New ransomware group is attacking US firms and educational establishments

Mespinoza hacking gang hits organizations with ransom demands as high as $1.6 million

Security researchers have discovered a new ransomware group attacking US publishing, real estate, industrial manufacturing, and education organizations.

Dubbed Mespinoza, researchers at Unit 42, the cyber security consulting and threat intelligence team at Palo Alto Networks, said the gang’s website claimed to have 187 victims in various industries worldwide.

The victims are scattered across more than 20 countries, including the UK, Ireland, Spain, France, Germany, South Africa, Australia, US, Canada, and Brazil. The most targeted country was the US, according to a Mespinoza leak site, which reported 55% of victims were US organizations.

According to researchers‘ new report, the gang has hit victims with ransom demands as high as $1.6 million and received payments as high as $470,000.

The report detailed how the group operates. Researchers said the Mespinoza is highly disciplined. After accessing a new network, the group studies compromised systems in what we believe is triage to determine if there is enough valuable data to justify launching a full-scale attack. 

“They look for keywords including clandestine, fraud, social security numbers, driver’s license, passport and I-9. That suggests they are hunting for sensitive files that would have the most impact if leaked,” researchers said.

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastDownload now

The ransomware gang also refers to victims as “partners.” That term suggests “they try to run the group as a professional enterprise and see victims as business partners who fund their profits,” said researchers. 

Mespinoza also uses a tool that creates network tunnels to siphon off data called “MagicSocks.” A component stored on their staging server and likely used to wrap up an attack is named “HappyEnd.bat.”

According to the researchers, in a recent incident, threat actors deployed the Mespinoza (also known as Pysa) ransomware by accessing a system via remote desktop and running a series of batch scripts that used the PsExec tool to copy and execute the ransomware on other systems on the network.

“Before deploying the ransomware to other systems, the actor runs PowerShell scripts on the other systems on the network to exfiltrate files of interest and to maximize the impact of the ransomware,” said researchers.

These attacks highlight current trends among multiple ransomware threat actors.

“As with other ransomware attacks, Mespinoza originates through the proverbial front door -- internet-facing RDP servers -- mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities,” said researchers.

Researchers added that the gang further reduces costs by using numerous free open source tools. They will also use built-in tools that enable actors to live off the land, benefitting bottom-line expenses and profits.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Researchers disclose top vulnerabilities abused by ransomware gangs
ransomware

Researchers disclose top vulnerabilities abused by ransomware gangs

20 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021
How do hackers choose their targets?
hacking

How do hackers choose their targets?

17 Sep 2021
Owner of DDoS for hire sites found guilty of hacking offences
distributed denial of service (DDOS)

Owner of DDoS for hire sites found guilty of hacking offences

17 Sep 2021

Most Popular

Zoom: From pandemic upstart to hybrid work giant
video conferencing

Zoom: From pandemic upstart to hybrid work giant

14 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Intuit plans end-to-end SMB platform after $12 billion Mailchimp acquisition
mergers and acquisitions

Intuit plans end-to-end SMB platform after $12 billion Mailchimp acquisition

14 Sep 2021