Case Study: Mespinoza/Pysa Ransomware Attack
In early 2020, a Global Holding company experienced a cyber incident after detecting the encryption of some of its systems as part of a ransomware attack. The company's IT and security team began isolating the infected systems to stop the attack. At the same time, the company engaged the Check Point Incident Response Team (CPIRT) to conduct a root cause analysis and a wider compromise assessment of the company's network. CPIRT provided the technology and staff to conduct the investigation and assessment remotely: it analyzed the infected computers and used an agentless endpoint scanning technology to assess the rest of the company network.
The analysis of the company’s infected computers revealed that the company was infected with the Mespinoza/Pysa ransomware (See Fig. 1).
Figure 1. Mespinoza/Pysa ransom note.
Ransomware is malicious software (malware) installed on compromised systems to make the data stored on the infected devices unavailable, through encryption of the data and deletion of backups, for financial gain. Once the data is encrypted, the attackers demand payment of a ransom in exchange for decrypting it. The Mespinoza/Pysa malware is typically distributed via malspam, malvertising campaigns, exploit kits, drive-by downloads, and brute-forcing of accounts on servers that have RDP exposed to the Internet. Mespinoza encrypts data using AES-256, and the latest version appends the .pysa extension to all encrypted files.
The root cause analysis revealed that the company was compromised through a brute-force attack on a server exposed to the Internet via the Remote Desktop Protocol (RDP). Once that system was compromised, it was used to move laterally within the organization. The attacker deployed malicious PowerShell scripts and toolkits to steal passwords, then used compromised domain administrator accounts to access more systems in the company. In the final phase of the attack, the attacker deployed a PowerShell script that disabled the existing endpoint security and deleted existing backups and system restore points prior to encryption (See Fig. 2).
Figure 2. Mespinoza/Pysa Kill Script (PowerShell)
The attacker(s) spent more than a month between the initial brute-force attack and the encryption of the data.
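The initial access described above, an RDP brute force that eventually succeeds, leaves a recognizable trace in the Windows Security log: a burst of failed logons from one source followed by a successful remote-interactive logon from the same source. The following detection logic is an added example, not CPIRT's tooling or code from the case; the event records, addresses, accounts and threshold are constructed for illustration, while the event IDs and logon types are the real Windows identifiers.

```python
# Added example (not from the page): flag the RDP brute-force pattern in Windows
# Security log records. Event IDs 4625 (failed logon) and 4624 (successful logon)
# and logon type 10 (RemoteInteractive, i.e. RDP) are real Windows identifiers;
# the events, addresses and threshold below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source before we care
WINDOW = timedelta(minutes=10)  # sliding window for counting those failures

# Constructed records: (timestamp, event_id, logon_type, source_ip, account)
SAMPLE_EVENTS = [
    ("2020-01-10 02:00:01", 4625, 3, "203.0.113.7", "administrator"),
    ("2020-01-10 02:00:09", 4625, 3, "203.0.113.7", "administrator"),
    ("2020-01-10 02:00:17", 4625, 3, "203.0.113.7", "admin"),
    ("2020-01-10 02:00:26", 4625, 3, "203.0.113.7", "administrator"),
    ("2020-01-10 02:00:34", 4625, 3, "203.0.113.7", "administrator"),
    ("2020-01-10 02:00:41", 4625, 3, "203.0.113.7", "administrator"),
    ("2020-01-10 02:00:58", 4624, 10, "203.0.113.7", "administrator"),
    ("2020-01-10 02:05:00", 4625, 3, "198.51.100.5", "jsmith"),
    ("2020-01-10 02:05:30", 4624, 10, "198.51.100.5", "jsmith"),  # one typo, then ok
    ("2020-01-10 02:06:00", 4624, 2, "10.0.0.4", "jsmith"),       # console logon
]

def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (source_ip, account, failure_count) for every RDP success (4624,
    logon type 10) preceded by at least `threshold` failed logons from the same
    source within `window`. Failures are counted regardless of logon type, because
    RDP attempts rejected at Network Level Authentication are commonly logged
    with logon type 3 rather than 10."""
    failures = defaultdict(list)   # source_ip -> timestamps of recent failures
    alerts = []
    for ts_str, event_id, logon_type, src, account in sorted(events):
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            failures[src].append(ts)
        elif event_id == 4624 and logon_type == 10:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((src, account, len(recent)))
            failures[src].clear()  # a success resets the counter for that source
    return alerts

if __name__ == "__main__":
    for src, account, count in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT: {count} failed logons from {src} then RDP success as {account}")
```

A real deployment would feed this from exported Security log events (or an EDR/SIEM query) and tune the threshold and window to the environment; the same pattern stretched over the month-long dwell time described above is why a low, slow brute force is worth alerting on at a longer window as well.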
In addition to the root cause analysis, CPIRT used the indicators of compromise (IOCs) identified during the investigation to run a custom threat hunt across the rest of the company's network, provided active guidance to mitigate further damage and recover from the ransomware attack, and gave recommendations to close the gaps and minimize the risk of a similar incident recurring.