Mespinoza group said to use Pysa ransomware to actively target healthcare organizations


The U.S. Department of Health & Human Services’ Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare and public health sector organizations of the ‘Mespinoza’ cybercriminal group, which is also known as Gold Burlap and Cyborg Spider. The group is said to operate Pysa ransomware, among other cyber weapons, and has been active since 2018, with a history of targeting many industries, including healthcare, and continues to develop its capabilities and increase targeting frequency.

Many of the fundamental operational aspects of the Mespinoza group and the Pysa ransomware variant are not significantly different from those of other similar cybercriminal groups and ransomware families, the HC3 said in its advisory.

Mespinoza “is a financially-motivated cybercriminal group initially observed engaging in cyberattacks in October 2018. They developed and operated their own ransomware variant (PYSA), which after undergoing several updates, began encrypting victim files with the .pysa extension in December 2019. They also regularly use a number of other tools including ADRecon, Advanced Port Scanner, DNSGo RAT, Mimikatz, PEASS and PowerShell Empire,” according to the HC3 guidance.

By the end of 2020, cybercrime intelligence firm Intel471 considered them to be a ‘rising power’ and as of November last year, they are known to have accumulated at least 190 global victims via ransomware attacks alone, it added. 

Pysa is cross-platform ransomware, with versions written in both C++ and Python, according to the HC3. Mespinoza operates a leak site called ‘Pysa’s Partners,’ which it uses for name-and-shame tactics to apply additional pressure on victims to pay ransoms. Mespinoza is not known to operate as ransomware as a service (RaaS).

The top five countries targeted by the Pysa ransomware are the U.S., U.K., Canada, Spain, and Brazil, HC3 said.

The HC3 advisory said that the Pysa ransomware often follows a standard execution flow that begins by creating a mutual exclusion object (mutex), which it does for the same reason legitimate applications do: to ensure that two processes or threads don’t attempt to write to the same memory space simultaneously. It then begins its basic reconnaissance by enumerating the drives on the victim system through the operating system’s application programming interfaces (APIs). Once it identifies drives, it compares them to a whitelist and then begins to identify individual files for encryption, which it encrypts with AES-256 (Advanced Encryption Standard) and renames with the extension .pysa, hence the variant’s name, it added.

“It then creates two registry keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, one with the name ‘legalnoticetext’ having the ransom note as its value and one named ‘legalnoticecaption’ having the value ‘PYSA’. It then releases the mutex and creates and executes a batch file (update.bat) which contains the self-deletion commands,” the advisory added.
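The host indicators the advisory lists (the legal-notice values written under the Policies\System registry key, the mass renaming of files to the .pysa extension, and the update.bat self-deletion batch file) are the kind of artefacts a SOC can hunt for in endpoint telemetry. The script below is an added example, not code from HC3 or the article; it runs the checks over a small set of constructed, Sysmon-style events (the event field names, the process paths, the ransom-note placeholder and the five-rename threshold are all assumptions made for the example, not values taken from the advisory).

```python
"""Hunt for the Pysa/Mespinoza host indicators described in the HC3 advisory.

The events below are CONSTRUCTED sample telemetry in a Sysmon-like shape
(assumed field names), not real data from an incident.
"""
from collections import Counter

# Registry location and value names quoted in the advisory.
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
NOTICE_VALUES = {"legalnoticecaption", "legalnoticetext"}
PYSA_EXT = ".pysa"

MASS_RENAME_THRESHOLD = 5          # assumed tuning value, not from the advisory
SYSTEM_DIR = "c:\\windows\\"       # assumption: legit banner writers live under here


def _norm(path: str) -> str:
    """Lower-case a Windows path and unify slashes so comparisons are stable."""
    return path.replace("/", "\\").strip().lower()


def detect_pysa_indicators(events):
    """Return a list of findings ({severity, indicator, detail[, count]})."""
    findings = []
    pysa_renames = Counter()       # renames to .pysa, keyed by the renaming process

    for ev in events:
        kind = ev.get("type")
        image = _norm(ev.get("image", ""))

        if kind == "registry_set":
            if _norm(ev["key"]) != _norm(POLICY_KEY):
                continue
            name = ev["value_name"].lower()
            if name not in NOTICE_VALUES:
                continue
            data = str(ev.get("data", ""))
            if name == "legalnoticecaption" and data.strip().upper() == "PYSA":
                # The caption value the advisory attributes to Pysa.
                findings.append({"severity": "high",
                                 "indicator": "legalnoticecaption set to PYSA",
                                 "detail": image})
            elif not image.startswith(SYSTEM_DIR):
                # A logon banner rewritten by something that is not a system
                # component (e.g. group policy) deserves a look on its own.
                findings.append({"severity": "medium",
                                 "indicator": f"{name} written by non-system process",
                                 "detail": image})

        elif kind == "file_rename":
            if _norm(ev["dst"]).endswith(PYSA_EXT):
                pysa_renames[image] += 1

        elif kind == "process_create":
            if "update.bat" in _norm(ev.get("command_line", "")):
                # Generic file name, so only medium on its own; strong in context.
                findings.append({"severity": "medium",
                                 "indicator": "update.bat executed (self-deletion step)",
                                 "detail": ev.get("command_line", "")})

    for image, n in pysa_renames.items():
        sev = "high" if n >= MASS_RENAME_THRESHOLD else "medium"
        findings.append({"severity": sev, "indicator": "mass rename to .pysa",
                         "detail": image, "count": n})
    return findings


# Constructed sample events: one infected-host sequence plus two benign decoys.
_BAD = r"C:\Users\Public\svchost.exe"            # hypothetical dropped binary
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": POLICY_KEY, "value_name": "legalnoticecaption",
     "data": "PYSA", "image": _BAD},
    {"type": "registry_set", "key": POLICY_KEY, "value_name": "legalnoticetext",
     "data": "<constructed ransom note placeholder>", "image": _BAD},
] + [
    {"type": "file_rename", "src": rf"C:\Shares\Finance\doc{i}.xlsx",
     "dst": rf"C:\Shares\Finance\doc{i}.xlsx.pysa", "image": _BAD}
    for i in range(5)
] + [
    # Benign: ordinary backup rename by Explorer.
    {"type": "file_rename", "src": r"C:\Temp\notes.txt", "dst": r"C:\Temp\notes.bak",
     "image": r"C:\Windows\explorer.exe"},
    # Benign: group policy setting the usual "authorised use" banner.
    {"type": "registry_set", "key": POLICY_KEY, "value_name": "legalnoticecaption",
     "data": "Authorized use only", "image": r"C:\Windows\System32\gpupdate.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Users\Public\update.bat"},
]

if __name__ == "__main__":
    for f in detect_pysa_indicators(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper():6}] {f['indicator']}: {f['detail']}"
              + (f" (x{f['count']})" if "count" in f else ""))
```

The benign decoys matter as much as the hits: a legal-notice banner is routinely set by group policy, and update.bat is a generic name, so each of those is only a medium signal on its own and the value of the rule comes from the combination with the PYSA caption and the burst of .pysa renames from one process.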

Although the Pysa variant has only been known to operate since December 2019, it quickly became one of the more prolific threats against healthcare. The HC3 advisory said that in 2020 it was one of the top ten ransomware variants used to target healthcare, according to CrowdStrike data, ahead of many other known variants such as Clop, LockBit, Nemty, RagnarLocker, Avaddon, MountLocker, and SunCrypt.

The Federal Bureau of Investigation (FBI) in March last year identified a rise in Pysa ransomware targeting education institutions in 12 U.S. states and the U.K. The agency said at the time that the Pysa malware was capable of exfiltrating data and encrypting users’ critical files and data stored on their systems. The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries. These actors use PYSA to exfiltrate data from victims prior to encrypting victims’ systems, using the stolen data as leverage to elicit ransom payments.

The CyberPeace Institute also reported last month on ransomware groups targeting healthcare during the pandemic. It found Pysa to be one of the most aggressive of all ransomware groups in targeting healthcare over the last two years. Its data also shows Pysa as having launched some of the largest ransomware attacks against health targets during the pandemic.
