New ransomware group is attacking US firms and educational establishments

Ransomware message on a computer screen
(Image credit: Shutterstock)

Security researchers have discovered a new ransomware group attacking US publishing, real estate, industrial manufacturing, and education organizations.

Dubbed Mespinoza, researchers at Unit 42, the cyber security consulting and threat intelligence team at Palo Alto Networks, said the gang’s website claimed to have 187 victims in various industries worldwide.

The victims are scattered across more than 20 countries, including the UK, Ireland, Spain, France, Germany, South Africa, Australia, US, Canada, and Brazil. The most targeted country was the US, according to a Mespinoza leak site, which reported 55% of victims were US organizations.

According to researchers‘ new report, the gang has hit victims with ransom demands as high as $1.6 million and received payments as high as $470,000.

The report detailed how the group operates. Researchers said the Mespinoza is highly disciplined. After accessing a new network, the group studies compromised systems in what we believe is triage to determine if there is enough valuable data to justify launching a full-scale attack.

“They look for keywords including clandestine, fraud, social security numbers, driver’s license, passport and I-9. That suggests they are hunting for sensitive files that would have the most impact if leaked,” researchers said.


How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation


The ransomware gang also refers to victims as “partners.” That term suggests “they try to run the group as a professional enterprise and see victims as business partners who fund their profits,” said researchers.

Mespinoza also uses a tool that creates network tunnels to siphon off data called “MagicSocks.” A component stored on their staging server and likely used to wrap up an attack is named “HappyEnd.bat.”

According to the researchers, in a recent incident, threat actors deployed the Mespinoza (also known as Pysa) ransomware by accessing a system via remote desktop and running a series of batch scripts that used the PsExec tool to copy and execute the ransomware on other systems on the network.

“Before deploying the ransomware to other systems, the actor runs PowerShell scripts on the other systems on the network to exfiltrate files of interest and to maximize the impact of the ransomware,” said researchers.

These attacks highlight current trends among multiple ransomware threat actors.

“As with other ransomware attacks, Mespinoza originates through the proverbial front door -- internet-facing RDP servers -- mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities,” said researchers.

Researchers added that the gang further reduces costs by using numerous free open source tools. They will also use built-in tools that enable actors to live off the land, benefitting bottom-line expenses and profits.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.