The HHS has issued an alert about ongoing Mespinoza ransomware attacks on healthcare systems. Pysa is a new variant of the Mespinoza ransomware family that is now well known.

U.S. healthcare on target

The HHS has previously claimed that Pysa was among the top ten ransomware threats for healthcare. 
  • The U.S. is one of the most targeted regions, with attacks observed across the utilities, education, and business services sectors. However, the attackers have mostly targeted the public health and healthcare sectors in the last two years.
  • The group is financially motivated and uses multiple tools such as Advanced Port Scanner, ADRecon, Mimikatz, PEASS, PowerShell Empire, and DNSGo RAT.
  • According to the findings, Mespinoza manages Pysa Partners’ data leak site that focuses on data extortion for ransom demands. 

Notable attacks on the sector

As of November 2021, Pysa had already targeted 190 victims, of which six were from the healthcare sector. 
  • The threat actor launched some of the largest attacks against healthcare targets, such as Piedmont Orthopedics/OrthoAtlanta, Assured Imaging, and Nonin Medical, during the pandemic.
  • One of the recent Pysa leaks included multiple zip files claiming to be stolen from Woodholme Gastroenterology Associates, Spartanburg & Pelham OB-GYN, and One Community Health.


Three weeks back, a research report revealed a rapid rise in the group's use of double extortion tactics. Besides healthcare, it has been eyeing the education sector. These sectors must understand the importance of a defense-in-depth strategy, vulnerability management programs, and the least-privilege principle for better protection of the network.

Cyware Publisher