Ransomware Profile: Mespinoza / PYSA
#1
Bug 
[Image: MESPINOZA-PYSA.png.webp]

Mespinoza, sometimes referred to as PYSA, is a ransomware variant that primarily targets large organizations with high-value data assets. It is one of the few strains that target both Windows and Linux systems. Because of serious flaws in the Mespinoza decryptor, there is a significant risk of data corruption when the attacker-provided decryptor is used.

What is Mespinoza?

Mespinoza is a strain of ransomware that encrypts files and demands a large ransom for their decryption. Mespinoza is sometimes referred to as PYSA due to the .pysa file extension that new versions of the ransomware append to encrypted files.

Mespinoza is categorized as ransomware-as-a-service (RaaS), a business model used by ransomware developers in which the ransomware is leased to affiliates who can earn a portion of ransom payments in exchange for infecting systems.

Like many other ransomware groups, Mespinoza uses data exfiltration as additional leverage to pressure victims into paying the ransom. If the victim refuses to pay, the stolen data may be published on Mespinoza’s leak site or sold.

Paying attackers does not guarantee safe data recovery

With any attacker-provided decryptor, there is a risk that data may be damaged during decryption. With Mespinoza, the risk is particularly pronounced because of the way the decryptor handles block-cipher output (a block cipher operates on fixed-size blocks of data, 16 bytes in this case). As a result, decrypted files may not open, or may contain missing or incorrect data.

It is also important to note that paying the ransom does not guarantee that exfiltrated data will not be released. We have seen confirmed instances of Mespinoza leaking stolen data even after the victim has paid. For these reasons, organizations impacted by Mespinoza should be extremely wary of cooperating with the attackers.

Emsisoft’s decryption tool can safely decrypt data encrypted by Mespinoza, provided the victim has obtained the decryption keys. The tool can also identify which data has been corrupted and can no longer be trusted. Mespinoza’s decryptor does not have the capability to identify damaged data.
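
One way to spot decryptor damage of the kind described above, as an added example that is not Emsisoft's tool or any Mespinoza code: check each recovered file against what its format promises (a known header, a mandatory trailer, or a container CRC) and report the ones that fail. The sample files are constructed inline; the zeroed 16-byte tail on the damaged PNG mimics a mis-decrypted final cipher block in general, not the specific defect in the Mespinoza decryptor, which this profile does not detail.

```python
from pathlib import Path
from tempfile import mkdtemp
from typing import Dict, Optional
import zipfile

# Real format signatures used by the checks below.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # final chunk of every valid PNG
HEADER_MAGIC = {
    ".png": PNG_SIG,
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",                    # OOXML is a zip container
}


def check_file(path: Path) -> Optional[str]:
    """Return a reason string if the file fails its format's sanity checks, else None.

    The header check catches a file whose first block came back wrong; the
    trailer and CRC checks catch the more common case of a mangled final block.
    """
    data = path.read_bytes()
    ext = path.suffix.lower()
    magic = HEADER_MAGIC.get(ext)
    if magic is None:
        return None                                # no format knowledge, cannot judge
    if not data.startswith(magic):
        return "header does not match extension"
    if ext == ".png" and not data.endswith(PNG_IEND):
        return "PNG IEND trailer missing: tail of file damaged"
    if ext == ".pdf" and b"%%EOF" not in data[-1024:]:
        return "PDF %%EOF marker absent from last 1 KiB"
    if ext in (".zip", ".docx"):
        try:
            with zipfile.ZipFile(path) as zf:
                bad = zf.testzip()                 # CRC-checks every member
        except zipfile.BadZipFile as exc:
            return f"zip structure unreadable: {exc}"
        if bad is not None:
            return f"zip member {bad!r} fails its CRC"
    return None


def triage(root: Path) -> Dict[str, str]:
    """Map file name -> reason for every file under root that fails a check."""
    flagged: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reason = check_file(p)
            if reason:
                flagged[p.name] = reason
    return flagged


def build_samples(root: Path) -> None:
    """Write constructed samples: three intact files and three with damaged tails."""
    png = PNG_SIG + b"\x00" * 64 + PNG_IEND
    (root / "intact.png").write_bytes(png)
    # Last 16-byte block zeroed: the shape of damage left behind when a decryptor
    # drops or mis-decrypts the final cipher block (constructed, not a real sample).
    (root / "damaged.png").write_bytes(png[:-16] + b"\x00" * 16)

    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    (root / "intact.pdf").write_bytes(pdf)
    (root / "truncated.pdf").write_bytes(pdf[:-16])  # tail, including %%EOF, lost

    with zipfile.ZipFile(root / "intact.zip", "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("notes.txt", b"quarterly figures\n" * 40)
    good = bytearray((root / "intact.zip").read_bytes())
    good[48] ^= 0xFF                               # flip one byte inside the stored member
    (root / "bad.zip").write_bytes(bytes(good))


def demo() -> Dict[str, str]:
    """Build the samples in a temporary directory and return the triage result."""
    root = Path(mkdtemp(prefix="decrypt-triage-"))
    build_samples(root)
    return triage(root)


if __name__ == "__main__":
    for name, why in demo().items():
        print(f"{name}: {why}")
```

Run it against a real recovery by calling triage(Path("/path/to/decrypted")). Files in formats the table does not know come back clean only because nothing could be checked, so extend HEADER_MAGIC for the formats that matter in the environment, and where any backups or known-good hashes survive, compare against those as well.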

The history of Mespinoza

Mespinoza was first observed in October 2019. It originally appended the .locked extension to encrypted files before shifting to the .pysa extension in December 2019. The developers of Mespinoza have rewritten the malware several times since its release, including .NET, C++ and Python versions, each with its own quirks that can damage data during decryption.

Since Mespinoza was first discovered, there have been 531 submissions to ID Ransomware, an online tool that helps ransomware victims identify which strain has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which suggests there may have been around 2,124 Mespinoza incidents since the ransomware’s inception. During this time, the group has also published the stolen data of at least 104 organizations on its leak site.

In March 2020, the French National Agency for the Security of Information Systems (ANSSI) issued an alert warning of a spike in Mespinoza attacks on the networks of local French government authorities.

In March 2021, the FBI issued a similar alert following a surge of Mespinoza attacks in the education sector. The alert stated that the group had targeted higher education, K-12 schools and seminaries in 12 U.S. states and the United Kingdom.

Mespinoza ransom note

After encrypting data on the compromised system, Mespinoza drops a note called Readme.README.txt in every directory it has encrypted. The note contains instructions on how to contact the attackers and threatens that the victim’s data will be leaked or sold if the ransom is not paid. The ransomware also adds a registry entry so that the ransom note is displayed every time the device boots.
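
A small scoping script for the indicators this section gives (the .pysa and older .locked extensions and the Readme.README.txt note), added here as an example rather than taken from Emsisoft or the malware: it inventories encrypted files per extension, lists which directories received a note, and checks a .reg export for autorun values that point at the note. The registry key the ransomware actually uses is not stated in the profile; the Run keys in the constructed sample export, the value name "Readme", the notepad command and all file names are assumptions.

```python
import re
from collections import Counter
from pathlib import Path
from tempfile import mkdtemp
from typing import Dict, List, Tuple

ENCRYPTED_EXTS = {".pysa", ".locked"}   # .locked on early builds, .pysa from December 2019
NOTE_NAME = "readme.readme.txt"         # dropped into each encrypted directory

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def scan_tree(root: Path) -> Dict[str, object]:
    """Count encrypted files per extension and list directories holding a ransom note."""
    per_ext: Counter = Counter()
    note_dirs: List[str] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() == NOTE_NAME:
            note_dirs.append(p.parent.relative_to(root).as_posix())
        elif p.suffix.lower() in ENCRYPTED_EXTS:
            per_ext[p.suffix.lower()] += 1
    return {"encrypted": dict(per_ext), "note_dirs": sorted(note_dirs)}


def autorun_note_hits(reg_export: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) for every value whose data names the ransom note.

    Input is the text of a Regedit / `reg export` .reg file. Every key in the
    export is inspected, so the caller decides which keys to export; the Run
    keys are the usual suspects but are an assumption, not something the
    profile states.
    """
    hits: List[Tuple[str, str, str]] = []
    key = ""
    for line in reg_export.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        data = re.sub(r"\\(.)", r"\1", m.group("value"))   # undo .reg escaping of \ and "
        if NOTE_NAME in data.lower():
            hits.append((key, m.group("name"), data))
    return hits


# Constructed sample export: two benign autoruns and one pointing at the note.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Readme"="notepad.exe C:\\Users\\Public\\Readme.README.txt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''


def demo() -> Tuple[Dict[str, object], List[Tuple[str, str, str]]]:
    """Build a constructed file tree in a temp directory and run both checks."""
    root = Path(mkdtemp(prefix="pysa-triage-"))
    (root / "finance").mkdir()
    (root / "archive").mkdir()
    for rel in ("finance/q3.xlsx.pysa", "finance/board.docx.pysa", "archive/old.txt.locked"):
        (root / rel).write_bytes(b"\x00" * 32)          # placeholder ciphertext
    for d in (root, root / "finance"):                  # archive/ got no note
        (d / "Readme.README.txt").write_text("Hi Company,\n")
    return scan_tree(root), autorun_note_hits(SAMPLE_REG)


if __name__ == "__main__":
    tree, hits = demo()
    print(tree)
    for key, name, cmd in hits:
        print(f"{key}\\{name} -> {cmd}")
```

On a live host, point scan_tree at each mounted volume and feed autorun_note_hits the output of `reg export` for the HKLM and HKCU Run and RunOnce keys (the export is UTF-16; decode it before passing the text in). A directory full of .pysa files that has no note, like archive/ in the sample, is worth a closer look, since the profile says the note is written to every encrypted directory.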

Below is a sample Mespinoza ransom note:
 
Hi Company,
Every byte on any types of your devices was encrypted.
Don’t try to use backups because it were encrypted too.
 
To get all your data back contact us:
[REDACTED]
[REDACTED]
 
Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet.
Check out our website, we just posted there new updates for our partners: [REDACTED]
 
————–
FAQ:
1.
Q: How can I make sure you don’t fooling me?
A: You can send us 2 files (max 2mb).
 
2.
Q: What to do to get all data back?
A: Don’t restart the computer, don’t move files and write us.
 
3.
Q: What to tell my boss?
A: Protect Your System Amigo.

Who does Mespinoza target?

Mespinoza is big-game ransomware that primarily targets large organizations that are especially sensitive to data loss and/or system downtime. This includes organizations in the healthcare, government and education sectors, as well as private businesses across multiple verticals. Mespinoza is one of a handful of ransomware groups that attack both Windows and Linux systems.
...

