Ransomware Profile: Mespinoza / PYSA

Mespinoza, sometimes referred to as PYSA, is a ransomware variant that primarily targets large organizations with high-value data assets. It is one of the few strains that target both Windows and Linux systems. Due to severe flaws in the Mespinoza decryptor, there is a significant risk of data corruption occurring when using the attacker-provided decryptor.

What is Mespinoza?

Mespinoza is a strain of ransomware that encrypts files and demands a large ransom for their decryption. Mespinoza is sometimes referred to as PYSA due to the .pysa file extension that new versions of the ransomware append to encrypted files.

Mespinoza is categorized as ransomware-as-a-service (RaaS), a business model used by ransomware developers in which the ransomware is leased to affiliates who can earn a portion of ransom payments in exchange for infecting systems.

Like many other ransomware groups, Mespinoza uses data exfiltration as a conversion tactic to pressure victims into paying the ransom. If the victim refuses to pay the ransom, the stolen data may then be published on Mespinoza’s leak site or sold.

Paying attackers does not guarantee safe data recovery

With any attacker-provided decryptor, there is a risk that data may be damaged during the decryption process. With Mespinoza, the risk is particularly pronounced due to the way the decryptor handles block ciphers (an encryption method that operates on blocks of data of a fixed size – in this case, 16 bytes). As a result, files may not open or may contain missing or incorrect data once they have been decrypted.

It is also important to note that paying the ransom does not guarantee the non-release of exfiltrated data. We have seen confirmed instances of Mespinoza leaking stolen data even after the victim company has paid the ransom. For these reasons, organizations that have been impacted by Mespinoza should be extremely wary of co-operating with attackers.

Emsisoft’s decryption tool can safely decrypt data encrypted by Mespinoza, provided the victim has obtained the decryption keys. The tool can also identify which data has been corrupted and can no longer be trusted. Mespinoza’s decryptor does not have the capability to identify damaged data.

The history of Mespinoza

Mespinoza was first observed in October 2019. It originally appended the .locked extension to encrypted files before shifting to using the .pysa extension in December 2019. The developers of Mespinoza have rewritten the malware several times since its release, including a .NET, C++ and Python version, each with its own quirks that can potentially damage data during decryption.

Since Mespinoza was first discovered, there have been 531 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files. We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 2,124 Mespinoza incidents since the ransomware’s inception. During this time, the group has also published on its leak site the stolen data of at least 104 organizations.

In March 2020, the French National Agency for the Security of Information Systems issued an alert warning of a spike of Mespinoza attacks on the networks of local French government authorities.

In March 2021, the FBI issued a similar alert following a surge of Mespinoza attacks in the education sector. The alert stated that the group had targeted higher education, K-12 schools and seminaries in 12 U.S. states and the United Kingdom.

Mespinoza ransom note

After encrypting data on the compromised system, Mespinoza drops a note called Readme.README.txt in all infected directories. The note contains instructions on how to contact the attackers and threatens that the victim’s data will be leaked or sold in the event of non-payment. The ransomware also adds a reference to the system registry to display the ransom note every time the device is booted.

Below is a sample Mespinoza ransom note:

Hi Company,

Every byte on any types of your devices was encrypted.

Don’t try to use backups because it were encrypted too.

 

To get all your data back contact us:

[REDACTED]

[REDACTED]

 

Also, be aware that we downloaded files from your servers and in case of non-payment we will be forced to upload them on our website, and if necessary, we will sell them on the darknet.

Check out our website, we just posted there new updates for our partners: [REDACTED]

 

————–

FAQ:

1.

Q: How can I make sure you don’t fooling me?

A: You can send us 2 files (max 2mb).

 

2.

Q: What to do to get all data back?

A: Don’t restart the computer, don’t move files and write us.

 

3.

Q: What to tell my boss?

A: Protect Your System Amigo.

Who does Mespinoza target?

Mespinoza is big-game ransomware that primarily targets large organizations that are especially sensitive to data loss and/or system downtime. This includes organizations in the healthcare, government and education sectors, as well as private businesses across multiple verticals. Mespinoza is one of a handful of ransomware groups that attacks both Windows and Linux systems.

How does Mespinoza spread?

Threat actors typically gain access to the target network via compromised remote desktop protocol credentials or phishing emails. After the network has been compromised, attackers use open source tools like Advanced Port Scanner and Advanced IP Scanner to perform network reconnaissance, and establish a stronger foothold through the use of tools like PowerShell Empire, Koadic and Mimikatz. Unlike some other ransomware families, Mespinoza does not delete shadow copies before decryption.

Prior to encryption, attackers exfiltrate files from the victim’s network using tools such as WinSCP. Stolen data may also be uploaded to MEGA.NZ, cloud storage and file sharing service, either by uploading the data through the MEGA website or by installing the MEGA client on a compromised endpoint.

Threat actors then deploy the ransomware, which encrypts most files on the system using RSA-4096 and AES-256-CFB encryption. The ransomware does not encrypt crucial operating systems files that are necessary for the victim to process the ransom payment and decrypt data.

As Mespinoza operates as a RaaS and can be distributed by many different affiliates, the exact anatomy of an attack can vary from incident to incident.

Major Mespinoza attacks

How to protect the network from Mespinoza and other ransomware

The following practices may help organizations reduce the risk of a Mespinoza incident.

How to remove Mespinoza and other ransomware

Mespinoza uses encryption methods that currently make it impossible to decrypt data without paying for an attacker-supplied decryption tool.

Victims of Mespinoza should be prepared to restore their systems from backups, using processes that should be defined in the organization’s incident response plan. The following actions are recommended:

Emsisoft Endpoint Protection: Award-Winning Security Made Simple

Experience effortless next-gen technology. Start Free Trial

 

Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next