How Pysa/Mespinoza Captured the World’s Attention

After a number of ransomware operators were arrested in the United States, the Pysa ransomware crew added more than 100 victims to its leak site at once.

The names of more than 50 companies, universities, and organizations have been added to the list of victims on the group’s leak site. In March, the FBI labeled the organization Mespinoza for targeting “higher education, K-12 schools, and seminaries.”

According to the FBI, at least 12 educational institutions in the United States and the United Kingdom had been targeted by the ransomware. The same year, the French National Agency for the Security of Information Systems issued a similar warning. Multiple ransomware specialists questioned the release’s timing, noting Pysa’s habit of waiting before adding new victims to its leak site.

Recorded Future ransomware expert Allan Liska said he did not believe all of the organizations listed on the site were new victims.

“We have seen them take six months, and even longer, from when a victim is first hit to when [stolen data] is published,” Liska said.

“This could be all the victims they have been stalling on publishing data, but it would represent more victims than we have seen from them the rest of the year. It is a lot of different organizations, from around the world, with no theme.”

Pysa names and shames its victims weeks, or even months, after the attacks take place, which distinguishes it from other ransomware gangs, according to Emsisoft threat analyst Brett Callow. He noted that it was fascinating that they released so many names at once.

The dump occurred as law enforcement in the United States, Europe, and other regions took harsh measures against a number of ransomware organizations.

After US government officials from the Department of Justice, Treasury, and FBI announced a slew of actions against members of the REvil ransomware organization, as well as sanctions on firms that help ransomware organizations launder criminal proceeds, authorities from dozens of countries arrested more than 80 people across three continents.

“Operation GoldDust” has involved EU law enforcement agencies working with Europol, Eurojust, Interpol, and other law enforcement organizations for the past six months to tackle multiple ransomware organisations.

The effort involved 17 nations, and hundreds of suspects have been detained in connection with ransomware organizations across Europe. This followed an operation that resulted in REvil shutting down for a second time.

The timing of Pysa’s dump, according to Callow and Liska, was odd given the measures being taken by law enforcement.

“You can’t help but wonder whether their doing so now is in response to the news in relation to REvil — either a middle finger to law enforcement or, perhaps, an expression of confidence in case any of their affiliates are starting to get cold feet,” Callow said.

Liska agreed that it appeared as though Pysa was “giving the finger” to law enforcement after a tough day for ransomware organizations. The FBI revealed in its March announcement that Pysa, which emerged in 2019, is recognized for exfiltrating data from victims before encrypting their systems “to use as leverage in extortion.”

According to the FBI notice, Pysa has launched attacks on a wide range of organizations, including educational institutions, foreign governments, private businesses, and the healthcare sector.

“In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom,” the FBI said in the notice.

“The cyber actors have uploaded stolen data to MEGA.NZ, a cloud storage and file sharing service, by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer. However, in the past, actors have used other methods of exfiltrating data that leaves less evidence of what was stolen.”
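Added example, not from the article or the FBI notice: a small Python detection routine that flags both MEGA paths the notice describes (uploads through the MEGA website and use of the MEGA client) by joining constructed proxy and process-creation logs per host. The log layout, host names, process names and the upload-size threshold are assumptions.

```python
import re
from collections import defaultdict
# Assumed indicators: MEGA web/API domains and MEGA client binaries.
MEGA_DOMAINS = re.compile(r"(^|\.)mega(\.co)?\.nz$", re.IGNORECASE)
MEGA_PROCESSES = {"megasync.exe", "megacmd.exe"}
UPLOAD_BYTES_THRESHOLD = 50 * 1024 * 1024  # 50 MiB sent to MEGA (assumed)
# Constructed proxy log lines: "<host> <method> <domain> <bytes_sent>"
PROXY_LOGS = [
    "ws-finance-07 POST mega.nz 734003200",
    "ws-finance-07 GET www.example.org 1200",
    "ws-hr-12 GET mega.co.nz 4096",
    "srv-file-01 POST g.api.mega.co.nz 2147483648",
]
# Constructed process-creation events: "<host> <image_path>"
PROCESS_LOGS = [
    r"ws-hr-12 C:\Users\jdoe\AppData\Local\MEGAsync\MEGAsync.exe",
    r"srv-file-01 C:\Program Files\MEGAcmd\MEGAcmd.exe",
    r"srv-file-01 C:\Windows\System32\svchost.exe",
]

def mega_upload_hosts(proxy_logs, threshold=UPLOAD_BYTES_THRESHOLD):
    """Hosts that POSTed more than `threshold` bytes to a MEGA domain."""
    sent = defaultdict(int)
    for line in proxy_logs:
        host, method, domain, nbytes = line.split()
        if method == "POST" and MEGA_DOMAINS.search(domain):
            sent[host] += int(nbytes)
    return {h for h, b in sent.items() if b > threshold}

def mega_client_hosts(process_logs):
    """Hosts on which a MEGA client binary was started."""
    hosts = set()
    for line in process_logs:
        host, image = line.split(maxsplit=1)
        if image.rsplit("\\", 1)[-1].lower() in MEGA_PROCESSES:
            hosts.add(host)
    return hosts

def mega_exfil_alerts(proxy_logs, process_logs):
    """Per-host findings; both indicators on one host raise the severity."""
    uploads = mega_upload_hosts(proxy_logs)
    clients = mega_client_hosts(process_logs)
    alerts = {}
    for host in uploads | clients:
        reasons = []
        if host in uploads:
            reasons.append("bulk upload to MEGA")
        if host in clients:
            reasons.append("MEGA client executed")
        alerts[host] = ("high" if len(reasons) == 2 else "medium", reasons)
    return alerts
```

A host that both runs the client and pushes a large volume to MEGA is rated high; either indicator alone is medium, since small GETs to mega.nz are common benign traffic.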

Emsisoft provided a profile on the ransomware group in July, stating that they operate using the ransomware-as-a-service business model and frequently dump stolen data “even after the victim firm has paid the ransom.”

Emsisoft advised victims against cooperating with the group, noting that files encrypted by Mespinoza can be recovered only if the victim obtains the decryption keys.

“Since Mespinoza was first discovered, there have been 531 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files,” Emsisoft researchers wrote in July.

“We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 2,124 Mespinoza incidents since the ransomware’s inception. During this time, the group has also published on its leak site the stolen data of at least 104 organizations.”