Written by: Eldar Azan
The COVID-19 pandemic has created a perfect opportunity for cyber-criminals to step up their attacks. Advanced Persistent Threat (APT) groups always seem to leverage crises – such as the pandemic – to create topical campaigns, such as using Coronavirus instructions and attachments to masquerade and hide malware.
These types of attacks have been used to target every type of institution, from banks and financial services providers to government institutions. Most commonly, these attacks use ransomware – including the recently popular Mespinoza, also known as Pysa due to the .pysa extension appended during encryption.
Mespinoza was first seen in the wild around October 2019, used by an unknown APT group. The purpose of the ransomware is to restrict user access to the private or business-critical files in the organization, encrypt these files, and spread the ransomware across the network to encrypt as many files related to the organization as possible.
The attackers demand payments from the victims to retrieve the files which were stolen or encrypted, usually using encrypted emails and the company’s website to contact the victims. Attackers also rely on Bitcoin as the payment method because of its ability to keep anonymous any identities during a transaction.
Mespinoza was first discovered in October 2019, but its first real large-scale campaign came a year later, in October 2020. Mespinoza (or Pysa) is associated with an unknown French APT group and was successfully deployed in an attack when the group claimed responsibility for a cyberattack on the East London Hackney Council – the local government authority for Borough of Hackney. The Council houses sensitive citizen information and is the billing authority for taxes.
According to security researchers, Mespinoza has successfully stolen important data such as passports, rent bills, crew data, and intelligence information on the security community. The data stolen in successful Mespinoza/Pysa attacks has been leaked on public-facing websites.
Mespinoza or Pysa holds a Python variant of the ransomware that can easily be executed using a Python interpreter.
Unlike other ransomware, Pysa does not delete shadow copies before encryption, which means that backups will provide a viable countermeasure to remediate the attack.
The file’s magic bytes indicate that the file is Portable Executable for Microsoft Windows.
|Magic bytes||4D 5A 90 00 03 00 00|
|File size||500.00 KB (512000 bytes)|
|File type||PE32 executable Win32 EXE|
First, we verify that the file is an executable and not packed before dynamically analyzing it.
Next, we review the static strings and imports of the file that indicate where to look when dynamically executing:
Mespinoza.exe spawns a command-line child process “ShellExecute”, as we suspected from the static analysis.
This command will execute the batch file.
Functionality and Behavior
Much like other ransomware variants, Mespinoza produces two separate lists.
The first list is the whitelist, or the exclude list. These paths will be excluded from the encryption process to allow the victim access to the payment process and the data decryption. The malware won’t encrypt crucial files for the operating system, but will focus on the important data saved on the endpoint.
The second list is the blacklist. This list contains extensions that the malware will target for encryption by adding to the original extension a .pysa extension with encryption. These files won’t be accessible to the user without the decryption key.
Found in the memory strings
Among the first files that the malware encrypts are the debugging tools that exist in the operating system, adding a .pysa extension. This technique can be used by the authors of ransomware to avoid analysis, thus extending the life of the ransomware attack.
The ransomware note usually contains instructions about payment information and consequences if the instructions are not followed.
In every path that the malware encrypts files, a “Readme” note is dropped to the same path.
The ransomware note contains instructions on how to decrypt the data along with email and domain contact details.
Sample Mespinoza or Pysa note:
The purpose of the persistency technique used by the malware is to ensure that the processes will remain able to communicate and that the attack will be completed even if it is interrupted (which means the malware will continue running in the backgrouond even after rebooting and logging back in). This technique could be implemented via known common methods such as Registry Keys, Schedule Task, DLLs Applications, Startup Folders, Process Injections, etc.
In this case, we are witnessing the persistence of the ransomware note.
Changing values on the following registry key using the API call “RegSetValueEx”
These registry keys are responsible for displaying messages during the Windows startup.
After rebooting the system we receive the following message:
The next step of the attack is to clean the malware’s tracks. Mespinoza creates a batch script file that is executed in the last phase of the attack.
The batch file is created in the following path:
Example of data leaked on a public-facing website is shown below.
Cynet 360 protects your environment against this type of attack by detecting and preventing it from executing its malicious activities on hosts where the Cynet agent is deployed.
Note that our environment action is set to alert only, so as not to interrupt the Mespinoza ransomware flow. This lets Cynet detect every step of the attack.
The attack flow is detected using several detection mechanisms:
Malicious binary – Cynet detects a file that is flagged as malicious in Cynet’s EPS (endpoint scanner) built-in threat intelligence database. This database contains only critical IOCs (such as IOCs of ransomware, hacking tools, etc.).
Attempt to Run – Cynet’s AV/AI engine detects a malicious file that was loaded into memory.
File Dumped on the Disk – Cynet’s AV/AI engine detects a malicious file that was dumped on the disk.
Memory Pattern – Cynet detects when a file is loaded into memory and runs unique memory strings associated with the malware.
Ransomware Heuristic – Cynet detects suspicious behavior which can be associated with Ransomware (such as changing file extensions to “.Lock”).
Additionally, in many cases we have observed a pattern where ransomware targets vssadmin.
Advanced Detection Technology – Cynet detects execution of a command related to vssadmin activity. Vssadmin can be used to delete all the backups on the hosts and can be related to ransomware activity.
(Not related to the sample investigation.)
The Cynet CyOps team is available to clients 24×7 for any issues, questions, or comments related to Cynet 360. For additional information, you may contact us directly at:
CyOps Mailbox – [email protected]
CyOps Team Leader – [email protected]
CyOps Manager – [email protected]
Israel +972 72-3369736
UK +44 2032 909051
US +1 (347) 474-0048