Ransomware actors have found a cunning new way

Ransomware actors have found a cunning way to bypass your endpoint protection


Cybersecurity researchers have uncovered a new ransomware group, which after failing to directly encrypt their victim’s files, copied them into a password-protected archive, before encrypting the password, and deleting the original files.

Sharing insights into the threat actor, which identifies itself as “Memento Team,” Sean Gallagher from the Sophos MTR’s Rapid Response Team writes that the operators use a renamed freeware version of the legitimate file compression utility WinRAR

“This was a retooling by the ransomware actors, who initially attempted to encrypt files directly—but were stopped by endpoint protection. After failing on the first attempt, they changed tactics, and re-deployed,” notes Gallagher.
After encrypting the files, the gang demanded $1 million to restore the files, and as is common among ransomware operators, threatened to expose the victim’s data if they refused to pay the ransom.

Off the beaten track

The researchers believe the threat actors first broke into their victim’s network by exploiting a flaw in the VMware’s vCenter Server web client, sometime between April and May.

They then waited till October to deploy their ransomware. Interestingly, Sophos notes that while the Memento Team were pondering about their next move, at least two different intruders exploited the same vCenter vulnerability to drop cryptominers into the compromised server.

As for the Memento Team’s ransomware itself, Gallagher notes that it was written in Python 3.9 and compiled with PyInstaller. While they were unable to decompile it completely, the researchers were able to decode enough of the code to understand how it worked. 

Furthermore, the attackers also deployed an open source Python-based keylogger on several machines, as they moved laterally within the network with the help of Remote Desktop Protocol (RDP).

Sophos adds that the attackers’ ransom note takes inspiration from the one used by REvil, and asks the victims to get in touch via the Telegram messenger. All of it came to naught as the victim refused to engage with the threat actors and recovered most of their data thanks to backups

However, Sophos adds that the attack once again highlights the fact that threat actors are always looking to exploit any laxity shown by admins to patch their servers. 

“At the time of the initial compromise, the vCenter vulnerability had been public for nearly two months, and it remained exploitable up to the day the server was encrypted by the ransomware attackers,” notes Sophos, in its effort to impress upon the importance of applying security patches without delay.

Source (Mayank Sharma – 20 November 2021 – Microsoft)