[BreachExchange] Mespinoza ransomware gang flies under the radar while ramping up attacks

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 15 11:07:40 EDT 2021


https://siliconangle.com/2021/07/15/mespinoza-ransomware-gang-flies-radar-ramping-attacks/

A new report from Palo Alto Networks Inc.’s Unit 42 released today details
a prolific ransomware gang that has mostly gone under the radar amid
attacks from better-known groups such as REvil, DarkSide and Ragnar Locker.

Called Mespinoza, the ransomware gang uses what the Palo Alto researchers
describe as “whimsical terms” to name its hacking tools. The gang calls its
victims “partners” and attacks with tools called “Gasket” and “MagicSocks,”
while on its staging server, a file is named “HappyEnd.bat.”

Mespinoza has been found to be targeting education, manufacturing, retail,
medical, government, high-tech, transportation and logistics, engineering
and social services, among others. Ransom demands have been as high as $1.6
million, with payments as high as $470,000.

The increasing activity by the ransomware gang, also known as PYSA, has
drawn the attention of the U.S. Federal Bureau of Investigation. The FBI
published a warning in March that the group was targeting educational
institutions in 12 U.S. states and the U.K., but its target scope has
broadened since.

Mespinoza targets many industries, with the gang’s leak site providing data
it claims belongs to 187 victim organizations. Some 55% of victims
identified on the leak site are from the U.S., while the rest are across 20
countries, including Canada, Brazil, U.K., Italy, Spain, France, Germany,
South Africa and Australia.

The group is described as being extremely disciplined. After accessing a
new network, the group studies systems in what the researchers believe is a
triage to determine whether there’s enough valuable data to justify
launching a full-scale attack. Suggesting that the gang looks for
high-impact data, Mespinoza searches for terms including clandestine,
fraud, SSN, driver’s license, passport and I-9.

In one recent attack, Mespinoza deployed ransomware by accessing a system
via remote desktop and running a series of batch scripts that use the
PsExec tool, a Windows telnet-replacement tool, to copy and execute the
ransomware on other systems on the network.
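The PsExec-driven deployment described above leaves a recognisable trail on each target host: the PSEXESVC service binary is written to the ADMIN$ share, a new service named PSEXESVC is installed, and PSEXESVC.exe then spawns whatever the operator ran, in this case batch scripts. The following Python is an added detection example, not code from the Unit 42 report or the article; the event records are constructed to resemble Windows event IDs 5145 (share object accessed), 7045 (service installed) and 4688 (process created), and the field names, hostnames, users and the `approved_users` allowlist are assumptions for illustration.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). Field names are simplified
# assumptions, not the exact Windows event schema. Host FILESRV01 shows the
# full chain the article describes: PSEXESVC.exe dropped on ADMIN$, the
# PSEXESVC service installed, then a batch script launched by PSEXESVC.exe.
# WKS-042 shows ordinary PsExec use by helpdesk; DC01 shows an unrelated service.
SAMPLE_EVENTS = r"""
{"time":"2021-07-10T02:14:03","host":"FILESRV01","event_id":5145,"src_ip":"10.0.5.23","share":"\\\\*\\ADMIN$","target":"PSEXESVC.exe","user":"CORP\\svc_backup"}
{"time":"2021-07-10T02:14:05","host":"FILESRV01","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\svc_backup"}
{"time":"2021-07-10T02:14:09","host":"FILESRV01","event_id":4688,"parent":"C:\\Windows\\PSEXESVC.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c C:\\Windows\\Temp\\deploy.bat","user":"CORP\\svc_backup"}
{"time":"2021-07-10T09:30:00","host":"WKS-042","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe","user":"CORP\\helpdesk"}
{"time":"2021-07-10T09:31:00","host":"WKS-042","event_id":4688,"parent":"C:\\Windows\\PSEXESVC.exe","image":"C:\\Windows\\System32\\ipconfig.exe","cmdline":"ipconfig /all","user":"CORP\\helpdesk"}
{"time":"2021-07-10T11:00:00","host":"DC01","event_id":7045,"service":"Spooler","image":"C:\\Windows\\System32\\spoolsv.exe","user":"NT AUTHORITY\\SYSTEM"}
"""

SCRIPT_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines events into dicts with a datetime 'time', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def detect_psexec_lateral_movement(events, window=timedelta(minutes=5),
                                   approved_users=frozenset()):
    """Flag hosts where a PSEXESVC service install is correlated with the
    surrounding PsExec artefacts. Severity: 'high' when PSEXESVC.exe spawned a
    batch/cmd script (the deployment pattern in the report), 'medium' when it
    spawned some other process or the binary was staged via ADMIN$, else 'low'."""
    findings = []
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    for host, evs in by_host.items():
        for ev in evs:
            if ev["event_id"] != 7045:
                continue
            if "PSEXESVC" not in (ev.get("service", "") + ev.get("image", "")).upper():
                continue
            if ev.get("user") in approved_users:
                continue  # known operator account; tune this allowlist per site
            t = ev["time"]
            # Was PSEXESVC.exe written to an admin share shortly before the install?
            staged = any(e["event_id"] == 5145
                         and "ADMIN$" in e.get("share", "")
                         and "PSEXESVC" in e.get("target", "").upper()
                         and t - window <= e["time"] <= t
                         for e in evs)
            # What did the PsExec service launch after it was installed?
            children = [e for e in evs if e["event_id"] == 4688
                        and "PSEXESVC" in e.get("parent", "").upper()
                        and t <= e["time"] <= t + window]
            ran_script = any(SCRIPT_RE.search(e.get("cmdline", "")) for e in children)
            if ran_script:
                severity = "high"
            elif children or staged:
                severity = "medium"
            else:
                severity = "low"
            findings.append({
                "host": host,
                "time": t.isoformat(),
                "user": ev.get("user"),
                "staged_via_admin_share": staged,
                "child_commands": [e.get("cmdline", "") for e in children],
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in detect_psexec_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(f))
```

PsExec is also a legitimate administration tool, so the value of this check comes from the correlation rather than the service name alone: a PSEXESVC install from an account that does not normally perform remote administration, preceded by a write to ADMIN$ and followed by a script launch, is the combination worth paging on, and the `approved_users` allowlist is where known operator accounts are excluded to keep the alert volume manageable.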

Although the report details how the ransomware gang operates, one thing it
does not identify is the origin of the Mespinoza gang. Surprisingly, its
origins are not the usual suspects of Russia, China, Iran, or North Korea,
but according to Cynet, the gang is associated with an unknown French
advanced persistent threat group.

“Mespinoza attacks, such as those documented in this report, highlight
multiple trends currently occurring amongst multiple ransomware threat
actors and families that clearly enable their attacks and make them easy
and simple to use in their attacks,” the report concludes.