win.mespinoza

Mespinoza

aka: pysa

Mespinoza is a ransomware that encrypts files using asymmetric encryption and appends .pysa as the file extension. According to Dissecting Malware, the extension "pysa" is probably derived from the Zanzibari coin of the same name.

References
2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs (Download Form)
Tags: BlackByte, BlackCat, Clop, Conti, Hive, LockBit, Mespinoza, RagnarLocker

2022-06-23 | Kaspersky | Danila Nasonov, Natalya Shornikova, Nikita Nazarov, Vasily Davydov, Vladislav Burtsev
The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs
Tags: Conti, Hive, BlackByte, BlackCat, Clop, LockBit, Mespinoza, Ragnarok

2022-04-18 | SentinelOne | James Haughom
From the Front Lines | Peering into A PYSA Ransomware Attack
Tags: Chisel, Cobalt Strike, Mespinoza

2022-04-14 | PRODAFT Threat Intelligence | PRODAFT
PYSA (Mespinoza) In-Depth Analysis
Tags: Mespinoza

2022-04-13 | PRODAFT Threat Intelligence | PRODAFT
[PYSA] Ransomware Group In-Depth Analysis
Tags: Mespinoza

2022-03-23 | splunk | Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Tags: Avaddon, Babuk, BlackMatter, Conti, DarkSide, LockBit, Maze, Mespinoza, REvil, Ryuk

2022-03-16 | Symantec | Symantec Threat Hunter Team
The Ransomware Threat Landscape: What to Expect in 2022
Tags: AvosLocker, BlackCat, BlackMatter, Conti, DarkSide, DoppelPaymer, Emotet, Hive, Karma, Mespinoza, Nemty, Squirrelwaffle, VegaLocker, WastedLocker, Yanluowang, Zeppelin

2022-02-23 | splunk | Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Tags: Avaddon, Babuk, BlackMatter, Conti, DarkSide, LockBit, Maze, Mespinoza, REvil, Ryuk

2022-01-06 | Health Sector Cybersecurity Coordination Center (HC3) | Health Sector Cybersecurity Coordination Center (HC3)
Mespinoza/GoldBurlap/CYBORG SPIDER
Tags: Mespinoza, GOLD BURLAP

2021-11-29 | cyble | Cyble
Pysa Ransomware Under the Lens: A Deep-Dive Analysis
Tags: Mespinoza

2021-11-05 | Twitter (@inversecos) | inversecos
TTPs used by Pysa Ransomware group
Tags: Mespinoza, MimiKatz

2021-09-27 | Cybereason | Aleksandar Milenkoski
Threat Analysis Report: Inside the Destructive PYSA Ransomware
Tags: Mespinoza

2021-09-09 | Lacework Labs | Lacework Labs
PYSA Ransomware Gang adds Linux Support
Tags: Mespinoza

2021-08-24 | Bleeping Computer | Lawrence Abrams
Ransomware gang's script shows exactly the files they're after
Tags: Mespinoza

2021-07-15 | Palo Alto Networks Unit 42 | Alex Hinchliffe, Quinn Cooke, Robert Falcone
Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools
Tags: Gasket, Mespinoza

2021-06-23 | Blackberry | BlackBerry Research and Intelligence team
PYSA Loves ChaChi: a New GoLang RAT
Tags: ChaChi, Mespinoza

2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
Tags: RansomEXX, Avaddon, Babuk, Clop, Conti, Cuba, DarkSide, DoppelPaymer, Egregor, Hades, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, Nefilim, Nemty, Pay2Key, PwndLocker, RagnarLocker, Ragnarok, REvil, Sekhmet, SunCrypt, ThunderX

2021-05-06 | Cyborg Security | Brandon Denker
Ransomware: Hunting for Inhibiting System Backup or Recovery
Tags: Avaddon, Conti, DarkSide, LockBit, Mailto, Maze, Mespinoza, Nemty, PwndLocker, RagnarLocker, RansomEXX, REvil, Ryuk, Snatch, ThunderX

2021-04-25 | Vulnerability.ch Blog | Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Tags: Avaddon, Babuk, Clop, Conti, DarkSide, DoppelPaymer, Mespinoza, Nefilim, REvil

2021-03-16 | FBI | FBI
Alert Number CP-000142-MW: Increase in PYSA Ransomware Targeting Education Institutions
Tags: Mespinoza

2021-02-23 | CrowdStrike | CrowdStrike
2021 Global Threat Report
Tags: RansomEXX, Amadey, Anchor, Avaddon, BazarBackdoor, Clop, Cobalt Strike, Conti, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, REvil, Ryuk, Sekhmet, ShadowPad, SmokeLoader, Snake, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader, Evilnum, OUTLAW SPIDER, RIDDLE SPIDER, SOLAR SPIDER, VIKING SPIDER

2021-01-07 | Twitter (@campuscodi) | Catalin Cimpanu
Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware
Tags: Mespinoza

2021-01-01 | Secureworks | SecureWorks
Threat Profile: GOLD BURLAP
Tags: Empire Downloader, Mespinoza, MimiKatz, GOLD BURLAP

2020-11-23 | The DFIR Report | The DFIR Report
PYSA/Mespinoza Ransomware
Tags: Empire Downloader, Mespinoza

2020-11-16 | Intel 471 | Intel 471
Ransomware-as-a-service: The pandemic within a pandemic
Tags: Avaddon, Clop, Conti, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX

