From c566c89f2a55e4d2b5e4c9755b12c103d8978e51 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Fri, 27 Mar 2020 14:22:34 +0100
Subject: [PATCH] add pyza ransomware
---
 clusters/ransomware.json | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index c2dcb57..0805fe8 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -13752,7 +13752,25 @@
 ],
 "uuid": "42148074-196b-4f8c-b149-12163fc385fa",
 "value": "Wadhrama"
+ },
+ {
+ "description": "Mespinoza ransomware is used at least since october 2018. First versions used the common extension \".locked\". SInce december 2019 a new version in open sourced and documented, this new version uses the \".pyza\" extension.",
+ "meta": {
+ "extensions": [
+ ".pyza",
+ ".locked"
+ ],
+ "refs": [
+ "https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/",
+ "https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-002.pdf"
+ ],
+ "synonyms": [
+ "Pyza"
+ ]
+ },
+ "uuid": "deed3c10-93b6-41b9-b150-f4dd1b665d87",
+ "value": "Mespinoza"
 }
 ],
- "version": 83
+ "version": 84
 }
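Review bot: The spelling `.pyza` in `extensions` (and `Pyza` in `synonyms` and the description) should be checked against the two CERT-FR documents listed in `refs`, because public reporting on this family, as far as I know, writes the name Pysa with the extension `.pysa`. If the cited report uses that spelling, analysts searching the galaxy by synonym and tooling that matches encrypted-file extensions against this list would not find the cluster. The `description` text also needs a wording pass before merge: `SInce` is a typo and `a new version in open sourced and documented` does not parse, so it is unclear whether the version itself or the reporting about it is meant.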