SYMBOLCOMMON_NAMEaka. SYNONYMS
win.mespinoza (Back to overview)

Mespinoza

aka: pysa

Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware the extension "pysa" is probably derived from the Zanzibari Coin with the same name.

References
2021-09-09Lacework LabsLacework Labs
@online{labs:20210909:pysa:3115858, author = {Lacework Labs}, title = {{PYSA Ransomware Gang adds Linux Support}}, date = {2021-09-09}, organization = {Lacework Labs}, url = {https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/}, language = {English}, urldate = {2021-09-10} } PYSA Ransomware Gang adds Linux Support
Mespinoza
2021-07-15Palo Alto Networks Unit 42Robert Falcone, Alex Hinchliffe, Quinn Cooke
@online{falcone:20210715:mespinoza:cabb0ab, author = {Robert Falcone and Alex Hinchliffe and Quinn Cooke}, title = {{Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools}}, date = {2021-07-15}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/}, language = {English}, urldate = {2021-07-20} } Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools
Gasket Mespinoza
2021-06-23BlackberryBlackBerry Research and Intelligence team
@online{team:20210623:pysa:ab64a25, author = {BlackBerry Research and Intelligence team}, title = {{PYSA Loves ChaChi: a New GoLang RAT}}, date = {2021-06-23}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat}, language = {English}, urldate = {2021-06-24} } PYSA Loves ChaChi: a New GoLang RAT
Mespinoza
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-06Cyborg SecurityBrandon Denker
@online{denker:20210506:ransomware:a1f31df, author = {Brandon Denker}, title = {{Ransomware: Hunting for Inhibiting System Backup or Recovery}}, date = {2021-05-06}, organization = {Cyborg Security}, url = {https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/}, language = {English}, urldate = {2021-05-08} } Ransomware: Hunting for Inhibiting System Backup or Recovery
Avaddon Conti DarkSide LockBit Mailto Maze Mespinoza Nemty PwndLocker RagnarLocker RansomEXX REvil Ryuk Snatch ThunderX
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-03-16FBIFBI
@techreport{fbi:20210316:alert:69b1a21, author = {FBI}, title = {{Alert Number CP-000142-MW: Increase in PYSA Ransomware Targeting Education Institutions}}, date = {2021-03-16}, institution = {FBI}, url = {https://www.ic3.gov/Media/News/2021/210316.pdf}, language = {English}, urldate = {2021-03-22} } Alert Number CP-000142-MW: Increase in PYSA Ransomware Targeting Education Institutions
Mespinoza
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2021-01-07Twitter (@campuscodi)Catalin Cimpanu
@online{cimpanu:20210107:londons:3d62f93, author = {Catalin Cimpanu}, title = {{Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware}}, date = {2021-01-07}, organization = {Twitter (@campuscodi)}, url = {https://twitter.com/campuscodi/status/1347223969984897026}, language = {English}, urldate = {2021-01-11} } Tweet on London's Hackney Council attacked by Pysa/Mespinoza ransomware
Mespinoza
2021SecureworksSecureWorks
@online{secureworks:2021:threat:d17547d, author = {SecureWorks}, title = {{Threat Profile: GOLD BURLAP}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-burlap}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD BURLAP
Empire Downloader Mespinoza MimiKatz GOLD BURLAP
2020-11-23The DFIR ReportThe DFIR Report
@online{report:20201123:pysamespinoza:f0f2544, author = {The DFIR Report}, title = {{PYSA/Mespinoza Ransomware}}, date = {2020-11-23}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/}, language = {English}, urldate = {2021-01-21} } PYSA/Mespinoza Ransomware
Empire Downloader Mespinoza
2020-11-16Intel 471Intel 471
@online{471:20201116:ransomwareasaservice:11a5a8b, author = {Intel 471}, title = {{Ransomware-as-a-service: The pandemic within a pandemic}}, date = {2020-11-16}, organization = {Intel 471}, url = {https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/}, language = {English}, urldate = {2020-11-17} } Ransomware-as-a-service: The pandemic within a pandemic
Avaddon Clop Conti DoppelPaymer Egregor Hakbit Mailto Maze Mespinoza RagnarLocker REvil Ryuk SunCrypt ThunderX
2020-10-23HornetsecurityHornetsecurity Security Lab
@online{lab:20201023:leakwareransomwarehybrid:ae1de8e, author = {Hornetsecurity Security Lab}, title = {{Leakware-Ransomware-Hybrid Attacks}}, date = {2020-10-23}, organization = {Hornetsecurity}, url = {https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/}, language = {English}, urldate = {2020-12-08} } Leakware-Ransomware-Hybrid Attacks
Avaddon Clop Conti DarkSide DoppelPaymer Mailto Maze Mespinoza Nefilim RagnarLocker REvil Sekhmet SunCrypt
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-03-19ZDNetCatalin Cimpanu
@online{cimpanu:20200319:france:9882b07, author = {Catalin Cimpanu}, title = {{France warns of new ransomware gang targeting local governments}}, date = {2020-03-19}, organization = {ZDNet}, url = {https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/}, language = {English}, urldate = {2020-03-26} } France warns of new ransomware gang targeting local governments
Mespinoza
2020-03-18CERT-FRCERT-FR
@online{certfr:20200318:rapport:abbc7c4, author = {CERT-FR}, title = {{Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa}}, date = {2020-03-18}, organization = {CERT-FR}, url = {https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/}, language = {French}, urldate = {2020-03-26} } Rapport Menaces et Incidents du CERT-FR: Attaques par le rançongiciel Mespinoza/Pysa
Mespinoza
2019-12-14Dissecting MalwareMarius Genheimer
@online{genheimer:20191214:another:7c9c60a, author = {Marius Genheimer}, title = {{Another one for the collection - Mespinoza (Pysa) Ransomware}}, date = {2019-12-14}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html}, language = {English}, urldate = {2020-01-26} } Another one for the collection - Mespinoza (Pysa) Ransomware
Mespinoza
2019-10-11ID RansomwareAndrew Ivanov
@online{ivanov:20191011:mespinoza:e9cd17e, author = {Andrew Ivanov}, title = {{Mespinoza Ransomware}}, date = {2019-10-11}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html}, language = {English}, urldate = {2020-03-26} } Mespinoza Ransomware
Mespinoza
Yara Rules
[TLP:WHITE] win_mespinoza_auto (20210616 | Detects win.mespinoza.)
rule win_mespinoza_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.mespinoza."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c7470400000000 c7470800000000 83c70c 3bfd 0f8576ffffff 5e 5b }
            // n = 7, score = 200
            //   c7470400000000       | mov                 dword ptr [edi + 4], 0
            //   c7470800000000       | mov                 dword ptr [edi + 8], 0
            //   83c70c               | add                 edi, 0xc
            //   3bfd                 | cmp                 edi, ebp
            //   0f8576ffffff         | jne                 0xffffff7c
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx

