SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mespinoza (Back to overview)

Mespinoza

aka: pysa
VTCollection    

Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware the extension "pysa" is probably derived from the Zanzibari Coin with the same name.

References
2022-06-23KasperskyDanila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Conti Hive BlackByte BlackCat Clop LockBit Mespinoza Ragnarok
2022-06-23KasperskyDanila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
BlackByte BlackCat Clop Conti Hive LockBit Mespinoza RagnarLocker
2022-04-18SentinelOneJames Haughom
From the Front Lines | Peering into A PYSA Ransomware Attack
Chisel Chisel Cobalt Strike Mespinoza
2022-04-14PRODAFT Threat IntelligencePRODAFT
PYSA (Mespinoza) In-Depth Analysis
Mespinoza
2022-04-13PRODAFT Threat IntelligencePRODAFT
[PYSA] Ransomware Group In-Depth Analysis
Mespinoza
2022-03-23splunkShannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-03-16SymantecSymantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
AvosLocker BlackCat BlackMatter Conti DarkSide DoppelPaymer Emotet Hive Karma Mespinoza Nemty Squirrelwaffle VegaLocker WastedLocker Yanluowang Zeppelin
2022-02-23splunkShannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-01-06Health Sector Cybersecurity Coordination Center (HC3)Health Sector Cybersecurity Coordination Center (HC3)
Mespinoza/GoldBurlap/CYBORG SPIDER
Mespinoza GOLD BURLAP
2021-11-29cybleCyble
Pysa Ransomware Under the Lens: A Deep-Dive Analysis
Mespinoza
2021-11-05Twitter (@inversecos)inversecos
TTPs used by Pysa Ransonmware group
Mespinoza MimiKatz
2021-09-27CybereasonAleksandar Milenkoski
Threat Analysis Report: Inside the Destructive PYSA Ransomware
Mespinoza
2021-09-09Lacework LabsLacework Labs
PYSA Ransomware Gang adds Linux Support
Mespinoza
2021-08-24Bleeping ComputerLawrence Abrams
Ransomware gang's script shows exactly the files they're after
Mespinoza
2021-07-15Palo Alto Networks Unit 42Alex Hinchliffe, Quinn Cooke, Robert Falcone
Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools
Gasket Mespinoza
2021-06-23BlackberryBlackBerry Research and Intelligence team
PYSA Loves ChaChi: a New GoLang RAT
ChaChi Mespinoza
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-25Vulnerability.ch BlogCorsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-03-16FBIFBI
Alert Number CP-000142-MW: Increase in PYSA Ransomware Targeting Education Institutions
Mespinoza
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-07Twitter (@campuscodi)Catalin Cimpanu
Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware
Mespinoza
2021-01-01SecureworksSecureWorks
Threat Profile: GOLD BURLAP
Empire Downloader Mespinoza MimiKatz GOLD BURLAP
2020-11-23The DFIR ReportThe DFIR Report
PYSA/Mespinoza Ransomware
Empire Downloader Mespinoza
2020-11-16Intel 471Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-23HornetsecurityHornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-03-19ZDNetCatalin Cimpanu
France warns of new ransomware gang targeting local governments
Mespinoza
2020-03-18CERT-FRCERT-FR
Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa
Mespinoza
2019-12-14Dissecting MalwareMarius Genheimer
Another one for the collection - Mespinoza (Pysa) Ransomware
Mespinoza
2019-10-11ID RansomwareAndrew Ivanov
Mespinoza Ransomware
Mespinoza
Yara Rules
[TLP:WHITE] win_mespinoza_auto (20230808 | Detects win.mespinoza.)
rule win_mespinoza_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.mespinoza."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d4d9c e8???????? 83eb01 75e7 8b4d0c }
            // n = 5, score = 200
            //   8d4d9c               | lea                 ecx, [ebp - 0x64]
            //   e8????????           |                     
            //   83eb01               | sub                 ebx, 1
            //   75e7                 | jne                 0xffffffe9
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]

