Mespinoza (also known as PYSA) ransomware operators attack organizations around the world and search computer systems for confidential information and files associated with the victims’ illegal activities. The cybercriminals use this information as additional leverage in the extortion of a ransom.
The criminals demand millions of dollars in exchange for a decryption key and threaten to publish the confidential information stolen from the compromised network if the victim does not pay. Organizations around the world have been hit by Mespinoza attacks, but most victims are in the United States, including manufacturing, retail and engineering companies, educational institutions and government agencies.
According to experts from Palo Alto Networks, Mespinoza is a "highly disciplined" group that actively seeks evidence of illegal activity, as well as other confidential information, to blackmail its victims. Mespinoza gains initial access to victim networks over RDP, logging in with legitimate credentials. It is not known whether the attackers obtain those credentials by brute force or by phishing, but because the logons use valid accounts rather than an exploit, the intrusion can go undetected for longer.
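Because the initial access described above is an RDP logon with valid credentials, the two signals a defender can still look for are a burst of failed logons followed by a success from the same source, and RDP logons arriving from outside the organization's own address space. The following is an added example (not code from the article or from the Palo Alto Networks report) that runs that logic over a few constructed Windows Security events. It assumes the events have already been exported into a flat "timestamp,event_id,logon_type,user,src_ip" form (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), and it assumes the internal address ranges are the RFC 1918 networks plus loopback; real deployments should substitute their own ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real log extracts). Format:
# timestamp,event_id,logon_type,user,src_ip
SAMPLE_EVENTS = """\
2021-07-10T02:14:01,4625,10,administrator,203.0.113.45
2021-07-10T02:14:03,4625,10,administrator,203.0.113.45
2021-07-10T02:14:05,4625,10,admin,203.0.113.45
2021-07-10T02:14:08,4625,10,jsmith,203.0.113.45
2021-07-10T02:14:11,4625,10,jsmith,203.0.113.45
2021-07-10T02:14:20,4624,10,jsmith,203.0.113.45
2021-07-10T09:00:00,4624,10,mbrown,10.0.4.17
2021-07-10T09:05:00,4624,2,mbrown,-
2021-07-10T11:30:00,4624,10,svc_backup,198.51.100.9
"""

RDP_LOGON_TYPE = "10"          # Windows logon type 10: RemoteInteractive (RDP)
FAIL_THRESHOLD = 5             # failures from one source before a success is suspicious
WINDOW = timedelta(minutes=10) # how far back to count those failures

# Assumed internal ranges (RFC 1918 + loopback); replace with your own allocations.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_events(text):
    """Parse the flat CSV export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, src_ip = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "user": user,
            "src_ip": src_ip,
        })
    return events


def is_external(ip):
    """True if the source address is outside the assumed internal ranges."""
    try:
        addr = ip_address(ip)
    except ValueError:
        # "-" or another non-address value, e.g. console or service logons
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_rdp_alerts(events):
    """Return (alert_type, src_ip, user) tuples for suspicious RDP logons.

    brute_force_then_success: >= FAIL_THRESHOLD failed RDP logons from the
        same source within WINDOW, followed by a successful RDP logon.
    external_rdp_logon: a successful RDP logon from a non-internal address
        (with no preceding failure burst).
    """
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of 4625 RDP events
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # only RDP logons are of interest here
        ip = ev["src_ip"]
        if ev["event_id"] == "4625":
            failures[ip].append(ev["ts"])
            continue
        if ev["event_id"] != "4624":
            continue
        recent = [t for t in failures[ip] if ev["ts"] - t <= WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_then_success", ip, ev["user"]))
        elif is_external(ip):
            alerts.append(("external_rdp_logon", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_alerts(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```

On the sample data the first source (203.0.113.45) is flagged for five failures followed by a success as jsmith, and the last event is flagged simply because an RDP logon from a non-internal address is unusual for most environments; the internal RDP logon and the type-2 console logon produce nothing. Note that a credential obtained by phishing produces no failure burst at all, which is why the second rule, or an equivalent allow-list of expected RDP sources (a VPN concentrator, a jump host), is needed as well.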
The group also installs a backdoor called Gasket on the victim's systems. Gasket in turn includes a component called MagicSocks, which relies on open-source tooling to give the attackers persistent remote access to the network. This is how the criminals maintain their foothold even if the original RDP access is cut off.