Threat actors are deploying the Mespinoza/PYSA ransomware by gaining access to a system via Remote Desktop Protocol (RDP) and then copying and executing the ransomware on other systems on the network. Before deploying the ransomware to those systems, the attackers run PowerShell scripts on them to exfiltrate files of interest and to maximize the impact of the ransomware.
▪ Mespinoza ransomware, also known as PYSA, is capable of exfiltrating data and encrypting important files and data stored on victims' systems.
▪ Mespinoza/PYSA operators leverage double-extortion tactics as they exfiltrate data prior to deploying the ransomware so they can later threaten to leak it. The attackers also install a backdoor named Gasket to maintain access to the network.
▪ Gasket enables a capability called “MagicSocks,” which uses the open-source Chisel project to create tunnels for continued remote access to the network.
Figure 1: Mespinoza/PYSA leak site
▪ Threat actors gather and exfiltrate the sensitive files whose exposure would have the most impact on the organization. Files of interest are selected by name; targeted file names include the sub-strings “secret,” “fraud” and “SWIFT.”
▪ The ransomware enumerates the file system, encrypts files with an asymmetric cipher, renames the encrypted files with a specific extension (.pysa) and displays a ransom message.
▪ Prior to deploying Mespinoza, the attackers run a PowerShell script that exfiltrates potentially sensitive files from the compromised network, either as a double-extortion attempt or to increase leverage in ransom payment negotiations.
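The deployment pattern described above (an interactive RDP logon, followed on the same host by PowerShell activity that searches for files whose names contain “secret,” “fraud” or “SWIFT”) can be turned into hunt logic. The following Python is an added example written for this page; it is not code from the original report or from the Mespinoza/PYSA operators. The event records are constructed, and the field names (host, event_id, logon_type, user, script) are assumptions standing in for what a SIEM would normalise from Windows Security event 4624 and PowerShell Operational event 4104. The 60-minute correlation window is also an assumption.

```python
"""
Added example (not from the original report): correlate RDP logons with
follow-on PowerShell script blocks that reference the exfiltration keywords.

Assumptions: events are dicts normalised from Windows logs; 4624 with
logon_type 10 is a RemoteInteractive (RDP) logon, 4104 is a PowerShell
script-block log (requires Script Block Logging to be enabled).
"""
from datetime import datetime, timedelta

# Sub-strings the report associates with the files selected for exfiltration.
KEYWORDS = ["secret", "fraud", "SWIFT"]

# Constructed sample events for the example. Host names, accounts, IPs and
# script contents are made up.
SAMPLE_EVENTS = [
    {"ts": "2021-05-03T01:12:04", "host": "FS01", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.0.5.22"},
    {"ts": "2021-05-03T01:13:30", "host": "FS01", "event_id": 4104,
     "user": "CORP\\svc_backup",
     "script": 'Get-ChildItem -Path \\\\FS01\\Shares -Recurse -File | '
               'Where-Object { $_.Name -match "secret|fraud|SWIFT" } | '
               'Compress-Archive -DestinationPath C:\\Windows\\Temp\\a.zip'},
    # Local console logon followed by benign PowerShell: not flagged.
    {"ts": "2021-05-03T09:00:00", "host": "WS07", "event_id": 4624,
     "logon_type": 2, "user": "CORP\\jdoe", "src_ip": "-"},
    {"ts": "2021-05-03T09:01:15", "host": "WS07", "event_id": 4104,
     "user": "CORP\\jdoe", "script": "Get-Date; Get-Process | Sort-Object CPU"},
    # RDP logon whose PowerShell activity falls outside the window: not flagged.
    {"ts": "2021-05-03T14:00:00", "host": "DC02", "event_id": 4624,
     "logon_type": 10, "user": "CORP\\admin", "src_ip": "10.0.9.3"},
    {"ts": "2021-05-03T16:30:00", "host": "DC02", "event_id": 4104,
     "user": "CORP\\admin", "script": "Get-ADUser -Filter *"},
]


def keyword_hits(script_text):
    """Return the report's sub-strings present in a script block (case-insensitive).

    Plain substring matching on purpose: the report describes sub-strings, not
    whole words. This is noisy on its own, so it is only used to raise severity.
    """
    lowered = script_text.lower()
    return [k for k in KEYWORDS if k.lower() in lowered]


def rdp_then_powershell(events, window=timedelta(minutes=60)):
    """Flag each RDP logon (4624, logon_type 10) that is followed within `window`
    by PowerShell script-block activity (4104) on the same host by the same
    account. Each alert records the exfiltration keywords seen in the script."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["ts"])
    rdp_logons = [e for e in ordered
                  if e["event_id"] == 4624 and e.get("logon_type") == 10]
    for logon in rdp_logons:
        t0 = datetime.fromisoformat(logon["ts"])
        for ev in ordered:
            if ev["event_id"] != 4104:
                continue
            if ev["host"] != logon["host"] or ev["user"] != logon["user"]:
                continue
            t1 = datetime.fromisoformat(ev["ts"])
            if not (t0 <= t1 <= t0 + window):
                continue
            hits = keyword_hits(ev["script"])
            alerts.append({
                "host": logon["host"],
                "user": logon["user"],
                "src_ip": logon["src_ip"],
                "rdp_logon": logon["ts"],
                "powershell": ev["ts"],
                "keywords": hits,
                # Keyword hits after an RDP logon match the reported tradecraft.
                "severity": "high" if hits else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in rdp_then_powershell(SAMPLE_EVENTS):
        print(alert)
```

Running the block against the constructed events yields one alert, for FS01, with all three keywords and severity “high”; the console logon on WS07 and the out-of-window activity on DC02 are not flagged. The keyword match alone is a weak signal (“SWIFT” and “secret” occur in unrelated administrative scripts), which is why it is only used to raise the severity of an alert that already rests on the RDP-then-PowerShell sequence the report describes. Event 4104 is only produced when PowerShell Script Block Logging is enabled, so the correlation will be blind on hosts where it is not.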