
Day 8: Mespinoza/Pysa Ransomware

Common Attack Vectors

  • Remote Desktop Protocol

Vulnerabilities Exploited

  • Linux network
  • Oracle WebLogic Server
  • Active Directory

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Healthcare

Threat actors target healthcare organizations to steal patients' names, financial records, social security numbers, and other personal information.

Education

Threat actors target educational institutions, stealing students' and employees' information including names, SSNs, and addresses.

Managed Services Providers (MSPs)

Threat actors target MSPs, shutting down servers and eroding customers' trust in the affected companies.

Recent Activity

Mespinoza breached an Australian money management company, MyBudget, and posted stolen data on the group's leak website; the attack caused 13 days of downtime.

Mespinoza infected the Hackney London Borough Council, impacting numerous government services including the systems residents used to pay rent and council tax, access housing benefit payments, and process land requests. Data including passport details, staff information, and photo IDs was posted on Mespinoza's leak website.

Mespinoza targeted California's Sierra College, causing it to temporarily lose access to its learning management system and taking its main website and payroll systems offline.

Common File Extensions

  • .locked
  • .pysa
  • .Mespinoza

Known Alias

  • Pysa

How Mespinoza/Pysa Ransomware is Distributed

Threat actors gain access to the target network using valid remote desktop protocol (RDP) credentials or through phishing emails. Once inside, they use freely available tools including Advanced Port Scanner and Advanced IP Scanner for network reconnaissance, then establish a foothold and move laterally with post-exploitation frameworks such as PowerShell Empire and Koadic, harvesting credentials with Mimikatz.

Before encryption begins, the attackers exfiltrate files from the victim's network using WinSCP. Stolen data is commonly uploaded to the MEGA.NZ cloud storage and file sharing service, either through the MEGA website or by installing the MEGA client on a compromised endpoint.

Finally, the threat actors deploy the Mespinoza ransomware, which encrypts files with AES-256-CFB and protects the AES key with RSA-4096. Critical operating system files are left unencrypted so that the machine remains usable for the ransom payment and decryption process.
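The tradecraft above maps onto telemetry that most endpoint sensors already collect: process creation (the scanners, Empire/Koadic launchers, Mimikatz, WinSCP, the MEGA client), outbound connections (mega.nz), and file writes with the ransomware's extensions. The hunt below is an added example, not SpearTip or ShadowSpear code. The event format (a list of dicts loosely modelled on Sysmon process, network and file events) and every sample event are constructed for this example; the Empire launcher flag pattern is the framework's well-known default stager, and the `.locked` extension is shared with other families, so it is correlated with other stages rather than alerted on alone.

```python
"""Hunt for the Mespinoza/Pysa attack chain in endpoint telemetry (added example)."""
import re
from collections import defaultdict

# Indicators taken from the distribution section of the page.
RECON_TOOLS = ("advanced_ip_scanner", "advanced_port_scanner")
POST_EXPLOIT_TOOLS = ("empire", "koadic", "mimikatz")
EXFIL_TOOLS = ("winscp", "megasync", "megacmd")          # WinSCP and the MEGA client
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz")
RANSOM_EXTENSIONS = (".pysa", ".locked", ".mespinoza")   # .locked is generic; rely on correlation

# Default PowerShell Empire launcher flags (-NoP -W Hidden -Enc ...), matched case-insensitively.
EMPIRE_LAUNCHER = re.compile(r"-nop\b.*-w(?:indowstyle)?\s+hidden\b.*-e(?:nc|ncodedcommand)?\b")


def classify(event):
    """Return the kill-chain stage an event indicates, or None if it is unremarkable."""
    etype = event["type"]
    if etype == "process":
        image = event.get("image", "").lower()
        cmdline = event.get("cmdline", "").lower()
        name = image.rsplit("\\", 1)[-1]                 # executable file name only
        if any(tool in name for tool in RECON_TOOLS):
            return "recon"
        if any(tool in name or tool in cmdline for tool in POST_EXPLOIT_TOOLS):
            return "post_exploitation"
        if EMPIRE_LAUNCHER.search(cmdline):
            return "post_exploitation"
        if any(tool in name for tool in EXFIL_TOOLS):
            return "exfiltration"
    elif etype == "network":
        dest = event.get("dest", "").lower()
        if any(dest == d or dest.endswith("." + d) for d in EXFIL_DOMAINS):
            return "exfiltration"
    elif etype == "file":
        if event.get("path", "").lower().endswith(RANSOM_EXTENSIONS):
            return "encryption"
    return None


def hunt(events):
    """Map each host to the distinct stages seen on it, in order of first appearance."""
    stages = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage and stage not in stages[ev["host"]]:
            stages[ev["host"]].append(stage)
    return dict(stages)


def escalate(events, min_stages=2):
    """Hosts showing two or more stages. A lone WinSCP launch is routine admin work;
    recon followed by exfiltration or encryption on the same host is not."""
    return sorted(host for host, seen in hunt(events).items() if len(seen) >= min_stages)


# Constructed sample telemetry: WS01 follows the full chain, WS02 is benign,
# ADM01 is an administrator legitimately using WinSCP.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\Advanced_IP_Scanner_2.5.exe", "cmdline": ""},
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"type": "process", "host": "WS01", "image": r"C:\Temp\mk.exe",
     "cmdline": "mk.exe privilege::debug sekurlsa::logonpasswords mimikatz"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "cmdline": ""},
    {"type": "network", "host": "WS01", "dest": "g.api.mega.co.nz", "port": 443},
    {"type": "file", "host": "WS01", "path": r"\\FS01\Finance\Q3_forecast.xlsx.pysa"},
    {"type": "process", "host": "WS02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": ""},
    {"type": "file", "host": "WS02", "path": r"C:\Users\bob\Documents\notes.txt"},
    {"type": "process", "host": "ADM01",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "cmdline": ""},
]

if __name__ == "__main__":
    for host, seen in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(seen)}")
    print("escalate:", escalate(SAMPLE_EVENTS))
```

Running the block prints `WS01: recon -> post_exploitation -> exfiltration -> encryption`, `ADM01: exfiltration`, and escalates only WS01. In production the same stage logic can be expressed as SIEM correlation rules; the point is to alert on the sequence, since each individual indicator (a port scanner, WinSCP, a `.locked` file) has a benign explanation on its own.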

ShadowSpear

SpearTip's ShadowSpear platform defends your environment with unparalleled resources, preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network, and endpoint devices to provide security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the attack cycle completes. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.