Mespinoza ransomware gang flies under the radar while ramping up attacks

source link: https://siliconangle.com/2021/07/15/mespinoza-ransomware-gang-flies-radar-ramping-attacks/

A new report from Palo Alto Networks Inc.’s Unit 42 released today details a prolific ransomware gang that has mostly gone under the radar amid attacks from better-known groups such as REvil, DarkSide and Ragnar Locker.

Called Mespinoza, the ransomware gang uses what the Palo Alto researchers describe as “whimsical terms” to name its hacking tools. The gang calls its victims “partners” and attacks with tools called “Gasket” and “MagicSocks,” while on its staging server, a file is named “HappyEnd.bat.”

Mespinoza has been found to be targeting education, manufacturing, retail, medical, government, high-tech, transportation and logistics, engineering and social services, among others. Ransom demands have been as high as $1.6 million, with payments as high as $470,000.

The increasing activity by the ransomware gang, also known as PYSA, has drawn the attention of the U.S. Federal Bureau of Investigation. The FBI published a warning in March that the group was targeting education institutions in 12 U.S. states and the U.K., but its target scope has broadened since.

Mespinoza targets many industries, with the gang’s leak site hosting data it claims belongs to 187 victim organizations. Some 55% of victims identified on the leak site are from the U.S., while the rest are spread across 20 countries, including Canada, Brazil, the U.K., Italy, Spain, France, Germany, South Africa and Australia.

The group is described as being extremely disciplined. After accessing a new network, the group studies systems in what the researchers believe is a triage to determine whether there’s enough valuable data to justify launching a full-scale attack. Suggesting that the gang looks for high-impact data, Mespinoza searches for terms including clandestine, fraud, SSN, driver’s license, passport and I-9. 

In one recent attack, Mespinoza deployed ransomware by accessing a system via remote desktop and running a series of batch scripts that use PsExec, a Windows telnet-replacement tool, to copy and execute the ransomware on other systems on the network.
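The deployment pattern described above (an interactive session followed by batch scripts that use PsExec to copy a payload to many other hosts) has a recognizable footprint in process-creation telemetry. The following is an added detection example, not code from the original article or from Unit 42's report: it runs over a handful of constructed process-creation records (the field names, host names and users are invented for illustration) and flags a single host/user pair that copies a payload to several remote machines with PsExec in quick succession. The `-c` and `\\host` arguments are PsExec's real copy and target syntax; the `min_targets` threshold is an assumption a defender would tune to their environment.

```python
import re

# Constructed sample process-creation records (not real logs). The shape
# mirrors what an EDR or Sysmon process-create event carries; every value
# below is invented for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Temp\\deploy.bat"'},
    # batch script fans out with PsExec: copy (-c) a payload, run as SYSTEM (-s)
    {"host": "ws01", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Temp\\psexec.exe",
     "cmdline": 'psexec.exe \\\\fileserver01 -c -d -s C:\\Temp\\update.exe'},
    {"host": "ws01", "user": "CORP\\jdoe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Temp\\psexec.exe",
     "cmdline": 'psexec.exe \\\\hr-db02 -c -d -s C:\\Temp\\update.exe'},
    # legitimate admin use: remote command, nothing copied
    {"host": "admin01", "user": "CORP\\itops",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Tools\\PsExec.exe",
     "cmdline": 'PsExec.exe \\\\printsrv ipconfig /all'},
    {"host": "ws02", "user": "CORP\\asmith",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\App\\app.exe",
     "cmdline": "app.exe"},
]

PSEXEC_NAMES = {"psexec.exe", "psexec64.exe"}
# "\\hostname" as the remote target argument (two literal backslashes)
TARGET_RE = re.compile(r"\\\\([\w.-]+)")
# PsExec's -c switch copies the named program to the remote host before running it
COPY_FLAG_RE = re.compile(r"(?:^|\s)-c(?:\s|$)", re.IGNORECASE)


def is_psexec(event):
    """True if the created process image is PsExec, whatever directory it runs from."""
    return event["image"].rsplit("\\", 1)[-1].lower() in PSEXEC_NAMES


def psexec_copy_targets(events):
    """Group PsExec invocations that copy a payload by the (host, user) that ran them.

    Returns {(host, user): set of remote target hostnames}.
    """
    grouped = {}
    for ev in events:
        if not is_psexec(ev):
            continue
        if not COPY_FLAG_RE.search(ev["cmdline"]):
            continue  # remote command only, no payload copied
        match = TARGET_RE.search(ev["cmdline"])
        if not match:
            continue  # local execution, not lateral movement
        key = (ev["host"], ev["user"])
        grouped.setdefault(key, set()).add(match.group(1).lower())
    return grouped


def detect_psexec_fanout(events, min_targets=2):
    """Flag a source host/user that pushes a payload to min_targets or more machines.

    One PsExec copy may be routine administration; the same principal copying
    the same way to several hosts is the fan-out pattern worth investigating.
    """
    findings = []
    for (host, user), targets in psexec_copy_targets(events).items():
        if len(targets) >= min_targets:
            findings.append({"host": host, "user": user, "targets": sorted(targets)})
    return findings


if __name__ == "__main__":
    for finding in detect_psexec_fanout(SAMPLE_EVENTS):
        print(f"PsExec fan-out from {finding['host']} as {finding['user']}: "
              f"{', '.join(finding['targets'])}")
```

In a real pipeline the grouping key would also carry a time window, and the finding would be enriched with the parent's command line (here a `.bat` run from `cmd.exe`) so the responder can pull the script itself; the sample keeps only the fields needed to show the logic.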

Although the report details how the ransomware gang operates, one thing it does not identify is the origin of the Mespinoza gang. Surprisingly, the gang does not appear to come from the usual suspects of Russia, China, Iran or North Korea: according to Cynet, it is associated with an unknown French advanced persistent threat group.

“Mespinoza attacks, such as those documented in this report, highlight multiple trends currently occurring amongst multiple ransomware threat actors and families that clearly enable their attacks and make them easy and simple to use in their attacks,” the report concludes.

Image: Palo Alto Networks 
