Report sheds light on ‘cocky’ but ‘creative’ Mespinoza ransomware group

Palo Alto Networks’ Unit 42 has probed the methods and tactics of the Mespinoza ransomware group, finding its messaging “cocky” and its tools blessed with “creative names” – but turned up no evidence to suggest the group has shifted to ransomware-as-a-service.

“Mespinoza attacks, such as those documented in this report, highlight multiple trends currently occurring amongst multiple ransomware threat actors and families that clearly enable their attacks, and make them easy and simple to use,” the report researchers explained.

“As with other ransomware attacks, Mespinoza originates through the proverbial front door – internet-facing RDP servers – mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities. Further costs are saved through the use of numerous open-source tools available online for free, or through the use of built-in tools enabling actors to live off the land, all of which benefits bottom line expenses and profits.”

The Mespinoza group, while not as prolific as the better-known REvil, has enjoyed considerable success from its activities: Unit 42’s investigation showed victims paying up to $470,000 per incident to unlock their files, primarily from targets in the US and UK – including an attack on Hackney Council in October last year.

Alex Hinchliffe, threat intelligence analyst at Unit 42 and one of the report’s authors, told The Register that the “surgical nature” of the atacks investigated came as a surprise. “Sadly this isn’t limited to just Mespinoza, but also other groups of late,” he explained.

“Once they have a victim in their sights, they can go from breach to exfiltration to ransomware quite quickly and with precision. One case, which was by no means the fastest, took less than three days from breaching the network over RDP to network reconnaissance and credential harvesting to exfiltrating relevant data on the second day and deploying the ransomware on the third day.

“Much of this comes down to good tooling, the second thing that surprised me,” Hinchliffe continued. “Through the use of various open-source tools – mostly designed for use by sysadmins and pen-testers – the Mespinoza actors are able to move around the network with ease, looking for high-value data for maximum leverage as they go, and staging the latter parts of their attack to encrypt as many systems as possible.”

The group was found to target the education sector more than any other, with manufacturing, retail, and medical trailing behind. While the presence of the latter in the target list may suggest a particular lack of moral fibre, the group was found least likely to target charities, defence organisations, and religious groups – though whether out of respect for their work or an understanding that bigger payouts can be had elsewhere was not clear.

Any such rule on targeting charities may also enjoy considerable flexibility: the group, also known as “Pysa,” had been put forward as potentially responsible for an attack on the Salvation Army.

Unit 42’s investigation also turned up evidence to suggest earlier reports the Mespinoza group was following in REvil’s footsteps and offering ransomware-as-a-service are wrong-footed. “We have not observed this behaviour from the group,” the report explained, “based on the ransomware cases we’ve investigated.”

The group’s communications, described by the researchers as “cocky,” may have misled on that front. “Victim organisations are referred to as ‘partners,'” the researchers found. “Use of that term suggests that they try to run the group as a professional enterprise and see victims as business partners who fund their profits.”

As with the tactics highlighted in Unit 42’s earlier analysis of the REvil ransomware group, Mespinoza’s entry point into targets is depressingly simple: public-facing Remote Desktop Protocol (RDP) servers. Once a target is compromised, the group is “extremely disciplined” in its approach, the report claimed.

“After accessing a new network,” the researchers found, “the group studies compromised systems in what we believe is triage to determine whether there’s enough valuable data to justify launching a full-scale attack. They look for keywords including ‘clandestine’, ‘fraud’, ‘ssn’, ‘driver*license’, ‘passport’ and ‘I-9’. That suggests they are hunting for sensitive files that would have the most impact if leaked.”

“Generally speaking RDP and other remote administration tools have become a high-value target for many cybercriminals and nation-state adversaries because of how simple it is to find them,” Hinchliffe told us. “Using commercial or home-grown internet scanners coupled with the fact the internet can now be scanned in a matter of minutes, by anyone, means that anyone and any service is a potential target.”

“There’s really no reason to expose RDP directly to the public internet in this day and age,” security researcher Tom Hudson told The Register of the all-too-familiar entry point for Mespinoza’s attacks. “If you need RDP access over the internet you should be requiring the use of a VPN with multi-factor authentication enforced.”

A full list of files targeted for infiltration, found using a PowerShell script running on a compromised system, suggests that the group could not only double-dip on the ransom front but also blackmail companies with their own dirty laundry: as well as “clandestine” and “fraud” the list includes “illegal”, “secret”, “concealed”, “criminal”, and “compromate” – the latter an apparent misspelling of “kompromat,” the Russian word for compromising material gathered on a person or business for reasons of blackmail, previously seen in the PyXie malware.

While Mespinoza might not be above copying target lists from other malware groups, it shows apparent originality in another area: naming its tools. “A tool that creates network tunnels to siphon off data is called ‘MagicSocks’,” the report noted. “A component stored on their staging server and likely used to wrap up an attack is named ‘HappyEnd.bat’.”

The full report is available from the Unit 42 website. ®