{
	"id": "d7fe20c8-5307-4ef1-b1b1-ccc8c257761e",
	"created_at": "2026-04-06T00:19:56.665356Z",
	"updated_at": "2026-04-10T13:12:52.055696Z",
	"deleted_at": null,
	"sha1_hash": "5e75110cab95c89fdc4c0a559ff5a2c3d68e27d8",
	"title": "Another one for the collection - mespinoza (pysa) ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 520696,
	"plain_text": "Another one for the collection - mespinoza (pysa) ransomware\r\nBy f0wL\r\nPublished: 2019-12-14 · Archived: 2026-04-05 21:05:33 UTC\r\nBack in October of 2019 the Mespinoza Ransomware family first surfaced via Malspam. On the 14th of\r\nDecember it returned with a new extension .pysa so let's see if any changes have been made.\r\nFun Fact: The Extension \"pysa\" is probably derived from the Zanzibari Coin with the same name. Apparently it's\r\nquite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption\r\nof your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/\r\nsources might be illegal depending on where you live.\r\nMespinoza (.pysa) @ AnyRun | VirusTotal | HybridAnalysis --\u003e sha256\r\na18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327\r\nAs always: Running Detect it easy on the executable:\r\nhttps://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html\r\nPage 1 of 8\n\nOne of the first things it will do is modify the SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\r\nRegistry Key to set the following values. That key holds the UAC settings as well as the legalnoticecaption/legalnoticetext\r\nvalues that control the pre-logon banner. Unfortunately I couldn't confirm this action in a sandbox with RegShot\r\nyet.\r\nTo retain basic functions of the Operating System Mespinoza will spare certain directories related directly to\r\nWindows and critical files.\r\nIt will also specifically look for SQL related processes. 
I will have to confirm this with a debugger, but most of the\r\ntime database processes are killed by ransomware to stop the service and release its locks on the database files, so that\r\nthey can be encrypted.\r\nOf course Mespinoza won't stop at the system drive: it also checks for connected removable media and mapped\r\nnetwork shares. GetDriveTypeW tells it which type of media the selected device belongs to.\r\nUp until now I have not seen a ransomware sample running verclsid.exe, so let's investigate: {0B2C9183-C9FA-4C53-AE21-C900B0C39965} corresponds to C:\\Windows\\system32\\SearchFolder.dll, and {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} is the IID of the OLE DB interface IDBProperties (verclsid's /I switch names an interface, not a class), which OLE DB data providers such as the one for Microsoft SQL Server implement. Keep in mind that verclsid.exe is the Windows shell extension verification host, which explorer.exe itself spawns to validate a shell extension before loading it, so the process showing up in a sandbox trace is not on its own proof that the sample launched it.\r\n\"C:\\Windows\\system32\\verclsid.exe\" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE\r\nAfter looking at a string dump I found this hex string which is probably the key blob. I'll try to verify this with\r\nx32dbg later.\r\n30820220300D06092A864886F70D01010105000382020D003082020802820201009CC3A0141B5488CD31B7D2DD49F9221483C\r\nThe leading bytes already identify it: 30 82 02 20 opens a DER SEQUENCE of 544 bytes, 06 09 2A 86 48 86 F7 0D 01 01 01 is the\r\nrsaEncryption OID (1.2.840.113549.1.1.1), and the modulus INTEGER (02 82 02 01) is 513 bytes long. In other words this is a\r\nSubjectPublicKeyInfo holding a 4096-bit RSA public key, not a symmetric key.\r\nTurns out that the encrypted key is appended to the end of each file affected by the ransomware (which is a\r\ncommon tactic for some strains).\r\nAs this article is work in progress I will update it as soon as I can. 
As I have not seen the malware delete the Volume Shadow Copies so far, one option for possible victims is to check\r\nwhether shadow copies survived (vssadmin list shadows from an elevated prompt) and to run PhotoRec or Recuva to\r\nlook for recoverable files.\r\nUpdate 22.01.2020:\r\nThere's a new version of the Mespinoza / .pysa variant, compiled on the 18th of January:\r\nMespinoza (.pysa) @ AnyRun --\u003e sha256\r\ne9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead\r\nIn the screenshot below you can see a comparison of the old sample (1.exe) and the new one (1.bin). Except for a\r\nfew minor changes the two samples are mostly identical:\r\nThe public key used by the criminals is still the same (converted from hex to raw, key blob located in the binary):\r\nMIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEA6dYN+TogNihncAJNXRhtUeyj7EQ/BIGbupIM\r\nq5PRI3a1+HqMXEk5vdb3NhzFBUoVhY/jTEE71flTwHM73q9PrgovaYSl8HeXZaU+HkqjF7Ofu4Qf+SDk\r\noPxcubX4cFYV1r97z9vcFgFehzk+9CofEnHWEo2N656QGRXeO0PaJX/riiL672KHzMDNKzfZQnmpMHL+\r\nKzeyJaaPVVz7V9qCCkjT+IT26xtG2jY5tggepfLQfB6ExxaoJ1j0GapQMIZ3k6F1AtBmfcNvyu3cW29a\r\nbIOCsu1QRzfq6iSau2xx0ZaRz0l3vgU79PCLtsGw7BNPtKZdDL9dA879aKWlDBIizc3lg4IpHxdf5MOT\r\nmpQR0kst3kyOieNlIjEAyewyRQ788o3qs8k9SS+89CD916AMEVqRcQH8ugBv5ocs0xAf+2bHe13ogIRc\r\niTz9ALTvtMSqhNptEBP/z+lIhuMTs2MrJRTaQLpVHUIlqAcQuLm8AHIYdGmBXEvUqPjRIo+L9Jb+P1XU\r\ncXYHvOZUBV0VFSOoyQeqiBeaYS+PhCV6TmTRHsH/8XkPt/eGXm3Dk4feYNaZ5a9uQKYc9Akt6G0N+P8T\r\n7zobyAWfQNqGFJhklh6JEAJw58XCJNdmETT68kfwtQ+XFB4caUHessaJ369lprAj4TjDUFfYkkm74ntG\r\n4nVtL+sCARE=\r\nThe Ransomnote contents stayed the same, except for the contact email addresses. 
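The key blob above is plain DER (a SubjectPublicKeyInfo), so its structure can be checked without any crypto library. Below is an added example, not code from the original post, that walks the DER with a minimal tag-length-value reader: it decodes the base64 blob quoted above (normalising the trailing padding, which the post prints as three equals signs) and returns the modulus size, the public exponent and the first modulus bytes, and it separately sniffs the truncated hex string from the strings dump quoted earlier in the post to show that the header alone is enough to identify a 4096-bit RSA public key even when the dump is cut off. The constant names, helper names and the truncated-input handling are this example's own; the two blobs are copied from the post as printed.

```python
# Added example (not from the original post): identify the RSA public key
# blob embedded in the PYSA sample by walking its DER encoding by hand.
import base64

# Base64 SubjectPublicKeyInfo exactly as printed in the post (January 2020 update).
PYSA_SPKI_B64 = (
    'MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEA6dYN+TogNihncAJNXRhtUeyj7EQ/BIGbupIM'
    'q5PRI3a1+HqMXEk5vdb3NhzFBUoVhY/jTEE71flTwHM73q9PrgovaYSl8HeXZaU+HkqjF7Ofu4Qf+SDk'
    'oPxcubX4cFYV1r97z9vcFgFehzk+9CofEnHWEo2N656QGRXeO0PaJX/riiL672KHzMDNKzfZQnmpMHL+'
    'KzeyJaaPVVz7V9qCCkjT+IT26xtG2jY5tggepfLQfB6ExxaoJ1j0GapQMIZ3k6F1AtBmfcNvyu3cW29a'
    'bIOCsu1QRzfq6iSau2xx0ZaRz0l3vgU79PCLtsGw7BNPtKZdDL9dA879aKWlDBIizc3lg4IpHxdf5MOT'
    'mpQR0kst3kyOieNlIjEAyewyRQ788o3qs8k9SS+89CD916AMEVqRcQH8ugBv5ocs0xAf+2bHe13ogIRc'
    'iTz9ALTvtMSqhNptEBP/z+lIhuMTs2MrJRTaQLpVHUIlqAcQuLm8AHIYdGmBXEvUqPjRIo+L9Jb+P1XU'
    'cXYHvOZUBV0VFSOoyQeqiBeaYS+PhCV6TmTRHsH/8XkPt/eGXm3Dk4feYNaZ5a9uQKYc9Akt6G0N+P8T'
    '7zobyAWfQNqGFJhklh6JEAJw58XCJNdmETT68kfwtQ+XFB4caUHessaJ369lprAj4TjDUFfYkkm74ntG'
    '4nVtL+sCARE='
)
# Truncated hex string from the strings dump, copied as printed (it ends mid-byte).
PYSA_HEX_PREFIX = ('30820220300D06092A864886F70D01010105000382020D00308202080282020100'
                   '9CC3A0141B5488CD31B7D2DD49F9221483C')
RSA_ENCRYPTION_OID = bytes.fromhex('2A864886F70D010101')   # 1.2.840.113549.1.1.1


def decode_b64_blob(text):
    '''Decode base64 whose trailing padding may be wrong (the post prints ===).'''
    body = text.rstrip('=')
    return base64.b64decode(body + '=' * (-len(body) % 4))


def read_tlv(buf, pos):
    '''Read one DER tag/length at pos and return (tag, value_start, value_end).
    value_end may lie beyond the buffer when the dump is truncated.'''
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], 'big')
        pos += count
    return tag, pos, pos + length


def expect(condition, message):
    if not condition:
        raise ValueError(message)


def parse_rsa_spki(der):
    '''Parse a complete SubjectPublicKeyInfo and describe the RSA key inside.'''
    tag, pos, end = read_tlv(der, 0)
    expect(tag == 0x30 and end == len(der), 'outer SEQUENCE length does not match blob')
    tag, pos, alg_end = read_tlv(der, pos)                 # AlgorithmIdentifier
    expect(tag == 0x30, 'missing AlgorithmIdentifier')
    tag, oid_start, oid_end = read_tlv(der, pos)
    expect(tag == 0x06 and der[oid_start:oid_end] == RSA_ENCRYPTION_OID, 'not rsaEncryption')
    tag, pos, bits_end = read_tlv(der, alg_end)            # BIT STRING (subjectPublicKey)
    expect(tag == 0x03 and der[pos] == 0 and bits_end == len(der), 'bad BIT STRING')
    tag, pos, key_end = read_tlv(der, pos + 1)             # RSAPublicKey SEQUENCE
    expect(tag == 0x30 and key_end == len(der), 'bad RSAPublicKey')
    tag, m_start, m_end = read_tlv(der, pos)               # modulus INTEGER
    expect(tag == 0x02, 'missing modulus')
    modulus = int.from_bytes(der[m_start:m_end], 'big')
    tag, e_start, e_end = read_tlv(der, m_end)             # publicExponent INTEGER
    expect(tag == 0x02 and e_end == key_end, 'missing exponent or trailing data')
    exponent = int.from_bytes(der[e_start:e_end], 'big')
    n_bytes = modulus.to_bytes((modulus.bit_length() + 7) // 8, 'big')
    return {'modulus_bits': modulus.bit_length(), 'exponent': exponent,
            'modulus_prefix': n_bytes[:3].hex().upper()}


def sniff_spki_prefix(hexstr):
    '''Identify a possibly truncated hex dump as an RSA SubjectPublicKeyInfo from
    its header alone. Returns None when the header does not match.'''
    buf = bytes.fromhex(hexstr[:len(hexstr) // 2 * 2])    # drop a dangling nibble
    try:
        tag, pos, total_end = read_tlv(buf, 0)
        if tag != 0x30:
            return None
        tag, pos, alg_end = read_tlv(buf, pos)
        tag, oid_start, oid_end = read_tlv(buf, pos)
        if tag != 0x06 or buf[oid_start:oid_end] != RSA_ENCRYPTION_OID:
            return None
        tag, pos, _ = read_tlv(buf, alg_end)               # BIT STRING
        tag, pos, _ = read_tlv(buf, pos + 1)               # RSAPublicKey SEQUENCE
        tag, m_start, m_end = read_tlv(buf, pos)           # modulus INTEGER
        if tag != 0x02 or buf[m_start] != 0:
            return None
    except IndexError:
        return None                                        # cut off inside the header
    return {'modulus_bits': (m_end - m_start - 1) * 8,     # minus the DER sign byte
            'modulus_prefix': buf[m_start + 1:m_start + 4].hex().upper(),
            'truncated': total_end > len(buf)}


if __name__ == '__main__':
    print('base64 blob:', parse_rsa_spki(decode_b64_blob(PYSA_SPKI_B64)))
    print('hex prefix :', sniff_spki_prefix(PYSA_HEX_PREFIX))
```

Running the block prints both results. The public exponent that comes out of the blob as printed is 17 rather than the 65537 that most toolkits default to, which is a handy fingerprint when diffing builds, and the modulus_prefix field lets you compare a key found in a strings dump against one carved from another sample without exporting either to a file.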
Here are the contents of\r\nReadme.README:\r\nHi Company,\r\nEvery byte on any types of your devices was encrypted.\r\nDon't try to use backups because it were encrypted too.\r\nTo get all your data back contact us:\r\nraingemaximo@protonmail.com\r\ngareth.mckie3l@protonmail.com\r\n--------------\r\nFAQ:\r\n1. Q: How can I make sure you don't fooling me?\r\n   A: You can send us 2 files(max 2mb).\r\n2. Q: What to do to get all data back?\r\n   A: Don't restart the computer, don't move files and write us.\r\n3. Q: What to tell my boss?\r\n   A: Protect Your System Amigo.\r\nMITRE ATT\u0026CK\r\nT1215 --\u003e Kernel Modules and Extensions --\u003e Persistence\r\nT1045 --\u003e Software Packing --\u003e Defense Evasion\r\nT1012 --\u003e Query Registry --\u003e Discovery\r\nT1114 --\u003e Email Collection --\u003e Collection\r\nIOCs\r\nMespinoza (pysa)\r\n1.exe (December 2019 sample) --\u003e SHA256: a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327\r\n SSDEEP: 12288:aVchT6oi+OeO+OeNhBBhhBBpiOTn5CjGGc4dXOsOjKf:aVc1Jiin5yGpMIj\r\nFile size: 504.50 KB\r\n1.bin (January 2020 sample, compiled 2020-01-18) --\u003e SHA256: e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead\r\nAssociated Files\r\nReadme.README\r\n%temp%\\update.bat\r\nE-Mail Addresses\r\naireyeric@protonmail[.]com\r\nellershaw.kiley@protonmail[.]com\r\nUsed in the January 2020 sample:\r\nraingemaximo@protonmail[.]com\r\ngareth.mckie3l@protonmail[.]com\r\nUsed in previous campaigns:\r\nmespinoza980@protonmail[.]com\r\nalanson_street8@protonmail[.]com\r\nlambchristoffer@protonmail[.]com\r\nRansomnote\r\nHi Company,\r\nEvery byte on any types of your devices was encrypted.\r\nDon't try to use backups because it were encrypted too.\r\nTo get all your data back contact us:\r\naireyeric@protonmail.com\r\nellershaw.kiley@protonmail.com\r\n--------------\r\nFAQ:\r\n1. Q: How can I make sure you don't fooling me?\r\n   A: You can send us 2 files(max 2mb).\r\n2. Q: What to do to get all data back?\r\n   A: Don't restart the computer, don't move files and write us.\r\n3. Q: What to tell my boss?\r\n   A: Protect Your System Amigo.\r\nSource: https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html"
	],
	"report_names": [
		"another-one-for-the-collection-mespinoza-pysa-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434796,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e75110cab95c89fdc4c0a559ff5a2c3d68e27d8.pdf",
		"text": "https://archive.orkl.eu/5e75110cab95c89fdc4c0a559ff5a2c3d68e27d8.txt",
		"img": "https://archive.orkl.eu/5e75110cab95c89fdc4c0a559ff5a2c3d68e27d8.jpg"
	}
}