A new report profiling this notorious group shows an emerging trend of exploiting Remote Desktop Protocol (RDP) rather than investing in costly social engineering.

Imagine receiving a ransomware demand offering this advice: “What to tell my boss? Protect Your System, Amigo.”

This is the kind of ‘cocky’ attitude that the hackers behind the Mespinoza ransomware group exhibit consistently, according to a recently released profile by Unit 42.

The infamous group has been attacking organizations across the globe with ransom demands as high as US$1.6m, and actual payments as high as US$470,000. 

Other key findings on the group include: 

  1. Has global reach: 55% of victims identified on the leak site are in the United States. The rest are scattered across more than 20 other countries, including Australia, Canada, and the United Kingdom.
  2. Extremely disciplined: After accessing a new network, the group looks for files with keywords such as clandestine, fraud, ssn, driver*license and passport, which suggests it is hunting for the sensitive files that would have the most impact if leaked.
  3. Targets many industries: Victim organizations are referred to as “partners”, which suggests the group sees victims as business partners who fund its profits. The gang’s leak site has published data supposedly belonging to 187 victim organizations across industries including education, manufacturing, retail, medical, and government.
  4. Uses attack tools with creative names: A tool that creates network tunnels to siphon off data is called “MagicSocks”, and a component stored on the group’s staging server and likely used to wrap up an attack is named “HappyEnd.bat”.
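As an added defensive example (not code from the Unit 42 report or this article), the following Python turns the keyword list above into patterns and audits file paths against them, so an organization can see which of its own files would surface in such a search before an intruder runs it. The `driver*license` wildcard is kept within a single path component; the sample paths are constructed.

```python
import os
import re

# Keywords the report says the group hunts for; "driver*license" is a wildcard pattern.
MESPINOZA_KEYWORDS = ["clandestine", "fraud", "ssn", "driver*license", "passport"]


def compile_patterns(keywords):
    """Map each keyword to a case-insensitive regex.

    '*' may match anything except a path separator, so a wildcard cannot
    bridge two directory levels (e.g. 'driver_updates/license.txt').
    """
    return {
        kw: re.compile(re.escape(kw).replace(r"\*", r"[^/\\]*"), re.IGNORECASE)
        for kw in keywords
    }


def find_sensitive_names(paths, keywords=MESPINOZA_KEYWORDS):
    """Return {path: [matched keywords]} for every path whose name or
    directory components contain one of the keywords."""
    patterns = compile_patterns(keywords)
    hits = {}
    for path in paths:
        matched = [kw for kw, rx in patterns.items() if rx.search(path)]
        if matched:
            hits[path] = matched
    return hits


def scan_tree(root, keywords=MESPINOZA_KEYWORDS):
    """Walk a real directory tree and audit every file path in it."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return find_sensitive_names(paths, keywords)


# Constructed sample share listing (not real data).
SAMPLE_PATHS = [
    "/shares/hr/Employee_SSN_list.xlsx",
    "/shares/hr/Drivers_License_Scans/smith.pdf",
    "/shares/finance/Q3_fraud_review.docx",
    "/shares/it/passwords.txt",
    "/shares/legal/passport_copies.zip",
    "/shares/eng/driver_updates/license.txt",
]

if __name__ == "__main__":
    for path, kws in find_sensitive_names(SAMPLE_PATHS).items():
        print(f"{path}: {', '.join(kws)}")
```

Run `scan_tree("/path/to/share")` against an actual file share to produce the same report for real paths.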

Mespinoza attacks highlight several trends now seen across many ransomware threats. The attack comes in through the proverbial front door: internet-facing RDP servers. That obviates the need to craft phishing emails, perform social engineering, exploit software vulnerabilities, or undertake other more time-consuming and costly activities.

Further costs are saved by using the many open-source tools freely available online, or by using built-in tools that let the actors live off the land, all of which cuts expenses and raises profits.