Cynet Ransomware Report: Mespinoza

Mespinoza Threat Overview

Mespinoza was first discovered in October 2019, but its first real large-scale campaign came a year later, in October 2020. Mespinoza (or Pysa) is associated with an unknown French APT group and was successfully deployed in an attack when the group claimed responsibility for a cyberattack on the East London Hackney Council – the local government authority for Borough of Hackney. The Council houses sensitive citizen information and is the billing authority for taxes.

According to security researchers, Mespinoza has successfully stolen important data such as passports, rent bills, crew data, and intelligence information on the security community. The data stolen in successful Mespinoza/Pysa attacks has been leaked on public-facing websites.

Mespinoza or Pysa holds a Python variant of the ransomware that can easily be executed using a Python interpreter.

Unlike other ransomware, Pysa does not delete shadow copies before encryption, which means that backups will provide a viable countermeasure to remediate the attack.

Static Analysis

The file’s magic bytes indicate that the file is Portable Executable for Microsoft Windows.

Meta-Data

Additional names:

First, we verify that the file is an executable and not packed before dynamically analyzing it.

Next, we review the static strings and imports of the file that indicate where to look when dynamically executing:

• “RegSetValueEx” – Sets a value under a registry key, can be used to create persistency.
• “ShellExecute” – Executes shell commands on a specified file.
• “GetSystemTimeAsFileTime” – Retrieves the current system date and time can be used to indicate the location for the endpoint.
• “CryptGenRandom” – Windows function in CryptoAPI generates random numbers, the algorithm of this function was never published so it is not recommended to use, this API is deprecated.

Dynamic Analysis & Attack Flow

Mespinoza.exe spawns a command-line child process “ShellExecute”, as we suspected from the static analysis.

This command will execute the batch file.

Attack Flow

Functionality and Behavior

Much like other ransomware variants, Mespinoza produces two separate lists.

The first list is the whitelist, or the exclude list. These paths will be excluded from the encryption process to allow the victim access to the payment process and the data decryption. The malware won’t encrypt crucial files for the operating system, but will focus on the important data saved on the endpoint.

Exclude:

The second list is the blacklist. This list contains extensions that the malware will target for encryption by adding to the original extension a .pysa extension with encryption. These files won’t be accessible to the user without the decryption key.

BlackList:

Found in the memory strings

Among the first files that the malware encrypts are the debugging tools that exist in the operating system, adding a .pysa extension. This technique can be used by the authors of ransomware to avoid analysis, thus extending the life of the ransomware attack.

Ransomware Note

The ransomware note usually contains instructions about payment information and consequences if the instructions are not followed.

In every path that the malware encrypts files, a “Readme” note is dropped to the same path.

The ransomware note contains instructions on how to decrypt the data along with email and domain contact details.

Sample Mespinoza or Pysa note:

Persistency Technique

The purpose of the persistency technique used by the malware is to ensure that the processes will remain able to communicate and that the attack will be completed even if it is interrupted (which means the malware will continue running in the backgrouond even after rebooting and logging back in). This technique could be implemented via known common methods such as Registry Keys, Schedule Task, DLLs Applications, Startup Folders, Process Injections, etc.

In this case, we are witnessing the persistence of the ransomware note.

Changing values on the following registry key using the API call “RegSetValueEx”

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

These registry keys are responsible for displaying messages during the Windows startup.

After rebooting the system we receive the following message:

Cleaning Tracks

The next step of the attack is to clean the malware’s tracks. Mespinoza creates a batch script file that is executed in the last phase of the attack.

The batch file is created in the following path:

“C:\Users\user\AppData\Local\Temp\update.bat”

Data – Leaked Site

Example of data leaked on a public-facing website is shown below.

Cynet VS Mespinoza

Cynet 360 protects your environment against this type of attack by detecting and preventing it from executing its malicious activities on hosts where the Cynet agent is deployed.

Note that our environment action is set to alert only, so as not to interrupt the Mespinoza ransomware flow. This lets Cynet detect every step of the attack.

The attack flow is detected using several detection mechanisms:

Malicious binary – Cynet detects a file that is flagged as malicious in Cynet’s EPS (endpoint scanner) built-in threat intelligence database. This database contains only critical IOCs (such as IOCs of ransomware, hacking tools, etc.).

Attempt to Run – Cynet’s AV/AI engine detects a malicious file that was loaded into memory.

File Dumped on the Disk – Cynet’s AV/AI engine detects a malicious file that was dumped on the disk.

Memory Pattern – Cynet detects when a file is loaded into memory and runs unique memory strings associated with the malware.

Ransomware Heuristic – Cynet detects suspicious behavior which can be associated with Ransomware (such as changing file extensions to “.Lock”).

Additionally, in many cases we have observed a pattern where ransomware targets vssadmin.

Advanced Detection Technology – Cynet detects execution of a command related to vssadmin activity. Vssadmin can be used to delete all the backups on the hosts and can be related to ransomware activity.

(Not related to the sample investigation.)

Ransomware Prevention Recommendations

• Backup your data on a routine.
  • At least one offline backup.
• Check for email attachment reliability.
• Never open links that are not familiar to you with your device.
• Avoid handing personal information when not necessary.
• Download only from trusted sites.
• Never pay the ransom.

Learn more in our detailed guide to ransomware prevention.

Learn more in our detailed guide to anti ransomware.

Remediation Recommendations

• Use Cynet’s built-in remediation option to disconnect the HOST from the network. (isolation)
• Block the traffic to the malicious domain mentioned
  • Wqmfzni2nvbbpk25.onion/
• Block the mentioned emails.
  • [email protected]
  • [email protected]
  • [email protected]
• Delete the malicious files if they exist.
• Run a scan using Cynet for suspicious or malicious indicators.
• Check for odd scheduled tasks recently added.
• Check for new startup applications/softwares/services.
• Restore files from backup if exist.
• Investigate incidents according to the organization’s policy.
• If necessary, re-image the endpoint.

Indicators Of Compromise

Contact Cynet CyOps (Cynet Security Operations Center)

The Cynet CyOps team is available to clients 24×7 for any issues, questions, or comments related to Cynet 360. For additional information, you may contact us directly at:

CyOps Mailbox – [email protected]

CyOps Team Leader – [email protected]

CyOps Manager – [email protected]

Israel +972 72-3369736

UK +44 2032 909051

US +1 (347) 474-0048