A ransomware group takes pains to make sure the juice is worth the squeeze, searching victims’ systems for their most sensitive files and data to up the chances that a victim pays up.

Palo Alto Networks’ Unit 42 research team said the group, called Mespinoza, is disciplined but “cocky,” likes to use cheeky or clever names for its malware and utilizes two tools that are designed to create backdoors and persist within a victim network.

Like many ransomware groups these days, Mespinoza both encrypts and exfiltrates victim data, a technique known as double extortion. They also use automated scripts to search victim systems for keywords like “passport,” “I-9,” “ssn” and others that indicate they’re looking to immediately identify a company’s most sensitive files to compromise. Such tactics have been noted by other threat intelligence firms in the past as a sign of the increased efficiency and professionalization of ransomware operations.

Jen Miller-Osborne, deputy director of threat intelligence at Palo Alto’s Unit 42 research team, told SC Media in an interview that the group displays an interesting mix of professional operations and “arrogant” personality traits, leaving ransom notes with mocking suggestions for how a victim should break news of their infection to their bosses and using “tongue-in-cheek” names for tools.

“You don’t see that kind of tone with many other groups, especially when they’re clearly organized and doing this as a business model, because they have a very organized ticketing system for them,” said Miller-Osborne. “It’s an interesting mix of that business mentality and making money with a juvenile sort of humor and approach.”

They have hit at least 187 organizations over the last year, with the majority of victims (55%) located in the United States. An analysis indicates that education was the most targeted vertical, with over 30 organizations in the sector showing up on the group’s leak site, followed by manufacturing, retail and medical, all of which saw between 15-20 organizations hit. In March, the FBI released an advisory about the ransomware (which is also called “Pysa”) saying they have observed “a recent increase in PYSA ransomware targeting education institutions in 12 U.S. states and the United Kingdom,” and that they have specifically targeted K-12 schools, higher education institutions and seminaries.

While tracking companies on leak sites can provide useful insight, those figures presumably wouldn’t include many organizations that decided to quietly pay the ransom and thus didn’t require a public threat to post their data online. Miller-Osborne said incident responses and public reporting indicate that the group’s highest ransom demand was $1.6 million, while the highest recorded payment was around $440,000.

The group often uses Remote Desktop Protocol to gain initial access and uses two different pieces of malware -- which they call Gasket and MagicSocks -- to maintain persistence within a victim network.

Gasket, written in the Go programming language, is used to create a backdoor before deploying the ransomware payload and uses another open-source tool called Gobfuscate to evade detection. Unit 42 thinks this is done to create a fallback option in the event the actors lose their initial RDP access at any time.

In the code for Gasket is a reference to another tool, MagicSocks, which uses the open-source Chisel and lets the actor reroute traffic from inside a victim’s network to an external Chisel server.

“We’re not entirely clear on necessarily why [Mespinoza are doing this], it could be potentially that maybe they want to come back and hit [the same organization] again, if…they aren’t able to clean up this system enough or in time,” said Miller-Osborne. “We have definitely seen that with some other ransomware groups where they will go back after the same targets that they’ve compromised in the past.”