Friday, 29 May 2020 07:57

Mespinoza ransomware appears to have hit MyBudget

By Sam Varghese

The ransomware that hit Australian money management firm MyBudget appears to be Mespinoza/Pysa, with the people behind the incident warning that documents from the company would soon be put up on its website, security sources have told iTWire.

The company confirmed this afternoon that it had been hit by Mespinoza. The fact that no documents have yet been put up could mean that negotiations with the company over payment of the ransom are still under way, or it could be down to any one of a number of other reasons.

MyBudget has made no statement on its website since its last update, on Friday last week, about the 13-day outage it suffered.

France's Computer Emergency Response Team (CERT-FR) issued a warning about Mespinoza in March, saying the malware appended the extension .locked to files on a Windows system after encrypting them.

In an April advisory, the agency said a new version of Mespinoza had appeared in December last year, the malware itself having first been spotted in October 2018. The new version uses the .pysa extension for encrypted files.

"The executable version of the ransomware drops and executes a script named « update.bat » whose purpose is to delete it after execution," the French advisory reads.

"Several system artefacts are generated by the ransomware. First, the malicious code creates a Mutex named « Pysa ». Then, it modifies the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System [T1112] to add the following entries: legalnoticetext = [Ransom demand message] and legalnoticecaption = PYSA."

"Finally, the encryption routine contains a list of targeted file extensions for encryption, as well as a list of strings identifying the critical files that should be spared (for instance, ':\Windows\'). The files created by the encryption routine carry the .pysa extension."

The advisory said the French researchers had noticed a third variant of Mespinoza that used the .newversion extension for encrypted files.
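The host artefacts the French advisory lists (the legalnoticecaption/legalnoticetext values under Policies\System, the self-deleting update.bat, and the .locked, .pysa and .newversion extensions across the three variants) are the kind of indicators an incident responder checks first when triaging a suspected Pysa host. The following is an added example written for this article, not code from iTWire, CERT-FR or MyBudget. It runs offline over two constructed inputs: a text export of the Policies\System key as `reg export` would produce it, and a list of file paths from a triaged host. The ransom text in the sample is a constructed placeholder, not the real note; a real hunt would feed the function an actual export and a filesystem walk.

```python
"""Triage check for the Mespinoza/Pysa host artefacts named in the CERT-FR advisory.

Added example; not code from the article, the advisory or any of the parties named.
"""
import re
from collections import Counter

# Key and values the advisory says the ransomware modifies (MITRE ATT&CK T1112).
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
NOTICE_CAPTION = "PYSA"
# Extensions used by the three variants named in the advisory.
RANSOM_EXTENSIONS = {".locked", ".pysa", ".newversion"}
# Name of the self-deleting script the executable variant drops. Weak on its own:
# plenty of legitimate software ships an update.bat, so it only raises the score.
DROPPER_NAME = "update.bat"

# Constructed sample: `reg export HKLM\...\Policies\System` output after infection.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000001
"legalnoticecaption"="PYSA"
"legalnoticetext"="[constructed placeholder for the ransom demand message]"
"""

# Constructed sample: a few paths from a triaged host.
SAMPLE_PATHS = [
    r"C:\Users\finance\Documents\budget.xlsx.pysa",
    r"C:\Windows\System32\kernel32.dll",
    r"D:\shares\hr\payroll.docx.pysa",
    r"D:\shares\hr\notes.txt.locked",
    r"C:\Users\finance\Desktop\update.bat",
]


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
            if m:
                name, s, dw = m.groups()
                if s is not None:
                    s = s.replace('\\"', '"').replace("\\\\", "\\")  # undo .reg escaping
                keys[current][name.lower()] = s if s is not None else int(dw, 16)
    return keys


def check_registry(keys):
    """Return findings for the legal-notice values the advisory attributes to Pysa."""
    findings = []
    for path, values in keys.items():
        if not path.upper().endswith(POLICY_KEY.upper()):
            continue
        caption = values.get("legalnoticecaption")
        if isinstance(caption, str) and caption.strip().upper() == NOTICE_CAPTION:
            findings.append(f"legalnoticecaption={caption!r} under {path}")
        text = values.get("legalnoticetext")
        if isinstance(text, str) and text:
            findings.append(f"legalnoticetext set ({len(text)} chars) under {path}")
    return findings


def check_paths(paths):
    """Count files per ransom extension and collect any dropper-named scripts."""
    counts, dropper = Counter(), []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RANSOM_EXTENSIONS:
            counts[ext] += 1
        if name.lower() == DROPPER_NAME:
            dropper.append(p)
    return counts, dropper


def triage(reg_export, paths):
    """Combine the checks: 'pysa' on a registry caption match, 'suspect' on extensions alone, else 'clean'."""
    reg_findings = check_registry(parse_reg_export(reg_export))
    counts, dropper = check_paths(paths)
    verdict = "clean"
    if any(f.startswith("legalnoticecaption") for f in reg_findings):
        verdict = "pysa"
    elif counts:
        verdict = "suspect"
    return {"verdict": verdict, "registry": reg_findings,
            "extensions": dict(counts), "dropper": dropper}


if __name__ == "__main__":
    print(triage(SAMPLE_REG_EXPORT, SAMPLE_PATHS))
```

The registry caption is treated as the strong signal because the advisory ties the literal value PYSA to this family, whereas a .locked extension is shared with several unrelated ransomware families and is only enough to mark a host as suspect for further review.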

iTWire has contacted MyBudget using a Web form on the company's website. Apart from that, the only other means of contact provided is a 1300 number.

A MyBudget spokesperson responded this afternoon: "As previously reported, MyBudget was recently the target of ransomware by an unknown third party.

"We can confirm that we believe the group responsible is the same group behind other Pysa/Mespinoza malware incidents.

"The investigations are ongoing, and at present, there is no credible evidence that significant data was accessed or will be misused.

"We continue to focus on what matters, our clients and employees, and are meaningfully and accurately communicating to them as appropriate."

Contacted for comment, ransomware researcher Brett Callow, who works for New Zealand-headquartered Emsisoft, said: "So many ransomware groups now steal data that incidents should be treated as breaches from the get-go and clients and business partners notified accordingly.

"This is important to ensure that the people whose data may have been exposed do not themselves become victims of crime.

"It can take several weeks for a company to work out what happened during an incident and whether data was taken, but it takes much less time for a criminal to use stolen information to open a credit card in somebody else's name.

"If people know what's happened, they take action to prevent this from happening."

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
