New ransomware group is attacking US firms and educational establishments

Mespinoza hacking gang hits organizations with ransom demands as high as $1.6 million

Security researchers have discovered a new ransomware group attacking US publishing, real estate, industrial manufacturing, and education organizations.

Dubbed Mespinoza, researchers at Unit 42, the cyber security consulting and threat intelligence team at Palo Alto Networks, said the gang’s website claimed to have 187 victims in various industries worldwide.

The victims are scattered across more than 20 countries, including the UK, Ireland, Spain, France, Germany, South Africa, Australia, US, Canada, and Brazil. The most targeted country was the US, according to a Mespinoza leak site, which reported 55% of victims were US organizations.

According to researchers‘ new report, the gang has hit victims with ransom demands as high as $1.6 million and received payments as high as $470,000.

The report detailed how the group operates. Researchers said the Mespinoza is highly disciplined. After accessing a new network, the group studies compromised systems in what we believe is triage to determine if there is enough valuable data to justify launching a full-scale attack. 

“They look for keywords including clandestine, fraud, social security numbers, driver’s license, passport and I-9. That suggests they are hunting for sensitive files that would have the most impact if leaked,” researchers said.

Related Resource

How to reduce the risk of phishing and ransomware

Top security concerns and tips for mitigation

Large letter 'O' against a background of a city - whitepaper from MimecastFree download

The ransomware gang also refers to victims as “partners.” That term suggests “they try to run the group as a professional enterprise and see victims as business partners who fund their profits,” said researchers. 

Mespinoza also uses a tool that creates network tunnels to siphon off data called “MagicSocks.” A component stored on their staging server and likely used to wrap up an attack is named “HappyEnd.bat.”

According to the researchers, in a recent incident, threat actors deployed the Mespinoza (also known as Pysa) ransomware by accessing a system via remote desktop and running a series of batch scripts that used the PsExec tool to copy and execute the ransomware on other systems on the network.

“Before deploying the ransomware to other systems, the actor runs PowerShell scripts on the other systems on the network to exfiltrate files of interest and to maximize the impact of the ransomware,” said researchers.

These attacks highlight current trends among multiple ransomware threat actors.

“As with other ransomware attacks, Mespinoza originates through the proverbial front door -- internet-facing RDP servers -- mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities,” said researchers.

Researchers added that the gang further reduces costs by using numerous free open source tools. They will also use built-in tools that enable actors to live off the land, benefitting bottom-line expenses and profits.

Featured Resources

2021 Thales access management index: Global edition

The challenges of trusted access in a cloud-first world

Free download

Transforming higher education for the digital era

The future is yours

Free download

Building a cloud-native, hybrid-multi cloud infrastructure

Get ready for hybrid-multi cloud databases, AI, and machine learning workloads

Free download

The next biggest shopping destination is the cloud

Know why retail businesses must move to the cloud

Free Download

Recommended

Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021
Hackers used MSHTML exploit a week before patches were ready
zero-day exploit

Hackers used MSHTML exploit a week before patches were ready

14 Oct 2021
Hackers fake DocuSign and offer fraudulent signing methods
document management systems (DMS)

Hackers fake DocuSign and offer fraudulent signing methods

14 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Supply chain breaches impacted 97% of firms in the past year
supply chain management (SCM)

Supply chain breaches impacted 97% of firms in the past year

12 Oct 2021