Source: Ransomware Graphic by Charlie Coombs

The State of Ransomware

Ransomware attacks continue to grow, inflicting damage on almost every business around the globe. According to research, a company is attacked by a cybercriminal every 11 seconds, and damages caused by these attacks are expected to exceed $20 billion in 2021.

Source: Deloitte Cyber Threat Intelligence Report 2020

Over the years, some notable ransomware attacks have crippled many businesses and forced them to pay hefty ransoms.

Source: SafetyDetectives

Below are some of the attack vectors involved in ransomware attacks recorded in the year 2020.

Source: Trend Micro, Stages of Ransomware Attack 2020

PYSA (Mespinoza) Ransomware Overview

In the upcoming sections, we discuss a financially motivated threat actor, “PYSA” (a.k.a. Mespinoza), whose targets have included government, financial, IT, health care, educational institutions, and the public sector. This ransomware was first identified in October 2018. An updated version of this ransomware was seen in December 2019. PYSA is dangerous malware known for encrypting critical user files on the system. Victims must pay the ransom to get the decryption key for unlocking the encrypted files.

PYSA targeted countries including Australia, Brazil, Canada, Colombia, France, Germany, Italy, Mexico, Spain, the United Kingdom, and the United States.

Source: Security Boulevard

Technical Analysis

PYSA (Mespinoza) has various indicators of compromise; it infects targets using different tactics and takes advantage of particular vulnerabilities. We discuss some of these tactics here.

Mespinoza has been classified as a modern threat actor that targets high-value resources and breaches their networks before manually installing ransomware.

Mespinoza ransomware first appeared in October 2019 and spread via spam emails. The initial version of this ransomware encrypted targeted files with the “.locked” extension. The newer version of this ransomware appeared in December 2019. Its encrypted file extension was “.pysa”, hence the name PYSA was given to this ransomware.

The attackers leave a ransom note in the “Readme.README” file. The note states that all files and backups on the drive have been encrypted. The victims are advised not to restart the computer and to contact the given email addresses. The attackers offer to decrypt any two files that do not exceed 2 MB.

Source: Ransomware Note, PCrisk

Below is a screenshot of the files infected by the Mespinoza ransomware.

Source: PCrisk

Initial Access / Exploitation Techniques Used

France’s cyber-security agency CERT had already warned that Mespinoza was targeting local government networks. The threat group gained initial access by brute-forcing Remote Desktop Protocol (RDP) services exposed to the internet. The attackers then deployed the credential dumping tool Mimikatz, together with reconnaissance tools such as Advanced IP Scanner and Advanced Port Scanner.

According to the DFIR Report, the intrusion began when the attackers were able to use RDP, which was exposed to the internet on a Windows-based machine. The adversaries used a valid Administrator account to log in to the machine. During the investigation, it was found that the login was made from a Tor exit node. Three different Tor exit nodes were used to maintain access to the breached environment. The account used to gain initial access had enough privileges to initiate lateral movement and reach the domain controller. Empire, a post-exploitation framework (PowerShell Windows agent), was used in conjunction with network scanning. The Empire C2 server remained active throughout the intrusion and served as an alternate channel if the RDP connection was cut off. Lateral movement was mainly done using different legitimate accounts over RDP, and PsExec was used to execute scripts for credential dumping.

After initial access, the threat actor started to disable security features using the Local Security Policy editor and other similar tools. According to researchers, an offensive tool, Koadic, was used. Koadic is a post-exploitation tool that can remain in memory using VBScript and JScript. The threat actors then executed PowerShell scripts and the ransomware executables. The script ensured that defense mechanisms, including the firewall, did not get in the way: RDP access was maintained and the ransomware was able to encrypt the files.
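The RDP brute-forcing and the Administrator logon from Tor exit nodes described above can be hunted for in exported Windows Security logon events. The following is an added example, not code from the reports cited on this page; the CSV layout, thresholds, addresses and exit-node set are constructed assumptions, while event IDs 4624/4625 and logon type 10 are the standard Windows values.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: time, event ID, logon type, account, source IP.
# 4625 = failed logon, 4624 = successful logon, type 10 = RemoteInteractive (RDP);
# failed RDP logons can also be recorded as type 3 (network) when NLA is enabled.
SAMPLE_LOG = """\
2021-03-01T02:10:01,4625,3,Administrator,203.0.113.7
2021-03-01T02:10:03,4625,3,Administrator,203.0.113.7
2021-03-01T02:10:05,4625,3,Administrator,203.0.113.7
2021-03-01T02:10:07,4625,3,Administrator,203.0.113.7
2021-03-01T02:10:09,4625,3,Administrator,203.0.113.7
2021-03-01T02:11:30,4624,10,Administrator,203.0.113.7
2021-03-01T08:02:11,4625,10,jsmith,10.0.0.20
2021-03-01T08:02:40,4624,10,jsmith,10.0.0.20
2021-03-02T03:45:00,4624,10,Administrator,198.51.100.23
"""

# Constructed stand-in for a Tor exit-node list (documentation-range addresses).
TOR_EXITS = {"203.0.113.7", "198.51.100.23", "192.0.2.99"}
WINDOW = timedelta(minutes=10)  # look-back window for failed logons
THRESHOLD = 5  # failures from one source inside WINDOW treated as brute forcing


def parse(log_text):
    for ts, event_id, logon_type, account, ip in csv.reader(io.StringIO(log_text)):
        yield datetime.fromisoformat(ts), int(event_id), int(logon_type), account, ip


def analyze(log_text, tor_exits=TOR_EXITS):
    """Flag RDP logons that follow a failure burst or come from a Tor exit."""
    failures = defaultdict(list)  # source IP -> timestamps of failed logons
    alerts = []
    for ts, event_id, logon_type, account, ip in sorted(parse(log_text)):
        if event_id == 4625 and logon_type in (3, 10):
            failures[ip].append(ts)
        elif event_id == 4624 and logon_type == 10:
            recent = [t for t in failures[ip] if ts - t <= WINDOW]
            reasons = []
            if len(recent) >= THRESHOLD:
                reasons.append("success_after_bruteforce")
            if ip in tor_exits:
                reasons.append("tor_exit_source")
            if reasons:
                alerts.append({"time": ts.isoformat(), "account": account,
                               "source": ip, "reasons": reasons})
    return alerts
```

A successful logon with no preceding failures is still flagged when it comes from a listed exit node, which matches the case where the attacker already holds valid credentials.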

MITRE Techniques

The following are some of the MITRE techniques that were involved in the Mespinoza/PYSA attack:

  • External Remote Services – T1133
  • Valid Accounts – T1078
  • Graphical User Interface – T1061
  • Mshta – T1218.005
  • PowerShell – T1059.001
  • Local Account – T1087.001
  • Remote System Discovery – T1018
  • File and Directory Discovery – T1083
  • Domain Trust Discovery – T1482
  • Account Discovery – T1087
  • Scheduled Task – T1053.005
  • Lateral Tool Transfer – T1570
  • SMB/Windows Admin Shares – T1021.002
  • Remote Desktop Protocol – T1021.001
  • Credential Dumping – T1003
  • LSASS Memory – T1003.001
  • Process Discovery – T1057
  • Standard Application Layer Protocol – T1071
  • Exfiltration Over C2 Channel – T1041
  • Data Encrypted for Impact – T1486
  • Rundll32 – T1218.011

Security Recommendations

Given the aforementioned techniques used by threat groups, organizations should know how these ransomware threat groups operate and infect their targets. The ransomware attack stages can help organizations take immediate mitigation steps against the attack vectors that form the basis of initial compromise, e.g., phishing/spam emails and unpatched vulnerabilities.

Below are some security recommendations:

  1. Frequently Backing up data: Depending on the sensitivity of data stored on the systems and the risks associated with them, opt for a 3-2-1 backup strategy.
  2. Segregation of Network & Access Control over Shared drives: Segregate networks properly, keeping critical systems and servers in a DMZ behind a next-generation (NG) firewall where possible. Limit access to shared drives and folders on systems and servers. Turn off file sharing and shared resources to limit the propagation of ransomware to other devices on the network.
  3. Make use of Multifactor Authentication: Employ multi-factor authentication to minimize the risk associated with threat actors who use lateral movement to compromise systems.
  4. Update and Patch systems: Keep your systems, applications, and network devices updated, patching them as soon as vulnerabilities are discovered.
  5. Implement Least Privilege: Applying this strategy will deny users the ability to execute unwanted applications and tools that lead to malicious file execution.

Ransomware mitigation techniques are not limited to the above recommendations. There are many other techniques & best practices, such as NIST’s special publication NIST SP 1800-11, which provides detailed recommendations and case studies related to ransomware prevention & mitigation.