HC3 TLP White: Analyst Note: Mespinoza/GoldBurlap/CYBORG SPIDER, January 6, 2022

Executive Summary

Mespinoza (also known as GOLD BURLAP and CYBORG SPIDER) is a cybercriminal group that operates PYSA ransomware, among other cyber weapons, and has been active since 2018. The group has a history of targeting many industries, including healthcare, and continues to develop its capabilities and increase its targeting frequency.

Report

Mespinoza (also known as GOLD BURLAP and CYBORG SPIDER) is a financially motivated cybercriminal group initially observed engaging in cyberattacks in October 2018. They developed and operated their own ransomware variant (PYSA), which, after undergoing several updates, began encrypting victim files with the .pysa extension in December 2019. They also regularly use a number of other tools, including ADRecon, Advanced Port Scanner, DNSGo RAT, Mimikatz, PEASS and PowerShell Empire. By the end of 2020, Intel471 considered them to be a “rising power”, and as of November 2021 they are known to have accumulated at least 190 global victims via ransomware attacks alone. PYSA is cross-platform ransomware, with versions developed in both C++ and Python.

Mespinoza operates a leak site called “Pysa’s Partners”, which it uses for “name and shame” tactics that put additional pressure on victims to pay ransoms. Mespinoza is not known to operate as ransomware as a service (RaaS). The top five countries targeted by PYSA are the US, UK, Canada, Spain, and Brazil. Figure 1 depicts their total global targeting, with the color corresponding to the number of victims in each country (scale at bottom):

View the detailed report below.