        $sequence_1 = { b9???????? 8975fc 8bb5a4efffff 57 56 e8???????? 6a10 }
            // n = 7, score = 200
            //   b9????????           |                     
            //   8975fc               | mov                 dword ptr [ebp - 4], esi
            //   8bb5a4efffff         | mov                 esi, dword ptr [ebp - 0x105c]
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   6a10                 | push                0x10

        $sequence_2 = { 8bf1 3bf7 7428 ff7708 e8???????? 837e0c00 741a }
            // n = 7, score = 200
            //   8bf1                 | mov                 esi, ecx
            //   3bf7                 | cmp                 esi, edi
            //   7428                 | je                  0x2a
            //   ff7708               | push                dword ptr [edi + 8]
            //   e8????????           |                     
            //   837e0c00             | cmp                 dword ptr [esi + 0xc], 0
            //   741a                 | je                  0x1c

        $sequence_3 = { 8bc5 0a542410 eb04 8b442424 }
            // n = 4, score = 200
            //   8bc5                 | mov                 eax, ebp
            //   0a542410             | or                  dl, byte ptr [esp + 0x10]
            //   eb04                 | jmp                 6
            //   8b442424             | mov                 eax, dword ptr [esp + 0x24]

        $sequence_4 = { c3 b8???????? c3 57 8b790c 8d413c 3907 }
            // n = 7, score = 200
            //   c3                   | ret                 
            //   b8????????           |                     
            //   c3                   | ret                 
            //   57                   | push                edi
            //   8b790c               | mov                 edi, dword ptr [ecx + 0xc]
            //   8d413c               | lea                 eax, dword ptr [ecx + 0x3c]
            //   3907                 | cmp                 dword ptr [edi], eax

        $sequence_5 = { 83791800 8d510c c7454800000000 0f8659010000 8b4210 8a00 2401 }
            // n = 7, score = 200
            //   83791800             | cmp                 dword ptr [ecx + 0x18], 0
            //   8d510c               | lea                 edx, dword ptr [ecx + 0xc]
            //   c7454800000000       | mov                 dword ptr [ebp + 0x48], 0
            //   0f8659010000         | jbe                 0x15f
            //   8b4210               | mov                 eax, dword ptr [edx + 0x10]
            //   8a00                 | mov                 al, byte ptr [eax]
            //   2401                 | and                 al, 1

        $sequence_6 = { 50 8d45f4 64a300000000 8bf1 8b4d0c c745f000000000 8b4618 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, dword ptr [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8bf1                 | mov                 esi, ecx
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   c745f000000000       | mov                 dword ptr [ebp - 0x10], 0
            //   8b4618               | mov                 eax, dword ptr [esi + 0x18]

        $sequence_7 = { 720b 8b7124 8bd0 eb04 8b542410 ff74241c 8b4914 }
            // n = 7, score = 200
            //   720b                 | jb                  0xd
            //   8b7124               | mov                 esi, dword ptr [ecx + 0x24]
            //   8bd0                 | mov                 edx, eax
            //   eb04                 | jmp                 6
            //   8b542410             | mov                 edx, dword ptr [esp + 0x10]
            //   ff74241c             | push                dword ptr [esp + 0x1c]
            //   8b4914               | mov                 ecx, dword ptr [ecx + 0x14]

        $sequence_8 = { 33c8 8bc6 c1e80a 33c8 8b442470 }
            // n = 5, score = 200
            //   33c8                 | xor                 ecx, eax
            //   8bc6                 | mov                 eax, esi
            //   c1e80a               | shr                 eax, 0xa
            //   33c8                 | xor                 ecx, eax
            //   8b442470             | mov                 eax, dword ptr [esp + 0x70]

        $sequence_9 = { 8b7508 ff501c 3bf0 0f86d1000000 6a0a 8d45b0 56 }
            // n = 7, score = 200
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   ff501c               | call                dword ptr [eax + 0x1c]
            //   3bf0                 | cmp                 esi, eax
            //   0f86d1000000         | jbe                 0xd7
            //   6a0a                 | push                0xa
            //   8d45b0               | lea                 eax, dword ptr [ebp - 0x50]
            //   56                   | push                esi

    condition:
        7 of them and filesize < 1091584
}
Download all Yara Rules