Palo Alto Networks researchers have detected a hacker group that targets organizations holding sensitive information about illegal activities and uses that information as leverage to extort money from its victims.
The Mespinoza ransomware group aka PYSA is known to demand large sums of money for its decryptor keys while threatening to publish sensitive information from compromised networks.
Mespinoza mostly targets US organizations in the manufacturing, retail, engineering and education sectors, as well as government institutions.
Palo Alto Networks has analyzed the Mespinoza group and described it as an “extremely disciplined” and organized criminal group. Researchers note that the group tries to find evidence of illegal activity and some other sensitive information to use for blackmailing in its double extortion schemes.
Like many groups, Mespinoza starts by securing a foothold in networks through exposed Remote Desktop Protocol (RDP) systems. It obtains the credentials needed to access those systems through either brute-force or phishing attacks.
Researchers have also seen the group deploy an additional payload to maintain persistence in compromised networks: a “backdoor” based on the code of the Gasket malware.
The ability to maintain persistence allows attackers to collect valuable details about the network and its users.
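The RDP foothold described above is the kind of activity defenders can spot in Windows Security logs before the persistence stage. The following is an added illustration, not code from Unit 42 or Palo Alto Networks: it runs a simple brute-force detector over a handful of constructed logon records shaped like Windows Event ID 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), flags any source that accumulates many failures in a short window, and reports whether that same source later logged on successfully. The event list, IP addresses, usernames and thresholds are all constructed for the example.

```python
"""Flag RDP brute-force activity in Windows Security logon events.

Added example (not Unit 42 / Palo Alto Networks code). Records are
constructed dicts that mirror a few fields of Windows Security events:
  event_id 4625 = failed logon, 4624 = successful logon,
  logon_type 10  = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime

RDP_LOGON_TYPE = 10

# Constructed sample events (times, IPs and users are made up for the example).
# 203.0.113.7 sprays several accounts within two minutes, then succeeds as jsmith.
# 198.51.100.9 fails twice, an hour apart (a user mistyping a password).
# 203.0.113.50 is a console (logon_type 2) failure and must be ignored.
SAMPLE_EVENTS = [
    {"time": "2021-07-15T02:00:01", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.7"},
    {"time": "2021-07-15T02:00:20", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.7"},
    {"time": "2021-07-15T02:00:45", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.7"},
    {"time": "2021-07-15T02:01:10", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.7"},
    {"time": "2021-07-15T02:01:30", "event_id": 4625, "logon_type": 10, "user": "svc_sql",       "src_ip": "203.0.113.7"},
    {"time": "2021-07-15T02:02:05", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "203.0.113.7"},
    {"time": "2021-07-15T02:02:40", "event_id": 4624, "logon_type": 10, "user": "jsmith",        "src_ip": "203.0.113.7"},
    {"time": "2021-07-15T01:30:00", "event_id": 4625, "logon_type": 10, "user": "jdoe",          "src_ip": "198.51.100.9"},
    {"time": "2021-07-15T02:30:00", "event_id": 4625, "logon_type": 10, "user": "jdoe",          "src_ip": "198.51.100.9"},
    {"time": "2021-07-15T02:05:00", "event_id": 4625, "logon_type": 2,  "user": "admin",         "src_ip": "203.0.113.50"},
]


def detect_rdp_bruteforce(events, threshold=5, window_seconds=300):
    """Return {src_ip: details} for sources with >= threshold failed RDP logons
    inside any window_seconds-long interval.

    details = {"failures": peak count in the window,
               "distinct_users": accounts tried in that window,
               "success_after": user of a later successful RDP logon from the
                                same source, or None}
    """
    failures = defaultdict(list)   # src_ip -> [(time, user), ...]
    successes = defaultdict(list)  # src_ip -> [(time, user), ...]
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue               # only RDP logons are of interest here
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4625:
            failures[ev["src_ip"]].append((t, ev["user"]))
        elif ev["event_id"] == 4624:
            successes[ev["src_ip"]].append((t, ev["user"]))

    alerts = {}
    for src, attempts in failures.items():
        attempts.sort()
        best, best_users, start = 0, set(), 0
        # Sliding window over the sorted failure times for this source.
        for end, (t_end, _) in enumerate(attempts):
            while (t_end - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_users = {u for _, u in attempts[start:end + 1]}
        if best < threshold:
            continue
        # A successful RDP logon after the burst began is the strongest signal
        # that the guessing worked and a foothold now exists.
        first_failure = attempts[0][0]
        later = [u for t, u in sorted(successes.get(src, [])) if t >= first_failure]
        alerts[src] = {
            "failures": best,
            "distinct_users": len(best_users),
            "success_after": later[0] if later else None,
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed RDP logons across "
              f"{info['distinct_users']} accounts; later success as {info['success_after']}")
```

In a real deployment the same logic would run over events pulled from the domain controllers or a SIEM, and the "success_after" case would be the one to escalate first, since it marks a host on which the persistence payload described above could already have been dropped.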
“They search using sensitive terms such as illegal, fraud, and criminal. In other words, the actors are also interested in illegal activities known to the organisation that could provide extreme leverage should a negotiation start,” said Alex Hinchliffe, threat intelligence analyst for Unit 42 at Palo Alto Networks.
The group is willing to negotiate with victims in exchange for a key to prevent the release of stolen information. Hackers initially demand over $1.5 million in ransoms, but then the price can go down significantly.
The group started operating in April 2020, just as the global pandemic started to affect many organizations. Mespinoza is not as notorious as some other ransomware groups, but its success suggests that it’s actively progressing.
“They’re relatively new but making a large impact given the number of victims listed on their leak site, and likely making a lot of money from their extortion,” said Hinchliffe.
It’s likely that they’ll continue targeting organisations that have unsecured RDP.
“Organisations need to know more about their attack surface area because without knowing their footprint, especially the internet-connected part, it’s almost impossible to see what’s happening, let alone defend against it,” said Hinchliffe. “Far too many organisations have services such as RDP exposed to the internet and are exposing themselves to the risk of remotely launched attacks, negating the need for the threat actor to create and deliver phishing attacks at much higher cost to them,” Hinchliffe added.