This ransomware gang hunts for evidence of crime to pressure victims into paying a ransom

"Extremely disciplined" Mespinoza attackers quietly enter networks via RDP attacks and search for files related to sensitive information that they threaten to publish if the victim doesn't pay a ransom.
Written by Danny Palmer, Senior Writer

A prolific ransomware group that targets organisations around the world looks for sensitive info and files that suggest its victims are aware of illegal activity, with the aim of exploiting this as additional leverage in their hunt to make money from ransom payments. 

The Mespinoza ransomware group – also known as PYSA – demands millions of dollars in exchange for a decryption key and threatens to publish private information stolen from the compromised network if the victims don't pay.  

Mespinoza has claimed victims around the world, but focuses predominantly on the United States, where it has targeted organisations in manufacturing, retail, engineering, education and government. The cybercrime group has become so prolific that the FBI issued a warning about attacks.  

SEE: Cybersecurity: Let's get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)     

Cybersecurity company Palo Alto Networks has analysed Mespinoza attacks and detailed what it describes as an "extremely disciplined" ransomware group, which actively searches for evidence of illegal activity as well as other sensitive information to use as blackmail for double extortion campaigns. 

Like many ransomware groups, Mespinoza first gains a foothold in networks by compromising remote desktop protocol (RDP) systems. It's uncertain whether the attackers use brute force attacks or use phishing attacks to steal login credentials, but by using legitimate usernames and passwords to access systems, it's much easier for them to remain undetected as they move around the network and attempt to lay the foundations for the ransomware attack. 

But this isn't the only way in which Mespinoza ensures that it has persistent access to hacked networks, as the group also installs a backdoor, which – based on the malware's code – researchers have named Gasket. This in turn references a capability called "MagicSocks", which uses open-source tools to provide continued remote access to the network.  

All of this allows the attackers to maintain persistence as they carefully take the time to assess the network. Mespinoza takes specific interest in file and server names relating to sensitive and confidential information, financial data and even information that might allude to illegal activity by the victim for use as leverage when demanding a ransom.  

"They search using sensitive terms such as illegal, fraud, and criminal. In other words, the actors are also interested in illegal activities known to the organisation that could provide extreme leverage should a negotiation start," Alex Hinchliffe, threat intelligence analyst for Unit 42 at Palo Alto Networks, told ZDNet. 

The ransom demands are often over $1.5 million, but the group is willing to negotiate with victims and has received many payments of almost $500,000 in exchange for a decryption key as well as to prevent stolen information from being published.

The group has been active since April 2020 – a time when the global pandemic forced many organisations to suddenly adapt to remote working, making many more vulnerable to RDP attacks. And while Mespinoza isn't as high-profile as other ransomware groups, the fact that it has been operating for over a year suggests it's successful.

"They're relatively new but making a large impact given the number of victims listed on their leak site, and likely making a lot of money from their extortion," said Hinchliffe. 

SEE: Ransomware: Paying up won't stop you from getting hit again, says cybersecurity chief

It's currently not known where Mespinoza is operating from, but it's likely that their attacks will continue so long as they're making money from ransoms – and organisations with unsecured RDP will remain a prime target for campaigns by this group and other cyber-criminal ransomware operations. 

"Organisations need to know more about their attack surface area because without knowing their footprint, especially the internet-connected part, it's almost impossible to see what's happening, let alone defend against it," said Hinchliffe. 

"Far too many organisations have services such as a RDP exposed to the internet and are exposing themselves to the risk of remotely launched attacks, negating the need from the threat actor to create and deliver phishing attacks at much higher cost to them," he added. 

Organisations can help prevent their RDP services from being compromised by avoiding the use of default passwords and by applying multi-factor authentication to user accounts. 


Editorial standards