# Another one for the collection - Mespinoza (Pysa) Ransomware

**[dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html](https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html)**

Sat 14 December 2019 in [Ransomware](https://dissectingmalwa.re/category/ransomware.html)

Back in October of 2019 the Mespinoza Ransomware family first surfaced via Malspam. On
the 14th of December it returned with a new extension .pysa so let's see if any changes have
been made.

Fun Fact: The Extension "pysa" is probably derived from the Zanzibari Coin with the same
name. Apparently it's quite popular with collectors. But enough of the pocket change, so let
me put my two cents in on this sample :D

**_A general disclaimer as always: downloading and running the samples linked below_**
**_will lead to the encryption of your personal data, so be f$cking careful. Also check_**
**_with your local laws as owning malware binaries/ sources might be illegal depending_**
**_on where you live._**

[Mespinoza (.pysa) @ AnyRun |](https://app.any.run/tasks/858e7e0f-59c5-4f58-b426-1cef39a05cbc/) [VirusTotal |](https://www.virustotal.com/gui/file/a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327/detection) [HybridAnalysis -->](https://www.hybrid-analysis.com/sample/a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327) `sha256`
```
a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327

```
As always: Running Detect it easy on the executable:


-----

One of the first things it will do is modify the
```
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Registry Key to set

```
the following values. Unfortunately I couldn't confirm this action in a sandbox with RegShot
yet.

To retain basic functions of the Operating System Mespinoza will spare certain directories
related directly to Windows and critical files.


-----

It will also specifically look for SQL related processes. I will have to confirm this with a
debugger, but most of the time database processes are killed by Ransomware to disrupt the
service and make the files available for encryption.

Of course Mespinoza won't stop with the system drive so it will check for connected
removable media or shared network drives. GetDriveTypeW will tell it which type of media
the selected device belongs to.


-----

Up until now I have not seen a ransomware sample running verclsid.exe, so let's investigate:
_{0B2C9183-C9FA-4C53-AE21-C900B0C39965} corresponds to_
C:\Windows\system32\SearchFolder.dll and {0C733A8A-2A1C-11CE-ADE5-00AA0044773D}
matches the CLSID of IDBProperties which is part of the Microsoft SQL Server.
```
C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I
{0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

```
After looking at a string dump I found this hex string which is probably the key blob. I'll try to
verify this with x32dbg later.
```
30820220300D06092A864886F70D01010105000382020D003082020802820201009CC3A0141B5488CD31B7

```
Turns out that the encrypted key is appended to the end of each file affected by the
ransomware (which is a common tactic for some strains).


-----

As this article is work in progress I will update it as soon as I can. As I did not see the
Malware deleting the Volume Shadow Copies until now, so one option for possible victims
[would be to run Photorec or](https://www.cgsecurity.org/wiki/PhotoRec) [Recuva to check for recoverable files.](https://www.ccleaner.com/recuva)

## Update 22.01.2020:

There's a new version of the Mespinoza / .pysa Variant compiled on the 18th of Jańuary:

[Mespinoza (.pysa) @ AnyRun -->](https://app.any.run/tasks/858e7e0f-59c5-4f58-b426-1cef39a05cbc/) ``sha256`
```
e9662b468135f758a9487a1be50159ef57f3050b753de2915763b4ed78839ead

```
In the screenshot below you can see a comparison of the old sample (1.exe) and the new
one (1.bin). Exept for a few minor changes the two samples are mostly identical:


-----

The public Key used by the criminals is still the same (converted from hex to raw, key blob
located in the binary):
```
MIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEA6dYN+TogNihncAJNXRhtUeyj7EQ/BIGbupIM
q5PRI3a1+HqMXEk5vdb3NhzFBUoVhY/jTEE71flTwHM73q9PrgovaYSl8HeXZaU+HkqjF7Ofu4Qf+SDk
oPxcubX4cFYV1r97z9vcFgFehzk+9CofEnHWEo2N656QGRXeO0PaJX/riiL672KHzMDNKzfZQnmpMHL+
KzeyJaaPVVz7V9qCCkjT+IT26xtG2jY5tggepfLQfB6ExxaoJ1j0GapQMIZ3k6F1AtBmfcNvyu3cW29a
bIOCsu1QRzfq6iSau2xx0ZaRz0l3vgU79PCLtsGw7BNPtKZdDL9dA879aKWlDBIizc3lg4IpHxdf5MOT
mpQR0kst3kyOieNlIjEAyewyRQ788o3qs8k9SS+89CD916AMEVqRcQH8ugBv5ocs0xAf+2bHe13ogIRc
iTz9ALTvtMSqhNptEBP/z+lIhuMTs2MrJRTaQLpVHUIlqAcQuLm8AHIYdGmBXEvUqPjRIo+L9Jb+P1XU
cXYHvOZUBV0VFSOoyQeqiBeaYS+PhCV6TmTRHsH/8XkPt/eGXm3Dk4feYNaZ5a9uQKYc9Akt6G0N+P8T
7zobyAWfQNqGFJhklh6JEAJw58XCJNdmETT68kfwtQ+XFB4caUHessaJ369lprAj4TjDUFfYkkm74ntG
4nVtL+sCARE===

```
The Ransomnote contents stayed the same, exept for the contact email addresses. Here are
the contents of Readme.README:


-----

```
Hi Company,
Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.
To get all your data back contact us:
raingemaximo@protonmail.com
gareth.mckie3l@protonmail.com
-------------FAQ:
1.
  Q: How can I make sure you don't fooling me?
  A: You can send us 2 files(max 2mb).
2.
  Q: What to do to get all data back?
  A: Don't restart the computer, don't move files and write us.
3.
  Q: What to tell my boss?
  A: Protect Your System Amigo.

## MITRE ATT&CK

```
_T1215 --> Kernel Modules and Extensions --> Persistence_

_T1045 --> Software Packing --> Defense Evasion_

_T1012 --> Query Registry --> Discovery_

_T1114 --> Email Collection --> Collection_

## IOCs

### Mespinoza (pysa)
```
1.exe --> SHA256: a18c85399cd1ec3f1ec85cd66ff2e97a0dcf7ccb17ecf697a5376da8eda4d327
     SSDEEP: 12288:aVchT6oi+OeO+OeNhBBhhBBpiOTn5CjGGc4dXOsOjKf:aVc1Jiin5yGpMIj
File size: 504.50 KB

 Associated Files
Readme.README
%temp%\update.bat

 E-Mail Addresses

```

-----

```
aireyeric@protonmail[.]com
ellershaw.kiley@protonmail[.]com
Used in previous campaigns:
mespinoza980@protonmail[.]com
alanson_street8@protonmail[.]com
lambchristoffer@protonmail[.]com

### Ransomnote
Hi Company,
Every byte on any types of your devices was encrypted.
Don't try to use backups because it were encrypted too.
To get all your data back contact us:
aireyeric@protonmail.com
ellershaw.kiley@protonmail.com
-------------FAQ:
1.
  Q: How can I make sure you don't fooling me?
  A: You can send us 2 files(max 2mb).
2.
  Q: What to do to get all data back?
  A: Don't restart the computer, don't move files and write us.
3.
  Q: What to tell my boss?
  A: Protect Your System Amigo.

```

-----