
Palo Alto Networks' Unit 42 Publishes Report on Mespinoza Group

Researchers described the group as "cocky" but "creative".


Palo Alto Networks' Unit 42 has analyzed the Mespinoza gang's latest tactics and tradecraft, noting its "cocky" messaging and its "creatively" named tools, but found no evidence that the group has moved to a ransomware-as-a-service model.

Mespinoza's attacks largely follow trends seen across other ransomware actors and families: the group favours techniques that are simple, cheap and easy to reuse.

The report researchers explained, "As with other ransomware attacks, Mespinoza originates through the proverbial front door – internet-facing RDP servers – mitigating the need to craft phishing emails, perform social engineering, leverage software vulnerabilities or other more time-consuming and costly activities. Further costs are saved through the use of numerous open-source tools available online for free, or through the use of built-in tools enabling actors to live off the land, all of which benefits bottom-line expenses and profits." 

Although Mespinoza has not been as active as the better-known REvil, its operations have been highly successful: Unit 42's analysis found that victims have paid up to $470,000 each to recover their files, with most targets in the US and UK, including the attack on Hackney Council last October.

Once a victim is in its sights, the group moves quickly from initial breach through exfiltration to ransomware deployment. In one case, by no means the fastest, the whole operation took less than three days: the first day covered the initial compromise over RDP, network reconnaissance and credential harvesting; the targeted data was exfiltrated on the second day; and the ransomware was deployed on the third.

"Through the use of various open-source tools - mostly designed for use by sysadmins and pen-testers - the Mespinoza actors can move around the network with ease, looking for high-value data for maximum leverage as they go, and staging the latter parts of their attack to encrypt as many systems as possible," stated Alex Hinchliffe, threat intelligence analyst at Unit 42. 

The group has primarily targeted manufacturing, retail, healthcare and education. Unit 42's research also found no evidence to support earlier reports that Mespinoza had followed in REvil's footsteps and was offering ransomware-as-a-service.

The "cocky" tone the researchers attribute to the group's communications may, however, be partly a matter of interpretation. "Victim organizations are referred to as 'partners,'" the researchers found. "Use of that term suggests that they try to run the group as a professional enterprise and see victims as business partners who fund their profits."

"Generally speaking, RDP and other remote administration tools have become a high-value target for many cybercriminals and nation-state adversaries because of how simple it is to find them," Hinchliffe said.

"There's no reason to expose RDP directly to the public internet in this day and age," security researcher Tom Hudson told The Register of the all-too-familiar entry point for Mespinoza's attacks. "If you need RDP access over the internet you should be requiring the use of a VPN with multi-factor authentication enforced." 
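The control Hudson describes is also straightforward to audit after the fact. The following Python is an added illustration, not code from Unit 42, The Register or this article: it scans exported Windows Security logon events for RDP sessions (logon type 10) whose source address is on the public internet rather than an internal or VPN range, which a "VPN with MFA only" policy should make impossible. The event records, user names and addresses are constructed sample data shaped like events 4624 and 4625; the allow-listed networks are an assumption to replace with your own ranges.

```python
"""Flag RDP logons that arrived directly from the public internet.

Added example, not code from Unit 42 or from this article. The events below
are constructed sample records shaped like Windows Security events 4624
(successful logon) and 4625 (failed logon); LogonType 10 is RemoteInteractive,
i.e. an RDP session. The internal/VPN address ranges are assumptions.
"""
import ipaddress

# Assumption: RDP clients may only connect from these networks. An explicit
# allow-list is used instead of ip.is_private, which also treats IANA
# documentation ranges such as 203.0.113.0/24 as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918, incl. the VPN pool
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "jsmith",
     "IpAddress": "10.200.14.7", "WorkstationName": "LAPTOP-07"},     # via VPN pool: fine
    {"EventID": 4624, "LogonType": 3,  "TargetUserName": "svc_backup",
     "IpAddress": "192.168.5.20", "WorkstationName": "FILESRV01"},    # network logon, not RDP
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "admin",
     "IpAddress": "198.51.100.9", "WorkstationName": "kali"},         # failed guess from internet
    {"EventID": 4625, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "198.51.100.9", "WorkstationName": "kali"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "administrator",
     "IpAddress": "198.51.100.9", "WorkstationName": "kali"},         # success from internet: alert
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "helpdesk",
     "IpAddress": "203.0.113.45", "WorkstationName": "WIN-4F2Q"},     # success from internet: alert
    {"EventID": 4624, "LogonType": 2,  "TargetUserName": "jdoe",
     "IpAddress": "-", "WorkstationName": "WKS-22"},                  # console logon: no address
]


def is_internal(addr: str) -> bool:
    """True if addr is on an allow-listed network, or is not a network address
    at all (Windows records '-' for console logons)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    # Membership tests across IPv4/IPv6 simply return False, so mixing is safe.
    return any(ip in net for net in INTERNAL_NETS)


def flag_direct_internet_rdp(events):
    """Group RDP logon attempts from non-internal addresses by source IP.

    Returns {source_ip: {"successes": [user, ...], "failures": n}}. A non-empty
    "successes" list is an RDP session that bypassed the VPN and needs immediate
    investigation; failures alone show the service is exposed and being probed.
    """
    findings = {}
    for ev in events:
        if ev.get("EventID") not in (4624, 4625) or ev.get("LogonType") != 10:
            continue
        src = ev.get("IpAddress", "-")
        if is_internal(src):
            continue
        entry = findings.setdefault(src, {"successes": [], "failures": 0})
        if ev["EventID"] == 4624:
            entry["successes"].append(ev["TargetUserName"])
        else:
            entry["failures"] += 1
    return findings


if __name__ == "__main__":
    for src, info in flag_direct_internet_rdp(SAMPLE_EVENTS).items():
        severity = "ALERT" if info["successes"] else "WARN "
        print(f"{severity} {src:<16} failures={info['failures']} "
              f"successful RDP logons={info['successes']}")
```

On a real estate the input would be events exported from the Security log (for example with wevtutil or a SIEM query on EventID 4624/4625 and LogonType 10); any "ALERT" line means RDP was reachable from the internet without going through the VPN, regardless of whether the credentials used were legitimate.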

While Mespinoza may not be above copying other malware groups' victim lists, its creativity evidently lies elsewhere: in tool naming. The report notes that a tool for building network tunnels is dubbed 'MagicalSocks', while a component stored on the group's server is called 'HappyEnd.bat', presumably used to wrap up an attack.