Mespinoza, Pysa Ransomware Pose Threat to Healthcare Cybersecurity

January 11, 2022 - The Health Sector Cybersecurity Coordination Center (HC3) issued a brief to warn healthcare organizations of Mespinoza, a cybercriminal group known to operate Pysa ransomware. The group has been active since 2018 and has a history of targeting the healthcare sector, the brief explained.

Mespinoza also goes by Gold Burlap and Cyborg Spider and is primarily financially motivated. The group runs a leak site known as “Pysa’s Partners,” on which it uses “’name and shame’ tactics to apply additional pressure to compel victims to pay ransoms,” HC3 cautioned.

The group began its operations in October 2018 and developed its own ransomware variant, Pysa. By December 2019, the group had begun encrypting files with the .pysa extension. However, researchers have also observed the group using other tools such as Advanced Port Scanner, DNSGo RAT, PEASS, PowerShell Empire, and ADRecon.

“Although the Pysa variant has only been known to be operating since December 2019, it quickly became one of the more prolific threats against healthcare,” HC3 noted. HC3 identified Pysa as one of the top ten global healthcare threat actors in Q3 2021.

From a technical standpoint, Pysa is known to leverage Remote Desktop Protocol (RDP), PowerShell Empire, and Kodiac, among other command and control communications tools. As of May 2021, threat actors have been using Pysa ransomware to target VMWare ESXi systems for encryption. In March 2021, the FBI released a flash alert alerting organizations to these exploits.

“Many of the fundamental operational aspects of the Mespinioza group or Pysa ransomware variant are not significantly different than other similar cybercriminal groups or ransomware,” HC3 emphasized.

As a result, basic cybersecurity best practices should be adhered to in order to mitigate risk. HC3 recommended that organizations design and operate enterprise networks with defense in depth and the principle-of-least-privilege practices in mind.

“This includes architecting the network in a segmented way that balances security with operations, managing multiple layers of filtering and threat detection applications, and ensuring periodic reviews of user requirements and privileges,” the brief maintained.

“For healthcare operations, ransomware used to disrupt operations and data theft (for subsequent sale on the dark web) are two of the more significant threats and these principles can help defend against such attacks.”

Analysts also recommended protecting against the most common attack vectors by operating and maintaining a comprehensive vulnerability management program. Healthcare organizations should secure virtual private networks (VPNs) and applications that use RDP in order to minimize exposure.

Constand network monitoring, spam filtering, and endpoint security should be leveraged in order to prevent phishing attacks and exploitation. HC3 stressed the need for 24/7 network monitoring.

“An effort should be made to constantly gather and deploy indicators of compromise in accordance with the organizational risk management plan,” Hc3 concluded.

“It’s worth noting that infrastructure associated [indicators of compromise] often are often abandoned by cybercriminals after they become public but can also be reused over time as well.”