win.mespinoza

Mespinoza

aka: pysa

Mespinoza is ransomware that encrypts files using asymmetric encryption and appends .pysa as the file extension. According to Dissecting Malware, the "pysa" extension is probably derived from the Zanzibari coin of the same name.

References

2021-03-16, FBI: "Alert Number CP-000142-MW: Increase in PYSA Ransomware Targeting Education Institutions". Technical report, FBI. https://www.ic3.gov/Media/News/2021/210316.pdf (English; retrieved 2021-03-22). Families: Mespinoza.

2021-02-23, CrowdStrike: "2021 Global Threat Report". Technical report, CrowdStrike. https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf (English; retrieved 2021-02-25). Families: RansomEXX, Amadey, Anchor, Avaddon Ransomware, BazarBackdoor, Clop, Cobalt Strike, Conti Ransomware, Cutwail, DanaBot, DarkSide, DoppelPaymer, Dridex, Egregor, Emotet, Hakbit, IcedID, JSOutProx, KerrDown, LockBit, Mailto, Maze, MedusaLocker, Mespinoza, Mount Locker, NedDnLoader, Nemty, Pay2Key, PlugX, Pushdo, PwndLocker, PyXie, QakBot, Quasar RAT, RagnarLocker, Ragnarok, RansomEXX, REvil, Ryuk, Sekhmet Ransomware, ShadowPad, SmokeLoader, Snake Ransomware, SUNBURST, SunCrypt, TEARDROP, TrickBot, WastedLocker, Winnti, Zloader.

2021-01-07, Catalin Cimpanu (Twitter, @campuscodi): "Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware". https://twitter.com/campuscodi/status/1347223969984897026 (English; retrieved 2021-01-11). Families: Mespinoza.

2020-11-23, The DFIR Report: "PYSA/Mespinoza Ransomware". https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/ (English; retrieved 2021-01-21). Families: Empire Downloader, Mespinoza.

2020-11-16, Intel 471: "Ransomware-as-a-service: The pandemic within a pandemic". https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/ (English; retrieved 2020-11-17). Families: Avaddon Ransomware, Clop, Conti Ransomware, DoppelPaymer, Egregor, Hakbit, Mailto, Maze, Mespinoza, RagnarLocker, REvil, Ryuk, SunCrypt, ThunderX Ransomware.

2020-10-23, Hornetsecurity Security Lab (Hornetsecurity): "Leakware-Ransomware-Hybrid Attacks". https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/ (English; retrieved 2020-12-08). Families: Avaddon Ransomware, Clop, Conti Ransomware, DarkSide, DoppelPaymer, Mailto, Maze, Mespinoza, Nefilim Ransomware, RagnarLocker, REvil, Sekhmet Ransomware, SunCrypt.

2020-03-19, Catalin Cimpanu (ZDNet): "France warns of new ransomware gang targeting local governments". https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/ (English; retrieved 2020-03-26). Families: Mespinoza.

2020-03-18, CERT-FR: "Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa" (CERT-FR Threats and Incidents Report: Attacks by the Mespinoza/Pysa ransomware). https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/ (French; retrieved 2020-03-26). Families: Mespinoza.

2019-12-14, Marius Genheimer (Dissecting Malware): "Another one for the collection - Mespinoza (Pysa) Ransomware". https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html (English; retrieved 2020-01-26). Families: Mespinoza.

2019-10-11, Andrew Ivanov (ID Ransomware): "Mespinoza Ransomware". https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html (English; retrieved 2020-03-26). Families: Mespinoza.
Yara Rules
[TLP:WHITE] win_mespinoza_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_mespinoza_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 2bc2 50 e8???????? 8b5704 8bc6 8bca 2b0f }
            // n = 7, score = 200
            //   2bc2                 | sub                 eax, edx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b5704               | mov                 edx, dword ptr [edi + 4]
            //   8bc6                 | mov                 eax, esi
            //   8bca                 | mov                 ecx, edx
            //   2b0f                 | sub                 ecx, dword ptr [edi]

