Mespinoza is a prolific ransomware gang that has mostly gone under the radar amid attacks from better-known groups such as REvil, DarkSide and Ragnar Locker. The gang uses “whimsical terms” to name its hacking tools. It calls its victims “partners” and attacks with tools called “Gasket” and “MagicSocks,” while a file on its staging server is named “HappyEnd.bat.”

The increasing activity by the ransomware gang, also known as PYSA, has drawn the attention of the FBI. Mespinoza targets many industries, and the gang’s leak site offers data it claims belongs to 187 victim organizations.

The group is described as being extremely disciplined. After accessing a new network, the group studies systems in what the researchers believe is a triage to determine whether there’s enough valuable data to justify launching a full-scale attack. Mespinoza searches for terms including clandestine, fraud, SSN, driver’s license, passport and I-9, which suggests that the gang looks for high-impact data.

Recently, Mespinoza deployed ransomware by accessing a system via remote desktop and running a series of batch scripts that use PsExec, a Windows telnet-replacement tool, to copy and execute the ransomware on other systems on the network.
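Defenders can look for this fan-out in Windows System logs. The sketch below is an added example, not taken from the report: it flags an account that installs the PsExec service on several hosts within a short window. It assumes PsExec's default service name (PSEXESVC) and Service Control Manager event 7045; the record layout, host names, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PSX = r"%SystemRoot%\PSEXESVC.exe"

def _rec(time, host, service, image, user):
    # Simplified stand-in for a System log event 7045 ("A service was installed").
    return {"event_id": 7045, "time": time, "host": host,
            "service": service, "image": image, "user": user}

# Constructed sample data: one account pushes PsExec to four hosts in two minutes.
SAMPLE_EVENTS = [
    _rec("2021-07-14T09:00:00", "DC01", "PSEXESVC", PSX, "CORP\\it-admin"),
    _rec("2021-07-15T02:10:05", "WS01", "PSEXESVC", PSX, "CORP\\it-admin"),
    _rec("2021-07-15T02:10:40", "WS02", "PSEXESVC", PSX, "CORP\\it-admin"),
    _rec("2021-07-15T02:11:20", "WS03", "PSEXESVC", PSX, "CORP\\it-admin"),
    _rec("2021-07-15T02:12:02", "WS04", "PSEXESVC", PSX, "CORP\\it-admin"),
    _rec("2021-07-15T02:11:00", "WS09", "PSEXESVC", PSX, "CORP\\helpdesk"),
    _rec("2021-07-15T02:11:30", "WS02", "UpdaterSvc", r"C:\Tools\upd.exe", "CORP\\it-admin"),
]

def psexec_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {user: sorted hosts} for accounts that installed the PsExec
    service on at least min_hosts distinct hosts inside a sliding window."""
    installs = defaultdict(list)
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        # Matches PsExec defaults only (service name or service binary).
        name = ev.get("service", "").upper()
        image = ev.get("image", "").upper()
        if name == "PSEXESVC" or image.endswith("PSEXESVC.EXE"):
            installs[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    alerts = {}
    for user, hits in installs.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window until it spans no more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {host for _, host in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.setdefault(user, set()).update(hosts)
    return {user: sorted(hosts) for user, hosts in alerts.items()}

if __name__ == "__main__":
    print(psexec_fanout(SAMPLE_EVENTS))
```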

“Mespinoza attacks, such as those documented in this report, highlight multiple trends currently occurring amongst multiple ransomware threat actors and families that clearly enable their attacks and make them easy and simple to use in their attacks,” the report concludes.