
Mespinoza Group Uses Unique Tools to Target Organizations

Palo Alto Networks' Unit 42 provides details about the methods and tactics employed by the Mespinoza ransomware group, which has been targeting multiple sectors across the globe with a focus on the education sector. The report also notes the group's bold messaging and the unusual names it gives its tools.

What was observed?

The Mespinoza (Pysa) ransomware gang has been targeting multiple sectors in the U.S., such as publishing, real estate, manufacturing, and education, with ransom demands as high as $1.6 million and payments of up to $470,000.
  • The group looks into the compromised systems for valuable or sensitive information.
  • Surprisingly, attackers label their victim organizations as partners. Experts suggest it might be because they see victims as business partners who fund their profits.
  • Most of the victims (55%) are in the U.S., but the group has hit organizations in more than 20 countries, including Canada, Brazil, Spain, the U.K., Italy, France, South Africa, Australia, and Germany.
  • The group uses a tool dubbed MagicSocks to create network tunnels for exfiltrating data. Additionally, a component named HappyEnd[.]bat is saved on the staging server to finish an attack.

Interesting insights

The ransomware group is more focused on the education sector than any other sector. It is observed to be least interested in targeting charities, defense organizations, and religious groups.
  • The ransomware group gains initial access through public-facing RDP servers.
  • Once a target is hacked, the group shows high discipline in its further approach and performs a thorough analysis of the victim machine to check for valuable data.
  • Further, the attackers use double-extortion tactics and install the Gasket backdoor.
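As an added example (not part of the Cyware summary or the Unit 42 report), the following defender-side check targets the entry vector named above: it scans Windows Security logon events for successful RDP (logon type 10) sessions originating outside internal address ranges, the kind of signal that exposes a public-facing RDP server. The simplified log format and the sample event lines are constructed for this illustration.

```python
import ipaddress
import re

# Constructed sample events in a simplified key=value rendering of
# Windows Security events 4624 (logon success) and 4625 (logon failure).
# The documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in
# for public source addresses.
SAMPLE_EVENTS = [
    "2021-07-15T02:13:44Z EventID=4624 LogonType=10 User=jdoe SrcIP=10.0.3.12",
    "2021-07-15T02:17:09Z EventID=4624 LogonType=10 User=svc_backup SrcIP=198.51.100.23",
    "2021-07-15T02:17:41Z EventID=4625 LogonType=10 User=administrator SrcIP=198.51.100.23",
    "2021-07-15T02:18:02Z EventID=4624 LogonType=2 User=alice SrcIP=-",
    "2021-07-15T02:20:55Z EventID=4624 LogonType=10 User=svc_backup SrcIP=203.0.113.7",
]

EVENT_RE = re.compile(r"EventID=(\d+) LogonType=(\d+) User=(\S+) SrcIP=(\S+)")

# Address space treated as internal: RFC 1918, loopback and link-local.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def is_external(ip_text):
    """True if ip_text parses as an IP address outside INTERNAL_NETS.

    Unparseable values such as the '-' Windows logs for local logons are
    treated as not external so they never raise a false alert.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_external_rdp_logons(lines):
    """Return (user, src_ip) pairs for successful RemoteInteractive logons
    (EventID 4624, LogonType 10) whose source address is external."""
    hits = []
    for line in lines:
        match = EVENT_RE.search(line)
        if not match:
            continue
        event_id, logon_type, user, src_ip = match.groups()
        if event_id == "4624" and logon_type == "10" and is_external(src_ip):
            hits.append((user, src_ip))
    return hits
```

Any hit from this check on a host that is not meant to accept RDP from the internet is worth investigating, and the same logic extends to a SIEM query over the real event fields.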

Conclusion

The recent report provides useful information regarding the Mespinoza ransomware group and its targets. Moreover, the ransomware gang used some additional tools and deployed a backdoor after gaining access to targeted networks. Using such artifacts, security professionals can keep an eye on the latest trends and update their defense strategies accordingly.

Cyware Publisher
