Strange Ransom Threat Actor Seeks Unusual Victims

The Mespinoza ransomware gang, also known by the alias PYSA, has come into the spotlight for its unusual approach to operations.

The group infiltrates networks the way most other ransomware outfits do, but once inside, Mespinoza hackers search for documentation, files or other evidence that might imply the victim of the hack is somehow aware of illegal activities. The group then uses this information as leverage to extort exorbitant amounts of ransom money from its victims.

Mespinoza have been called an "extremely disciplined" ransomware gang by researchers working with Palo Alto Networks. The report by Palo Alto's Unit42 focuses on the ever-shifting tactics that ransomware threat actors employ in their ongoing search for illegal profit.

Mespinoza have been on the radar of the infosec community for some time now. The group got big enough that the FBI published an alert specifically about them in March 2021. The report came in the wake of attacks on US educational institutions, including religious seminaries, as well as similar attacks targeting UK institutions.

Once Mespinoza breaches a network, the hackers start searching for very specific terms and keywords. If those are found, they launch the full-blown ransomware attack, encrypting the network and asking for huge ransoms, often in the millions. Mespinoza would search for words such as "fraud" or "driver license", just two of the examples published by Palo Alto.

The group also likes to refer to its ransomware victims as its "partners". Whether this is just for show or Mespinoza believes it is some kind of social engineering trick to get victims to cooperate is unclear.

Entities targeted by the Mespinoza hackers are located all over the world. The group has hit victims in continental Europe, Brazil, South Africa and Australia. The full list, according to Palo Alto's report, includes a total of 20 countries. The overwhelming majority of victims are located in the US.

While Mespinoza are no DarkSide group or REvil gang, the fact that they have carried out so many attacks and have been the specific focus of an FBI report shows that the group is successful. There is also no hard information about where Mespinoza is located.

July 15, 2021