a payload similar to PYSA, written in the programming language Go, which was determined to be an earlier, unobfuscated version. Experts say the backdoor was written in Go and used the open-source tool Gobfuscate to conceal its payload.

Palo Alto Networks says one recent Mespinoza incident used a similar approach - accessing a system via remote desktop, running a series of batch scripts and using the PsExec tool to copy and execute ransomware on other systems on the network. Operators ran PowerShell scripts to exfiltrate files of interest and maximize the impact of the attack.
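As an added illustration (not from the Unit 42 report or this article), here is a small Python detection routine that flags two steps of the chain just described when run over constructed Windows event records: an interactive RDP logon (Security event 4624, logon type 10) from an address outside RFC 1918 space, and a PsExec service installation (System event 7045 with service name PSEXESVC). The field names are a simplification of the real event schema, and the hostnames and addresses are made up.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry), loosely modelled on
# Security 4624 (logon) and System 7045 (service installed). Field names
# are a simplification of the real event XML.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 4624, "host": "FS01", "user": "jdoe", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"id": 4624, "host": "FS01", "user": "svc_backup", "logon_type": 10, "src_ip": "10.20.0.7"},
    {"id": 4624, "host": "DC01", "user": "admin", "logon_type": 3, "src_ip": "10.20.0.7"},
    {"id": 7045, "host": "WS22", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "WS23", "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "WS22", "service": "Spooler", "image": r"%SystemRoot%\System32\spoolsv.exe"},
]

# RFC 1918 ranges are treated as "internal". Python's ip_address.is_private also
# counts documentation ranges such as 203.0.113.0/24 as private, so we check
# explicitly instead of relying on it.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(events: Iterable[Dict]) -> List[str]:
    """Return one alert string per suspicious event; order follows the input."""
    alerts: List[str] = []
    psexec_hosts = set()
    for e in events:
        # Logon type 10 is RemoteInteractive, i.e. an RDP session. An RDP logon
        # sourced from outside internal space is the "front door" the report describes.
        if e["id"] == 4624 and e.get("logon_type") == 10 and not is_internal(e["src_ip"]):
            alerts.append(f"RDP logon to {e['host']} as {e['user']} from external {e['src_ip']}")
        # PsExec installs a transient service named PSEXESVC on the target host,
        # which shows up as a 7045 service-installation event.
        if e["id"] == 7045 and e.get("service", "").upper() == "PSEXESVC":
            psexec_hosts.add(e["host"])
            alerts.append(f"PsExec service installed on {e['host']} ({e['image']})")
    # Several hosts receiving PsExec services in one batch is the fan-out
    # pattern of ransomware being pushed across the network.
    if len(psexec_hosts) > 1:
        alerts.append(f"PsExec fan-out across {len(psexec_hosts)} hosts: {', '.join(sorted(psexec_hosts))}")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

Real deployments would read these fields from the Windows event log or a SIEM rather than from an inline list, and would tune the external-address check to the organisation's own address plan.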


About the Author

Dan Gunderman

Former News Desk Staff Writer

As staff writer on the news desk at Information Security Media Group, Gunderman covered governmental/geopolitical cybersecurity updates from across the globe. Previously, he was the editor of Cyber Security Hub, or CSHub.com, covering enterprise security news and strategy for CISOs, CIOs and top decision-makers. He also formerly was a reporter for the New York Daily News, where he covered breaking news, politics, technology and more. Gunderman has also written and edited for such news publications as NorthJersey.com, Patch.com and CheatSheet.com.