        $sequence_1 = { 50 e8???????? 83650c00 8bce 57 }
            // n = 5, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   83650c00             | and                 dword ptr [ebp + 0xc], 0
            //   8bce                 | mov                 ecx, esi
            //   57                   | push                edi

        $sequence_2 = { 8bcb ff7560 ff5718 50 8bcb ff570c 8b4d60 }
            // n = 7, score = 200
            //   8bcb                 | mov                 ecx, ebx
            //   ff7560               | push                dword ptr [ebp + 0x60]
            //   ff5718               | call                dword ptr [edi + 0x18]
            //   50                   | push                eax
            //   8bcb                 | mov                 ecx, ebx
            //   ff570c               | call                dword ptr [edi + 0xc]
            //   8b4d60               | mov                 ecx, dword ptr [ebp + 0x60]

        $sequence_3 = { 0f8620010000 8bbdc4ebffff 85c9 0f88f5000000 8bc1 99 8985c4ebffff }
            // n = 7, score = 200
            //   0f8620010000         | jbe                 0x126
            //   8bbdc4ebffff         | mov                 edi, dword ptr [ebp - 0x143c]
            //   85c9                 | test                ecx, ecx
            //   0f88f5000000         | js                  0xfb
            //   8bc1                 | mov                 eax, ecx
            //   99                   | cdq                 
            //   8985c4ebffff         | mov                 dword ptr [ebp - 0x143c], eax

        $sequence_4 = { 53 6a00 57 e8???????? 83c40c 8b4dd8 8b45e8 }
            // n = 7, score = 200
            //   53                   | push                ebx
            //   6a00                 | push                0
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b4dd8               | mov                 ecx, dword ptr [ebp - 0x28]
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]

        $sequence_5 = { 8d9adcbc1b8f 3344243c 03d9 33442430 8bce 33442420 }
            // n = 6, score = 200
            //   8d9adcbc1b8f         | lea                 ebx, [edx - 0x70e44324]
            //   3344243c             | xor                 eax, dword ptr [esp + 0x3c]
            //   03d9                 | add                 ebx, ecx
            //   33442430             | xor                 eax, dword ptr [esp + 0x30]
            //   8bce                 | mov                 ecx, esi
            //   33442420             | xor                 eax, dword ptr [esp + 0x20]

        $sequence_6 = { e8???????? 8bf8 83c410 89bd64ffffff c645fc02 85ff }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c410               | add                 esp, 0x10
            //   89bd64ffffff         | mov                 dword ptr [ebp - 0x9c], edi
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2
            //   85ff                 | test                edi, edi

        $sequence_7 = { 3ad2 7506 c6414101 8bd1 895150 8bc1 5d }
            // n = 7, score = 200
            //   3ad2                 | cmp                 dl, dl
            //   7506                 | jne                 8
            //   c6414101             | mov                 byte ptr [ecx + 0x41], 1
            //   8bd1                 | mov                 edx, ecx
            //   895150               | mov                 dword ptr [ecx + 0x50], edx
            //   8bc1                 | mov                 eax, ecx
            //   5d                   | pop                 ebp

        $sequence_8 = { e8???????? 8b0cb500b04700 83c410 8985f4efffff 8bc2 8b95f4efffff }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b0cb500b04700       | mov                 ecx, dword ptr [esi*4 + 0x47b000]
            //   83c410               | add                 esp, 0x10
            //   8985f4efffff         | mov                 dword ptr [ebp - 0x100c], eax
            //   8bc2                 | mov                 eax, edx
            //   8b95f4efffff         | mov                 edx, dword ptr [ebp - 0x100c]

        $sequence_9 = { 8b4c3154 f3aa e8???????? 83c404 8d4e24 e8???????? 8b4e0c }
            // n = 7, score = 200
            //   8b4c3154             | mov                 ecx, dword ptr [ecx + esi + 0x54]
            //   f3aa                 | rep stosb           byte ptr es:[edi], al
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d4e24               | lea                 ecx, [esi + 0x24]
            //   e8????????           |                     
            //   8b4e0c               | mov                 ecx, dword ptr [esi + 0xc]

    condition:
        7 of them and filesize < 1091584
}