Threat Watch

Ransomware Group Searches for Evidence of Illegal Activity When Attacking Companies

Researchers at Palo Alto have outlined the details of a new attack campaign by the Mespinoza ransomware group, also known as PYSA. The group has been around since April 2020 and is known to target victims all over the world, though it mainly focuses on companies in the US. Its victims have spanned multiple industries, including manufacturing, education, retail, engineering, and government. In its most recent attacks, the group uses compromised credentials, likely stolen through phishing, to access a company’s network through Remote Desktop Protocol (RDP) and gain an undetected foothold. The group then searches for any documents, email, or other material containing compromising information that could be used for blackmail and double extortion, in addition to the ransomware extortion itself. The group takes the attack a step further by installing an additional backdoor on the victim’s network, giving it persistence in the environment.
The group has asked for ransoms of up to 1.5 million dollars. The ransom amount likely changes based on the sensitivity of the information the group can find on a victim’s network for use in blackmail. By carefully reviewing a company’s documents before launching the ransomware itself, the group has been able to keep its ransom demands high, which has been very profitable, and it shows no signs of slowing down. RDP has continued to be a common attack vector for threat groups because so many people are working from home, and many remote access solutions have become a security problem for companies that do not have them configured correctly. Employees should be aware of phishing emails attempting to steal their credentials; in this case, the group relies on legitimate credentials to log in over RDP so that the attack goes undetected. Implementing a strong VPN solution, keeping servers updated with security patches, and requiring Multi-Factor Authentication (MFA) for all remote logins are all important steps to keep attackers from exploiting remote access, even if they obtain a user’s password. Proper monitoring should be in place to identify attacks quickly. This includes monitoring such as Binary Defense’s Managed Detection and Response, which looks for attacks being carried out through behavior-based detection and works to stop them through 24/7 Security Operations and response.
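The behavior described above, a valid account logging in over RDP from somewhere it normally does not, is something a monitoring team can look for directly. The script below is an added example, not code from the original article or from Binary Defense: it runs a simple detection over constructed logon records whose field names are assumptions loosely modeled on Windows Security event 4624 (LogonType 10 is the RemoteInteractive, i.e. RDP, logon type), and flags successful RDP logons that come from outside assumed corporate address ranges or that pair a user with a host not seen in a baseline.

```python
# Added example (not from the original article): flag RDP logons that match the
# pattern in the text -- a legitimate account used over RDP from an unexpected
# place. Records are constructed samples; field names are assumptions, not a
# real log schema. Event 4624 = successful logon, logon_type 10 = RDP.
import ipaddress

SAMPLE_EVENTS = [  # constructed sample data
    {"event_id": 4624, "logon_type": 10, "user": "jsmith", "host": "FS01", "src_ip": "10.20.1.15"},
    {"event_id": 4624, "logon_type": 10, "user": "jsmith", "host": "FS01", "src_ip": "203.0.113.45"},
    {"event_id": 4624, "logon_type": 3, "user": "svc_backup", "host": "DC01", "src_ip": "10.20.1.7"},
    {"event_id": 4624, "logon_type": 10, "user": "adoe", "host": "DC01", "src_ip": "198.51.100.9"},
    {"event_id": 4625, "logon_type": 10, "user": "adoe", "host": "DC01", "src_ip": "198.51.100.9"},
]

# Assumed corporate ranges; a real deployment would load these from the VPN/LAN inventory.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip):
    """True if the source address falls inside one of the corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def find_suspicious_rdp_logons(events, known_pairs=None):
    """Return alerts for successful RDP logons (4624 / type 10) that come from
    outside the corporate ranges or are a first-seen (user, host) pairing.
    known_pairs: set of (user, host) tuples observed during a baseline period."""
    seen = set(known_pairs or ())
    alerts = []
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 10:
            continue  # only successful RDP logons are of interest here
        pair = (e["user"], e["host"])
        reasons = []
        if not is_internal(e["src_ip"]):
            reasons.append("external source")
        if pair not in seen:
            reasons.append("first-seen user/host pair")
        seen.add(pair)  # later logons of the same pair are no longer "first seen"
        if reasons:
            alerts.append({"user": e["user"], "host": e["host"],
                           "src_ip": e["src_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rdp_logons(SAMPLE_EVENTS, known_pairs={("jsmith", "FS01")}):
        print(alert)
```

The same logic extends naturally to other signals from the text, such as flagging an RDP logon outside an account's normal working hours, once a baseline of typical activity exists.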