        $sequence_1 = { 897d0c c645fc01 85ff 7446 56 8bcf e8???????? }
            // n = 7, score = 200
            //   897d0c               | mov                 dword ptr [ebp + 0xc], edi
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   85ff                 | test                edi, edi
            //   7446                 | je                  0x48
            //   56                   | push                esi
            //   8bcf                 | mov                 ecx, edi
            //   e8????????           |                     

        $sequence_2 = { 8b4dc4 8b7dc0 6aff 6a01 }
            // n = 4, score = 200
            //   8b4dc4               | mov                 ecx, dword ptr [ebp - 0x3c]
            //   8b7dc0               | mov                 edi, dword ptr [ebp - 0x40]
            //   6aff                 | push                -1
            //   6a01                 | push                1

        $sequence_3 = { 891f 895f04 6a01 895dfc e8???????? 59 894704 }
            // n = 7, score = 200
            //   891f                 | mov                 dword ptr [edi], ebx
            //   895f04               | mov                 dword ptr [edi + 4], ebx
            //   6a01                 | push                1
            //   895dfc               | mov                 dword ptr [ebp - 4], ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   894704               | mov                 dword ptr [edi + 4], eax

        $sequence_4 = { 03c1 3bc1 7334 8bde 8bf1 2bf0 }
            // n = 6, score = 200
            //   03c1                 | add                 eax, ecx
            //   3bc1                 | cmp                 eax, ecx
            //   7334                 | jae                 0x36
            //   8bde                 | mov                 ebx, esi
            //   8bf1                 | mov                 esi, ecx
            //   2bf0                 | sub                 esi, eax

        $sequence_5 = { 75f9 2bd6 8db5f8feffff 8d5e01 8a06 46 84c0 }
            // n = 7, score = 200
            //   75f9                 | jne                 0xfffffffb
            //   2bd6                 | sub                 edx, esi
            //   8db5f8feffff         | lea                 esi, [ebp - 0x108]
            //   8d5e01               | lea                 ebx, [esi + 1]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   46                   | inc                 esi
            //   84c0                 | test                al, al

        $sequence_6 = { 83e03f 6bd030 895de4 8b049d00b04700 8945d4 8955e8 8a5c1029 }
            // n = 7, score = 200
            //   83e03f               | and                 eax, 0x3f
            //   6bd030               | imul                edx, eax, 0x30
            //   895de4               | mov                 dword ptr [ebp - 0x1c], ebx
            //   8b049d00b04700       | mov                 eax, dword ptr [ebx*4 + 0x47b000]
            //   8945d4               | mov                 dword ptr [ebp - 0x2c], eax
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   8a5c1029             | mov                 bl, byte ptr [eax + edx + 0x29]

        $sequence_7 = { 8b6c240c 56 57 55 8bf9 e8???????? 8b37 }
            // n = 7, score = 200
            //   8b6c240c             | mov                 ebp, dword ptr [esp + 0xc]
            //   56                   | push                esi
            //   57                   | push                edi
            //   55                   | push                ebp
            //   8bf9                 | mov                 edi, ecx
            //   e8????????           |                     
            //   8b37                 | mov                 esi, dword ptr [edi]

        $sequence_8 = { 64a300000000 8965f0 8b7508 8b7d0c 8975ec c745fc00000000 0f1f440000 }
            // n = 7, score = 200
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8965f0               | mov                 dword ptr [ebp - 0x10], esp
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8b7d0c               | mov                 edi, dword ptr [ebp + 0xc]
            //   8975ec               | mov                 dword ptr [ebp - 0x14], esi
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   0f1f440000           | nop                 dword ptr [eax + eax]

        $sequence_9 = { 8bc3 2bc2 894714 8b7508 8bce e8???????? 84c0 }
            // n = 7, score = 200
            //   8bc3                 | mov                 eax, ebx
            //   2bc2                 | sub                 eax, edx
            //   894714               | mov                 dword ptr [edi + 0x14], eax
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   84c0                 | test                al, al

    condition:
        7 of them and filesize < 1091584
}
Download all Yara Rules