Ransomware experts question massive Pysa/Mespinoza victim dump

The prolific ransomware group dumped more than 50 victim names onto its leak site this week.

The Pysa ransomware group dumped dozens of victims onto their leak site this week right after US law enforcement officials announced a range of actions taken against ransomware groups. 

ZDNet Recommends

Best VPN service 2021

Every remote worker should consider a virtual private network to stay safe online.

Read More

More than 50 companies, universities, and organizations had their names added to the ransomware group's leak site. 

The group, which also goes by the name Mespinoza, was called out by the FBI in March for specifically targeting "higher education, K-12 schools, and seminaries." The FBI said at least 12 educational institutions across the US and UK had been hit with the ransomware. The French National Agency for the Security of Information Systems issued a similar alert one year earlier.

Multiple ransomware experts questioned the timing of the leak, noting that Pysa has a penchant for waiting to add victims to their leak site. 

Recorded Future ransomware expert Allan Liska told ZDNet he did not think all of the victims published to the site were new.

"We have seen them take six months, and even longer, from when a victim is first hit to when [stolen data] is published," Liska said. "This could be all the victims they have been stalling on publishing data, but it would represent more victims than we have seen from them the rest of the year. It is a lot of different organizations, from around the world, with no theme." 

Emsisoft threat analyst Brett Callow told ZDNet that Pysa names and shames its victims weeks, or sometimes months, after the attacks take place, differentiating it from other ransomware groups. 

The reason they waited this long to leak victim information is still unclear, he said, adding that it was curious they dumped this many names all at once. 

fdsi14mvuaquhzl.png

A sample from the leak site.

Brett Callow

The dump came as law enforcement in the US, Europe, and other regions took forceful measures against a number of ransomware groups. 

US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against some of the members of the REvil ransomware group as well as sanctions against organizations helping ransomware groups launder illicit funds.

US agencies have been working with Europol, Eurojust, Interpol, and other law enforcement organizations on "Operation GoldDust" to disrupt multiple ransomware groups over the past six months. Seventeen countries have been involved in the effort, and dozens of people have been arrested across Europe in connection with ransomware groups.

This all followed an operation to take down REvil's infrastructure that led to the group closing shop for the second time. 

Both Callow and Liska said the timing of the Pysa's dump was curious considering the actions being taken by law enforcement.

"You can't help but wonder whether their doing so now is in response to the news in relation to REvil -- either a middle finger to law enforcement or, perhaps, an expression of confidence in case any of their affiliates are starting to get cold feet," Callow told ZDNet. 

Liska echoed that it felt like Pysa was "giving the finger" to law enforcement after a bad day for ransomware groups. 

The FBI said in its March notice that Pysa, which was first seen in 2019, is known for exfiltrating data from victims before encrypting their systems "to use as leverage in eliciting ransom payments."

They noted that in addition to attacks on educational institutions, Pysa has also gone after foreign government entities, educational institutions, private companies, and the healthcare sector. 

"In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom," the FBI said in the notice. "The cyber actors have uploaded stolen data to MEGA.NZ, a cloud storage and file sharing service, by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim's computer. However, in the past, actors have used other methods of exfiltrating data that leaves less evidence of what was stolen."

Emsisoft released a profile of the ransomware group in July, noting that they operate with the ransomware-as-a-service business model and routinely dump stolen data "even after the victim company has paid the ransom."

They warned victims about cooperating with the group, explaining that Emsisoft's decryption tool "can safely decrypt data encrypted by Mespinoza, provided the victim has obtained the decryption keys."

"Since Mespinoza was first discovered, there have been 531 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files," Emsisoft researchers wrote in July. 

"We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 2,124 Mespinoza incidents since the ransomware's inception. During this time, the group has also published on its leak site the stolen data of at least 104 organizations."