Strange Ransom Threat Actor Seeks Unusual Victims
The Mespinoza ransomware gang, also known by the alias PYSA, has come into the spotlight for its unusual approach to its operations.
The group infiltrates networks the way most other ransomware outfits do, but once inside, Mespinoza operators search for documentation, files or other evidence suggesting that the victim is aware of, or involved in, illegal activities. The group then uses this information as leverage to extort exorbitant ransom payments from its victims.
Mespinoza has been called an "extremely disciplined" ransomware gang by researchers at Palo Alto Networks. The report by Palo Alto's Unit 42 focuses on the ever-shifting tactics that ransomware threat actors employ in their ongoing search for illegal profit.
Mespinoza has been on the radar of the infosec community for some time. The group grew prominent enough that the FBI published an alert specifically about it in March 2021. The alert came in the wake of attacks on US educational institutions, including religious seminaries, as well as similar attacks targeting UK institutions.
Once Mespinoza breaches a network, the operators search for very specific terms and keywords, and if those are found, they launch the full-blown ransomware attack, encrypting the network and demanding huge ransoms, often in the millions. Mespinoza searches for words such as "fraud" or "driver license", just two of the examples published by Palo Alto.
The group also likes to refer to its ransomware victims as its "partners". Whether this is just for show, or whether Mespinoza believes it is a social engineering trick that makes victims more likely to cooperate, is not clear.
Entities targeted by Mespinoza are located all over the world. The group has hit victims in continental Europe, Brazil, South Africa and Australia. The full list, according to Palo Alto's report, spans 20 countries, but the overwhelming majority of victims are located in the US.
While Mespinoza is no DarkSide or REvil, the fact that the group has carried out so many attacks and has been the specific subject of an FBI alert shows that it is successful. There is no hard information about where Mespinoza is located either.