How Mespinoza Ransomware Group Hits Targets
Palo Alto Networks Report Describes Tactics of Group Leveraging Open-Source Tools
The gang behind ransomware known as Mespinoza, aka PYSA, is targeting manufacturers, schools and others, mainly in the U.S. and U.K., demanding ransom payments as high as $1.6 million, according to Palo Alto Networks' Unit 42 threat intelligence team.
Mespinoza's operators compromise Remote Desktop Protocol credentials or use phishing emails to gain unauthorized access to organizations' networks. They use open-source and built-in system tools to aid in lateral movement and credential harvesting, the researchers say, based on their recent monitoring of the group's infrastructure.
As of mid-July, Mespinoza's leak site - active since at least early 2020 - contained data it says belongs to 187 victim organizations - 55% of which are within the U.S., Palo Alto Networks researchers say. Other victims have been identified in at least 20 other countries. Targeted sectors include education, manufacturing, retail, medical, government, high-tech, transportation, engineering and social services.
Palo Alto researchers say it appears the criminal group has not adopted a ransomware-as-a-service model, which is widely used by other ransomware groups, including REvil, which targeted the software firm Kaseya (see: Kaseya: Up to 1,500 Organizations Hit in Ransomware Attack).
'Double Extortion Tactics'
The researchers say Mespinoza's operators "leverage double-extortion tactics, exfiltrating data prior to deploying the ransomware [to encrypt data] so they can later threaten to leak it - and install a new backdoor we call Gasket … to maintain access to the network."
The group's "MagicSocks" tool, which uses the open-source software Chisel - often used for passing through firewalls - creates "tunnels" for continued remote access.
As with other ransomware incidents, the Mespinoza gang's attacks typically start through the proverbial front door - internet-facing RDP servers - reducing the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or "other more time-consuming and costly activities," the researchers say. Internet-connected RDP servers can be easily identified through automated scanning, they warn.
By using free, open-source tools, or built-in systems, the Mespinoza gang is equipped to maximize its return on investment, Palo Alto Networks says.
In a March alert, the FBI highlighted a surge in PYSA ransomware attacks targeting educational institutions in the U.S. and U.K.
"The unidentified cyber actors have specifically targeted higher education, K-12 schools and seminaries," the FBI wrote.
According to its new report, Palo Alto Networks monitored the group's infrastructure - including its command-and-control server used to manage attacks and its "name and shame" site for listing uncooperative victims.
The researchers call the Mespinoza gang "extremely disciplined," noting that after gaining network access, the group triages compromised systems in search of valuable data to justify a full-scale attack. In its hunt for sensitive files, operators use keywords such as "clandestine," "fraud," "ssn," "driver*license," "passport" and "I-9."
Ransom note language also suggests the threat actors portray the campaign as a "professional" endeavor - calling victims "partners," researchers say.
A tool stored on the group's staging server - called "HappyEnd.bat" - is likely used to finalize an attack, Palo Alto Networks reports.
Based on its tactics, the Mespinoza gang may have limited resources, says Frank Downs, former offensive analyst for the U.S. National Security Agency.
"The efficacy of open-source tools is up for debate - as they are usually used by organizations with a limited budget," he says. "These criminals may have more time than money when planning and executing their attacks."
Downs, who now serves as a director at the security firm BlueVoyant, says that while open-source tools are free, they usually are not nearly as user-friendly as other options.
To thwart Mespinoza attacks, Downs recommends that organizations strengthen vulnerable RDP servers using nondefault passwords and multifactor authentication, along with additional protective controls, such as nontraditional port assignments and IP filters.
A recent report published by France's National Agency for the Security of Information Systems said threat actors were delivering a payload similar to PYSA, written in the Go programming language, which was determined to be an earlier, unobfuscated version. Experts say the backdoor was written in Go and used the open-source tool Gobfuscate to conceal its payload.
Palo Alto Networks says one recent Mespinoza incident used a similar approach - accessing a system via remote desktop, running a series of batch scripts and using the PsExec tool to copy and execute ransomware on other systems on the network. Operators ran PowerShell scripts to exfiltrate files of interest and maximize the impact of the attack.
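The two behaviours described above, RDP logons through the internet-facing "front door" and PsExec being used to push the payload to other hosts, both leave ordinary Windows event log traces. The following Python triage routine is an added example, not code from the report or the article: it runs over constructed sample event records (field names mirror what a SIEM typically extracts from Security event 4624 and System event 7045), flags interactive RDP logons (logon type 10) from addresses outside an assumed internal allowlist, and flags service installations that match PsExec's default PSEXESVC service name.

```python
import ipaddress

# Constructed sample Windows event records (not from the report). Field names
# are assumed to follow a typical SIEM extraction of the Windows event XML.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10,
     "IpAddress": "203.0.113.45", "TargetUserName": "admin"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10,
     "IpAddress": "10.0.5.12", "TargetUserName": "helpdesk"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3,
     "IpAddress": "203.0.113.45", "TargetUserName": "svc"},
    {"EventID": 7045, "Computer": "WS17", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "WS18", "ServiceName": "Backup Agent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
]


def is_allowed_source(ip, allowed_nets):
    """True if ip parses and falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed_nets)


def detect(events, allowed_rdp_nets):
    """Return (rule, host, detail) findings for RDP-from-outside and PsExec service installs."""
    nets = [ipaddress.ip_network(n) for n in allowed_rdp_nets]
    findings = []
    for ev in events:
        # 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 10:
            if not is_allowed_source(ev.get("IpAddress", ""), nets):
                findings.append(("rdp_from_unexpected_source", ev["Computer"], ev["IpAddress"]))
        # 7045 is "a service was installed"; PsExec's default service is PSEXESVC.
        elif ev.get("EventID") == 7045:
            name = ev.get("ServiceName", "").lower()
            path = ev.get("ImagePath", "").lower()
            if name.startswith("psexesvc") or "psexesvc" in path:
                findings.append(("psexec_service_install", ev["Computer"], ev["ServiceName"]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, ["10.0.0.0/8"]):
        print(f)
```

The allowlist of internal ranges is an assumption for the example; a renamed PsExec service (via its -r option) would not match the name check, so pair this with the image path or a process-creation rule in production.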