ATTACKS BY THE RANSOMWARE MESPINOZA / PYSA
TLP: WHITE

Mespinoza / Pysa ransomware attacks

Contents
1 Background
2 Procedure
2.1 The Mespinoza / Pysa ransomware
2.1.1 Two different versions
2.1.2 Ransom note messages
2.1.3 A third version?
2.2 Tactics, Techniques and Procedures
2.2.1 Infection vector, reconnaissance and lateral movement
2.3 Stealth and persistence on the information system
2.4 Possible use of Empire
2.5 Comments
3 Recommendations

1 Background

The ANSSI was recently informed of computer attacks targeting, in particular, French local authorities. During these attacks, ransomware-type malware was used, rendering certain files unusable. The origin of these attacks is unknown to date, and analyses are currently underway.
However, ransomware attacks are generally carried out opportunistically, by actors with lucrative motives and against a wide range of entities. The purpose of this document is to describe the modus operandi used during these attacks and the associated indicators of compromise, then to provide recommendations to limit the impact of this type of incident.

2 Procedure

The compromise presented in this document affected interconnected information systems and appears to rely mainly on a variant of the ransomware publicly known under the name Mespinoza. The technical elements set out below are the result of ongoing analyses and are subject to change.

2.1 The Mespinoza / Pysa ransomware

The Mespinoza ransomware has been in use since October 2018 at least. Early versions produced encrypted files with the extension ".locked", which is common to many ransomware families. Since December 2019, a new version of Mespinoza has been documented in open sources, sometimes called Pysa because it produces encrypted files with the extension ".pysa".

2.1.1 Two different versions

The ransomware used in this attack appears to be a variant of Pysa. Two versions were discovered during the investigations:
• An executable file named "svchost.exe". This file was accompanied by several .bat scripts, including one responsible for copying the executable to the folder "C:\windows\temp" (which is not the standard location of the legitimate service host) and running it.
• A Python archive named "17535.pyz", containing the ransomware's Python source code. The encryption functionality relies on the Python libraries pyaes and rsa [T1486].
File name     SHA-256                                                            Size
svchost.exe   4770A0447EBC83A36E590DA8D01FF4A418D58221C1F44D21F433AAF18FAD5A99   504.5 KB
17535.pyz     6661B5D6C8692BD64D2922D7CE4641E5DE86D70F5D8D10AB82E831A5D7005ACB   279,590 bytes

The Python code contained in "17535.pyz" notably includes the RSA public key used for encryption, the ransom note message and a variable selecting the extension of the encrypted files. In particular, the hash of this file is likely to vary, as is its name, which appears to be chosen at random.

Several elements make it possible to associate these malicious codes with the Pysa family, starting with the ".pysa" extension of the encrypted files they produce, but also their ransom note messages.

2.1.2 Ransom note messages

The two malicious codes described above create a ransom note, in the form of a pop-up window in the first case and of a file named "RECOVER_YOUR_DATA.txt" in the second case.

These ransom notes are written in rough English. Although different, they contain identical strings such as "To get all your data back contact us:". One of the two also offers the victim the free decryption of two files as a show of good faith. Both characteristics were also present in earlier versions of the Pysa ransomware.

Finally, the ransom notes contain two PROTONMAIL email addresses, which appear to be built from proper names chosen at random. Note that the two ransom notes contain the same addresses. In addition, similar email addresses were used in earlier versions of Pysa.

2.1.3 A third version?

On one of the compromised information systems, encrypted files with the extension ".newversion" were discovered. The code responsible for creating these files has not yet been identified. However, a ransom note named "Readme.READ" is present and contains the same PROTONMAIL email addresses as previously.
It is therefore likely that all these attacks are the work of the same modus operandi. Since the Python source code of Pysa contains a variable selecting the extension of the encrypted files, it is also possible that the ".newversion" files were generated by another instance of Pysa.

2.2 Tactics, Techniques and Procedures

Several traces of activity linked to the modus operandi were observed on the compromised information system.

2.2.1 Infection vector, reconnaissance and lateral movement

The initial infection vector is unknown to date, but several events that occurred shortly before the attack could be linked to the modus operandi and may have allowed initial access or lateral movement:
• Brute-force connection attempts were observed against a monitoring console as well as against multiple ACTIVE DIRECTORY accounts [T1110]. In addition, some domain administrator accounts were actually compromised.
• The exfiltration of a password database took place shortly before the attack [T1081].
• Illegitimate RDP connections occurred between domain controllers from an unknown host name potentially related to the modus operandi [T1076].

The ".bat" scripts used by the modus operandi reveal heavy use of the remote administration tool PsExec [T1035], as well as of the POWERSHELL scripting language [T1086].

2.3 Stealth and persistence on the information system

One of the above-mentioned ".bat" scripts is responsible for executing on the network's machines a POWERSHELL script named "p.ps1". This script has several features, including:
• Stopping antivirus services and various other services and processes, as well as uninstalling WINDOWS DEFENDER [T1089].
• Deleting restore points and Shadow Copies [T1490].
• Modifying README files to facilitate opening by double-clicking.
• Sending a UDP datagram containing the machine's MAC address to port 7.
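As an added example (not code from the advisory, nor the content of the attackers' script), the following Python detector runs over constructed Sysmon-style process-creation and network-connection events and flags three of the p.ps1 behaviours listed above: a security service being stopped or Windows Defender removed, shadow copies or restore points being deleted, and a UDP datagram sent to port 7. Because the advisory does not reproduce the script, the command forms matched by the rules are assumptions about how those actions are commonly performed; the host names, paths and addresses in the sample events are constructed.

```python
import re

# Constructed sample telemetry in a flattened Sysmon-like key=value form
# (EventID 1 = process creation, EventID 3 = network connection). These lines
# are made up for the example; they are not events from the advisory's incident.
SAMPLE_EVENTS = [
    'EventID=1 Host=WS-017 Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="powershell.exe -ExecutionPolicy Bypass -File C:\\Windows\\Temp\\p.ps1"',
    'EventID=1 Host=WS-017 Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=1 Host=WS-017 Image="C:\\Windows\\System32\\sc.exe" '
    'CommandLine="sc stop WinDefend"',
    'EventID=3 Host=WS-017 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'Protocol=udp DestinationIp=10.20.30.40 DestinationPort=7',
    'EventID=1 Host=WS-018 Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe C:\\Users\\alice\\notes.txt"',
    'EventID=3 Host=WS-018 Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
    'Protocol=tcp DestinationIp=203.0.113.10 DestinationPort=443',
]

# Matches key=value pairs; values may be double-quoted to carry spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Process-creation rules. The command forms are assumptions about how the
# actions the advisory attributes to p.ps1 are commonly carried out.
PROCESS_RULES = [
    ("T1490 recovery inhibited: shadow copies / restore points deleted",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"
                r"|vssadmin(?:\.exe)?\s+resize\s+shadowstorage"
                r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
                r"|Disable-ComputerRestore", re.I)),
    ("T1089 defenses impaired: security service stopped or Defender removed",
     re.compile(r"(?:sc(?:\.exe)?\s+stop|net(?:\.exe)?\s+stop|Stop-Service)\s+.*?"
                r"(?:WinDefend|MsMpSvc|Sense|SecurityHealthService)"
                r"|Uninstall-WindowsFeature\s+.*Windows-Defender"
                r"|Set-MpPreference\s+.*-Disable", re.I)),
    ("p.ps1 launched from a temporary directory",
     re.compile(r"\\Temp\\p\.ps1\b", re.I)),
]

def parse_event(line):
    """Turn one flattened event line into a dict of field name -> value."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}

def scan_events(lines):
    """Apply the rules to each event; return one finding dict per rule hit."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        if ev.get("EventID") == "1":
            cmd = ev.get("CommandLine", "")
            for name, pattern in PROCESS_RULES:
                if pattern.search(cmd):
                    findings.append({"host": host, "rule": name, "evidence": cmd})
        elif ev.get("EventID") == "3":
            # The advisory reports p.ps1 sending a UDP datagram (MAC address) to port 7.
            if ev.get("Protocol", "").lower() == "udp" and ev.get("DestinationPort") == "7":
                findings.append({
                    "host": host,
                    "rule": "UDP datagram to port 7 (p.ps1 beacon)",
                    "evidence": f'{ev.get("Image", "?")} -> {ev.get("DestinationIp", "?")}:7',
                })
    return findings

def hosts_to_isolate(findings, minimum=2):
    """Hosts on which at least `minimum` distinct rules fired. Defense
    impairment, recovery inhibition and the port-7 datagram together are the
    pre-encryption staging the advisory describes, so such a host warrants an
    isolation decision rather than single-alert triage."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f["host"], set()).add(f["rule"])
    return {host for host, rules in rules_by_host.items() if len(rules) >= minimum}

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for f in hits:
        print(f'{f["host"]}: {f["rule"]} <- {f["evidence"]}')
    print("hosts to isolate:", sorted(hosts_to_isolate(hits)))
```

Correlating the rules per host, rather than alerting on each one, is the point: a single "sc stop" is routine noise, but a host on which defenses are impaired, recovery is inhibited and the port-7 datagram goes out within the same window is in the staging phase that precedes encryption, and that is the moment at which isolation still prevents loss.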
This script appears to serve both to improve the stealth of the modus operandi and to prepare the execution of the ransomware. The last feature suggests that an attacker-operated program could be listening on port 7. However, no such program has been discovered so far.

The modus operandi also appears to have used its own copy of the powershell.exe binary, renamed "EnNoB-1229.exe". This file name may be generated randomly.

2.4 Possible use of Empire

Several agents of the Empire post-exploitation tool were discovered on the domain controllers of the compromised information systems. Although no technical link has been established with the use of the Pysa ransomware, it is likely that these malicious codes were used by the same modus operandi.

2.5 Comments

The modus operandi observed in this attack seems consistent with an opportunistic actor motivated by financial gain. The tactics, techniques and procedures used are conventional and have not so far shown any particularly advanced techniques.

The modus operandi performed some actions to avoid detection by security solutions, in particular by deactivating some of them. However, these actions were intended more to allow the execution of the ransomware than to erase traces, as evidenced by the presence of the ransomware's Python code on one of the machines.

The Pysa ransomware relies on public Python libraries and its specific code is very short. However, no flaw was found in the implementation of the encryption, and the algorithms used are state of the art. The modus operandi also used post-exploitation tools available in open source. These elements are consistent with the profile of an opportunistic actor using resources suited to its objective.

3 Recommendations

The indicators of compromise set out in the previous section can be blocked and searched for on an information system in order to prevent or detect a similar attack.
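As an added example of searching for those indicators (not the advisory's own tooling), the following Python scanner walks a directory tree and flags files matching the indicators given in section 2.1: the two SHA-256 hashes, an svchost.exe outside its legitimate location (the advisory observed C:\windows\temp; treating any location other than System32/SysWOW64 as suspect is a generalisation), .pyz archives (the advisory notes that 17535.pyz's name and hash vary), the ".pysa" and ".newversion" extensions, the ransom note file names and the shared string "To get all your data back contact us:". The directory layout and file contents it builds for the demonstration are constructed placeholders; the hash path is exercised by adding the placeholder's own hash to the set.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory: file names, SHA-256 hashes, encrypted
# file extensions, ransom note file names and the ransom note string shared
# by both versions. ".locked" is left out because it is common to many
# ransomware families and would produce noise.
KNOWN_HASHES = {
    "4770a0447ebc83a36e590da8d01ff4a418d58221c1f44d21f433aaf18fad5a99",  # svchost.exe (504.5 KB)
    "6661b5d6c8692bd64d2922d7ce4641e5de86d70f5d8d10ab82e831a5d7005acb",  # 17535.pyz
}
ENCRYPTED_EXTENSIONS = {".pysa", ".newversion"}
RANSOM_NOTE_NAMES = {"recover_your_data.txt", "readme.read"}
RANSOM_NOTE_STRING = b"To get all your data back contact us:"
LEGITIMATE_SVCHOST_DIRS = {"system32", "syswow64"}
MAX_NOTE_SIZE = 64 * 1024  # ransom notes are small; do not read large files for the string

def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def classify(path, known_hashes=KNOWN_HASHES):
    """Return the indicator categories a single file matches (empty if none)."""
    hits = []
    name, suffix = path.name.lower(), path.suffix.lower()
    # The advisory's svchost.exe was dropped in C:\windows\temp; any svchost.exe
    # outside System32/SysWOW64 is treated as suspect (a generalisation of that).
    if name == "svchost.exe" and path.parent.name.lower() not in LEGITIMATE_SVCHOST_DIRS:
        hits.append("svchost.exe outside System32/SysWOW64")
    if suffix == ".pyz":
        hits.append("Python archive (.pyz), like 17535.pyz")  # its name and hash vary
    if suffix in ENCRYPTED_EXTENSIONS:
        hits.append(f"encrypted file extension {suffix}")
    if name in RANSOM_NOTE_NAMES:
        hits.append("ransom note file name")
    if suffix in {".txt", ".read"}:
        try:
            if path.stat().st_size <= MAX_NOTE_SIZE and RANSOM_NOTE_STRING in path.read_bytes():
                hits.append("ransom note string")
        except OSError:
            pass
    if sha256_of(path) in known_hashes:
        hits.append("known SHA-256")
    return hits

def scan_tree(root, known_hashes=KNOWN_HASHES):
    """Walk `root`; return {posix path relative to root: [categories]} for matching files."""
    root = Path(root)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            hits = classify(p, known_hashes)
            if hits:
                findings[p.relative_to(root).as_posix()] = hits
    return findings

def build_sample_tree(root):
    """Create a constructed directory layout mimicking the advisory's findings.
    All contents are placeholders, not the real files."""
    root = Path(root)
    docs = root / "Users" / "alice" / "Documents"
    for d in (root / "Windows" / "Temp", root / "Windows" / "System32", docs):
        d.mkdir(parents=True)
    (root / "Windows" / "Temp" / "svchost.exe").write_bytes(b"placeholder, not malware")
    (root / "Windows" / "System32" / "svchost.exe").write_bytes(b"placeholder, legitimate location")
    (root / "Windows" / "Temp" / "17535.pyz").write_bytes(b"placeholder python archive")
    (docs / "budget.xlsx.pysa").write_bytes(b"\x00" * 32)
    (docs / "report.docx.newversion").write_bytes(b"\x00" * 32)
    (docs / "RECOVER_YOUR_DATA.txt").write_bytes(
        b"Hi Company,\nTo get all your data back contact us:\n<placeholder address>\n")
    (docs / "notes.txt").write_bytes(b"nothing of interest")
    return root

def run_demo():
    """Build the constructed tree in a temporary directory and scan it twice:
    with the advisory's hashes only, then with the placeholder .pyz's own hash
    added, to show the hash path firing as it would on the real sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        with_page_hashes = scan_tree(root)
        extended = KNOWN_HASHES | {sha256_of(root / "Windows" / "Temp" / "17535.pyz")}
        return with_page_hashes, scan_tree(root, extended)

if __name__ == "__main__":
    baseline, _ = run_demo()
    for rel, hits in sorted(baseline.items()):
        print(f"{rel}: {', '.join(hits)}")
```

Hash matching alone is weak against this family, since the advisory notes the .pyz name and hash vary between instances, which is why the scanner layers name, location, extension and note-content indicators over it. On a real fleet the same logic would be pointed at mounted disk images or run by endpoint tooling rather than at a temporary directory.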
More generally, in the context of a ransomware attack, and in order to prevent the complete compromise of the information system, the following conventional hygiene and security measures apply and may be carried out in parallel:

• M1. Back up critical data: business databases, network file shares, Exchange databases (note: an online-only redundancy architecture without backups is not enough against ransomware that stops the Exchange-related services and encrypts all their databases at the same time), Active Directory forests, etc. These backups must be periodically exported to a medium that is inaccessible from the network, and their restoration must be tested periodically to ensure that they can be used in an emergency. This measure is the only guarantee of data protection against ransomware that encrypts data online through network propagation.

• M2. Conduct update campaigns, starting with remotely exploitable vulnerabilities (RCE). If a software inventory of the fleet is not available, give priority to generic operating system updates: MS08-067, MS14-068, MS17-010 ("EternalBlue", used by the WannaCry ransomware), CVE-2019-0708 ("BlueKeep"), etc. Domain controllers and other critical servers must be updated as soon as security updates with cumulative security fixes (Monthly Rollup) are released;

• M3. Restrict, by network filtering, access to the most critical network ports on workstations (in particular 135, 139, 445, 3389, 5585, etc.) to clearly identified administration workstations only, for example using the Windows built-in firewall. Workstations must not expose any application services and have no reason to communicate with each other. The same principle applies to the surface exposed by application servers and between the majority of servers. Network flows should only be opened on a "white list" principle, documenting the business need to which each opened flow responds.
If such an inventory does not already exist, it can be started now by passive network listening (solutions providing NetFlow logs or equivalent, or a simple firewall rule in "audit" mode);

• M4. Migrate to secure remote assistance and administration tools that protect the administrator's credentials from the system being administered (which VNC does not guarantee by default). For example, Microsoft Remote Assistance is integrated into Windows for interactive user assistance. For remote administration needs:
  - If an interactive session is not necessary, favour the use of the Microsoft Management Consoles (MMC) integrated into Windows or installable by PowerShell command (1).
  - If an interactive session is necessary, use a local administrator account of the machine. One local administrator account should be enabled at all times on each machine, and this account should have different credentials on each machine (otherwise, compromising one machine allows their replay on all the others). For example, the LAPS solution (Local Administrator Password Solution (2)) published by Microsoft makes it possible to meet these objectives, provided that access rights to the local administrator passwords respect the principle of least privilege.

• M5. Use dedicated and nominative Active Directory (AD) administrator accounts to guarantee their traceability;

• M6. Minimise as much as possible the service accounts and user accounts that are members of the Active Directory administration groups ("Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins", "DNS Admins", "Account Operators", "Server Operators", "Backup Operators" and "Print Operators"). If an access right is necessary, grant it by delegation through access control lists and never by adding the account to one of the privileged groups.
Once all delegations are in place, AD administrator accounts should only be needed in exceptional cases (see the tiered administration model (3));

• M7. Assign to the built-in administrator account (RID 500) a complex password, stored in a sealed paper envelope and used only in emergencies or as a last resort;

• M8. Use Active Directory administration accounts only from dedicated workstations without office use (browsing, e-mail, etc.) and without Internet access. These workstations must have a local firewall blocking all incoming traffic, without exception, and must be the only systems from which the administration accounts are used;

• M9. Ensure the archiving of the fleet's event logs (Windows event logs, syslogs of network and Unix equipment, etc.) in a log sink providing a retention of at least several months, accessible only to the administrators who need it. These logs will be necessary to fully carry out incident response and remediation actions in the event of a compromise. Given their volume, it may be useful to separate the domain controllers' authentication logs from the logs of the other fleet systems.

(1) Get-WindowsCapability -Name '*RSAT*' -Online | Add-WindowsCapability -Online
(2) https://support.microsoft.com/en-us/help/3062591/microsoft-security-advisory-local-administrator-password-solution-laps
(3) https://docs.microsoft.com/fr-fr/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material

Open licence (Étalab - v2.0)
NATIONAL AGENCY FOR THE SECURITY OF INFORMATION SYSTEMS
ANSSI - 51 boulevard de la Tour-Maubourg, 75700 PARIS 07 SP
www.cert.ssi.gouv.fr / cert-fr.cossi@ssi.gouv.fr
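As an added example for measure M3 and its inventory step (not tooling from the advisory or from the ANSSI), the following Python audit reads a constructed NetFlow-style export of the kind passive listening produces and reports the flows on the critical ports M3 lists that violate the measure: a workstation reached from anything other than an identified administration workstation, or a server reached without an entry in the documented "white list". The addressing plan, the administration workstations and the allow-list entries are assumed values for the demonstration; the port list is the one printed in M3.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Ports M3 asks to restrict on workstations, as listed in the advisory.
CRITICAL_PORTS = {135, 139, 445, 3389, 5585}

# Constructed inventory (assumed addressing, not from the advisory).
WORKSTATION_NETS = [ip_network("10.10.0.0/16")]
SERVER_NETS = [ip_network("10.20.0.0/16")]
ADMIN_WORKSTATIONS = {ip_address("10.10.250.5"), ip_address("10.10.250.6")}

# The documented "white list": (source network, destination network, port),
# each entry standing for a written business justification.
ALLOWLIST = [
    (ip_network("10.10.0.0/16"), ip_network("10.20.1.0/24"), 445),    # file servers
    (ip_network("10.10.0.0/16"), ip_network("10.20.2.10/32"), 3389),  # RDS gateway
]

# Constructed NetFlow-style export (what passive listening in M3 would yield).
SAMPLE_FLOWS = """src,dst,dport,proto,bytes
10.10.3.14,10.20.1.7,445,tcp,182034
10.10.3.14,10.10.3.15,445,tcp,8192
10.10.3.14,10.10.3.15,3389,tcp,450112
10.10.250.5,10.10.3.14,3389,tcp,1200000
10.10.3.20,10.20.2.10,3389,tcp,90000
10.10.3.20,10.20.5.5,135,tcp,3000
10.10.3.20,203.0.113.9,443,tcp,50000
"""

def in_any(ip, nets):
    """True if `ip` belongs to one of the networks in `nets`."""
    return any(ip in net for net in nets)

def documented(src, dst, port):
    """True if the flow is covered by an allow-list entry."""
    return any(src in s and dst in d and port == p for s, d, p in ALLOWLIST)

def audit_flows(csv_text):
    """Return the flows on critical ports that M3 says should not exist or are undocumented."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst, port = ip_address(row["src"]), ip_address(row["dst"]), int(row["dport"])
        if port not in CRITICAL_PORTS:
            continue
        record = {"src": str(src), "dst": str(dst), "port": port}
        if in_any(dst, WORKSTATION_NETS) and src not in ADMIN_WORKSTATIONS:
            # Workstations have no reason to talk to each other on these ports.
            record["reason"] = "workstation reached on a critical port from a non-admin host"
        elif in_any(dst, SERVER_NETS) and not documented(src, dst, port):
            # Server exposure must be justified by a white-list entry.
            record["reason"] = "server reached on a critical port without a documented flow"
        else:
            continue
        findings.append(record)
    return findings

def allowlist_candidates(findings):
    """Undocumented server flows to present to the business for justification
    (or to block), which is the inventory M3 asks to build before filtering."""
    return sorted({(f["src"], f["dst"], f["port"]) for f in findings
                   if f["reason"].startswith("server")})

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f'{f["src"]} -> {f["dst"]}:{f["port"]}  {f["reason"]}')
    print("to document or block:", allowlist_candidates(audit_flows(SAMPLE_FLOWS)))
```

Run repeatedly against the audit-mode logs, the second list shrinks as flows are either justified (and added to the allow-list) or blocked; once it is empty, the firewall rules can be switched from audit to enforcement with a documented need behind every opening, which is the end state M3 describes.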