New ransomware group is attacking US firms and educational establishments

Mespinoza hacking gang hits organizations with ransom demands as high as $1.6 million

Security researchers have discovered a new ransomware group attacking US publishing, real estate, industrial manufacturing, and education organizations.

Dubbed Mespinoza, researchers at Unit 42, the cyber security consulting and threat intelligence team at Palo Alto Networks, said the gang’s website claimed to have 187 victims in various industries worldwide.

The victims are scattered across more than 20 countries, including the UK, Ireland, Spain, France, Germany, South Africa, Australia, US, Canada, and Brazil. The most targeted country was the US, according to a Mespinoza leak site, which reported 55% of victims were US organizations.

According to researchers‘ new report, the gang has hit victims with ransom demands as high as $1.6 million and received payments as high as $470,000.

The report detailed how the group operates. Researchers said the Mespinoza is highly disciplined. After accessing a new network, the group studies compromised systems in what we believe is triage to determine if there is enough valuable data to justify launching a full-scale attack. 

“They look for keywords including clandestine, fraud, social security numbers, driver’s license, passport and I-9. That suggests they are hunting for sensitive files that would have the most impact if leaked,” researchers said.

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastFree download

The ransomware gang also refers to victims as “partners.” That term suggests “they try to run the group as a professional enterprise and see victims as business partners who fund their profits,” said researchers. 

Mespinoza also uses a tool that creates network tunnels to siphon off data called “MagicSocks.” A component stored on their staging server and likely used to wrap up an attack is named “HappyEnd.bat.”

According to the researchers, in a recent incident, threat actors deployed the Mespinoza (also known as Pysa) ransomware by accessing a system via remote desktop and running a series of batch scripts that used the PsExec tool to copy and execute the ransomware on other systems on the network.

“Before deploying the ransomware to other systems, the actor runs PowerShell scripts on the other systems on the network to exfiltrate files of interest and to maximize the impact of the ransomware,” said researchers.

These attacks highlight current trends among multiple ransomware threat actors.

“As with other ransomware attacks, Mespinoza originates through the proverbial front door -- internet-facing RDP servers -- mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities,” said researchers.

Researchers added that the gang further reduces costs by using numerous free open source tools. They will also use built-in tools that enable actors to live off the land, benefitting bottom-line expenses and profits.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations
cyber crime

Australia and US sign CLOUD Act data-sharing deal to support criminal investigations

16 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022