IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

New ransomware group is attacking US firms and educational establishments

Mespinoza hacking gang hits organizations with ransom demands as high as $1.6 million

Security researchers have discovered a new ransomware group attacking US publishing, real estate, industrial manufacturing, and education organizations.

Dubbed Mespinoza, researchers at Unit 42, the cyber security consulting and threat intelligence team at Palo Alto Networks, said the gang’s website claimed to have 187 victims in various industries worldwide.

The victims are scattered across more than 20 countries, including the UK, Ireland, Spain, France, Germany, South Africa, Australia, US, Canada, and Brazil. The most targeted country was the US, according to a Mespinoza leak site, which reported 55% of victims were US organizations.

According to researchers‘ new report, the gang has hit victims with ransom demands as high as $1.6 million and received payments as high as $470,000.

The report detailed how the group operates. Researchers said the Mespinoza is highly disciplined. After accessing a new network, the group studies compromised systems in what we believe is triage to determine if there is enough valuable data to justify launching a full-scale attack. 

“They look for keywords including clandestine, fraud, social security numbers, driver’s license, passport and I-9. That suggests they are hunting for sensitive files that would have the most impact if leaked,” researchers said.

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastFree download

The ransomware gang also refers to victims as “partners.” That term suggests “they try to run the group as a professional enterprise and see victims as business partners who fund their profits,” said researchers. 

Mespinoza also uses a tool that creates network tunnels to siphon off data called “MagicSocks.” A component stored on their staging server and likely used to wrap up an attack is named “HappyEnd.bat.”

According to the researchers, in a recent incident, threat actors deployed the Mespinoza (also known as Pysa) ransomware by accessing a system via remote desktop and running a series of batch scripts that used the PsExec tool to copy and execute the ransomware on other systems on the network.

“Before deploying the ransomware to other systems, the actor runs PowerShell scripts on the other systems on the network to exfiltrate files of interest and to maximize the impact of the ransomware,” said researchers.

These attacks highlight current trends among multiple ransomware threat actors.

“As with other ransomware attacks, Mespinoza originates through the proverbial front door -- internet-facing RDP servers -- mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities,” said researchers.

Researchers added that the gang further reduces costs by using numerous free open source tools. They will also use built-in tools that enable actors to live off the land, benefitting bottom-line expenses and profits.

Featured Resources

Three ways manual coding is killing your business productivity

...and how you can fix it

Free Download

Goodbye broadcasts, hello conversations

Drive conversations across the funnel with the WhatsApp Business Platform

Free Download

Winning with multi-cloud

How to drive a competitive advantage and overcome data integration challenges

Free Download

Talking to a business should feel like messaging a friend

Managing customer conversations at scale with the WhatsApp Business Platform

Free Download

Recommended

Facilitating Fintech
Whitepaper

Facilitating Fintech

5 Oct 2022
Best security systems for business
cyber security

Best security systems for business

4 Oct 2022
Frontpoint review
cyber security

Frontpoint review

4 Oct 2022
Vivint review
cyber security

Vivint review

4 Oct 2022

Most Popular

Vodafone UK confirms talks to merge with Three are underway
mergers and acquisitions

Vodafone UK confirms talks to merge with Three are underway

3 Oct 2022
BT's new platform promises to slash AI development time from months to days
artificial intelligence (AI)

BT's new platform promises to slash AI development time from months to days

3 Oct 2022
How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022