2020-10-23 | Hornetsecurity | Hornetsecurity Security Lab
Leakware-Ransomware-Hybrid Attacks
Tags: Avaddon, Clop, Conti, DarkSide, DoppelPaymer, Mailto, Maze, Mespinoza, Nefilim, RagnarLocker, REvil, Sekhmet, SunCrypt

2020-08-25 | KELA | Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Tags: Avaddon, Clop, DarkSide, DoppelPaymer, Mailto, Maze, MedusaLocker, Mespinoza, Nefilim, RagnarLocker, REvil, Sekhmet

2020-03-31 | ANSSI | ANSSI
ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE
Tags: Mespinoza

2020-03-19 | ZDNet | Catalin Cimpanu
France warns of new ransomware gang targeting local governments
Tags: Mespinoza

2020-03-18 | ANSSI | ANSSI
ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE
Tags: Mespinoza

2020-03-18 | CERT-FR | CERT-FR
CERT-FR Threat and Incident Report: Attacks involving the Mespinoza/Pysa ransomware (original title: Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa)
Tags: Mespinoza

2019-12-14 | Dissecting Malware | Marius Genheimer
Another one for the collection - Mespinoza (Pysa) Ransomware
Tags: Mespinoza

2019-10-11 | ID Ransomware | Andrew Ivanov
Mespinoza Ransomware
Tags: Mespinoza
Yara Rules
[TLP:WHITE] win_mespinoza_auto (20260504 | Detects win.mespinoza.)
rule win_mespinoza_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.mespinoza."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 6a00 53 e8???????? 83c40c eb02 33db 8bfe }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   53                   | push                ebx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb02                 | jmp                 4
            //   33db                 | xor                 ebx, ebx
            //   8bfe                 | mov                 edi, esi

        $sequence_1 = { 837d1400 c745fc02000000 741e 57 53 8d4dd0 e8???????? }
            // n = 7, score = 200
            //   837d1400             | cmp                 dword ptr [ebp + 0x14], 0
            //   c745fc02000000       | mov                 dword ptr [ebp - 4], 2
            //   741e                 | je                  0x20
            //   57                   | push                edi
            //   53                   | push                ebx
            //   8d4dd0               | lea                 ecx, [ebp - 0x30]
            //   e8????????           |                     

        $sequence_2 = { 663906 752e 8d5602 663902 7526 8bce 8d5902 }
            // n = 7, score = 200
            //   663906               | cmp                 word ptr [esi], ax
            //   752e                 | jne                 0x30
            //   8d5602               | lea                 edx, [esi + 2]
            //   663902               | cmp                 word ptr [edx], ax
            //   7526                 | jne                 0x28
            //   8bce                 | mov                 ecx, esi
            //   8d5902               | lea                 ebx, [ecx + 2]

        $sequence_3 = { 8bd9 895de8 8b8504010000 8bb50c010000 8945ec 8b8508010000 8945dc }
            // n = 7, score = 200
            //   8bd9                 | mov                 ebx, ecx
            //   895de8               | mov                 dword ptr [ebp - 0x18], ebx
            //   8b8504010000         | mov                 eax, dword ptr [ebp + 0x104]
            //   8bb50c010000         | mov                 esi, dword ptr [ebp + 0x10c]
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8b8508010000         | mov                 eax, dword ptr [ebp + 0x108]
            //   8945dc               | mov                 dword ptr [ebp - 0x24], eax

        $sequence_4 = { 1bc0 83c801 85c9 742a 85c0 7426 ff750c }
            // n = 7, score = 200
            //   1bc0                 | sbb                 eax, eax
            //   83c801               | or                  eax, 1
            //   85c9                 | test                ecx, ecx
            //   742a                 | je                  0x2c
            //   85c0                 | test                eax, eax
            //   7426                 | je                  0x28
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_5 = { 8ad9 eb02 32db 8b45e4 }
            // n = 4, score = 200
            //   8ad9                 | mov                 bl, cl
            //   eb02                 | jmp                 4
            //   32db                 | xor                 bl, bl
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]

        $sequence_6 = { 8d8d78ffffff e8???????? ff7564 8d4500 c745fc00000000 50 8d8d78ffffff }
            // n = 7, score = 200
            //   8d8d78ffffff         | lea                 ecx, [ebp - 0x88]
            //   e8????????           |                     
            //   ff7564               | push                dword ptr [ebp + 0x64]
            //   8d4500               | lea                 eax, [ebp]
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   50                   | push                eax
            //   8d8d78ffffff         | lea                 ecx, [ebp - 0x88]

        $sequence_7 = { 8bcb 89759c 8b33 8955a4 8945a0 ff5608 }
            // n = 6, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   89759c               | mov                 dword ptr [ebp - 0x64], esi
            //   8b33                 | mov                 esi, dword ptr [ebx]
            //   8955a4               | mov                 dword ptr [ebp - 0x5c], edx
            //   8945a0               | mov                 dword ptr [ebp - 0x60], eax
            //   ff5608               | call                dword ptr [esi + 8]

        $sequence_8 = { 57 83e801 7422 8b442420 52 51 50 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   83e801               | sub                 eax, 1
            //   7422                 | je                  0x24
            //   8b442420             | mov                 eax, dword ptr [esp + 0x20]
            //   52                   | push                edx
            //   51                   | push                ecx
            //   50                   | push                eax

        $sequence_9 = { 7427 e8???????? 8b4d14 8d45ec 6a01 50 e8???????? }
            // n = 7, score = 200
            //   7427                 | je                  0x29
            //   e8????????           |                     
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   6a01                 | push                1
            //   50                   | push                eax
            //   e8????????           |                     

    condition:
        7 of them and filesize < 1091584
}