Report sheds light on 'cocky' but 'creative' Mespinoza ransomware group
2021-07-15 10:00

Palo Alto Networks' Unit 42 has probed the methods and tactics of the Mespinoza ransomware group, finding its messaging "cocky" and its tools blessed with "creative names" - but it turned up no evidence to suggest the group has shifted to ransomware-as-a-service.

The Mespinoza group, while not as prolific as the better-known REvil, has enjoyed considerable success from its activities: Unit 42's investigation showed victims paying up to $470,000 per incident to unlock their files, primarily from targets in the US and UK - including an attack on Hackney Council in October last year.

While the presence of the latter in the target list may suggest a particular lack of moral fibre, the group was found least likely to target charities, defence organisations, and religious groups - though whether out of respect for their work or an understanding that bigger payouts can be had elsewhere was not clear.

Unit 42's investigation also turned up evidence to suggest that earlier reports that the Mespinoza group was following in REvil's footsteps and offering ransomware-as-a-service are wrong-footed.

"We have not observed this behaviour from the group," the report explained, "based on the ransomware cases we've investigated."

Once a target is compromised, the group is "extremely disciplined" in its approach, the report claimed.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/07/15/mespinoza_ransomware_profile/