Cybersecurity (opens in new tab) researchers have uncovered a new ransomware (opens in new tab) group, which after failing to directly encrypt (opens in new tab) their victim’s files, copied them into a password-protected archive, before encrypting the password, and deleting the original files.
Sharing insights into the threat actor, which identifies itself as “Memento Team,” Sean Gallagher from the Sophos MTR’s Rapid Response Team writes that the operators use a renamed freeware version of the legitimate file compression (opens in new tab) utility WinRAR (opens in new tab).
“This was a retooling by the ransomware actors, who initially attempted to encrypt files directly—but were stopped by endpoint protection (opens in new tab). After failing on the first attempt, they changed tactics, and re-deployed,” notes (opens in new tab) Gallagher.
After encrypting the files, the gang demanded $1 million to restore the files, and as is common among ransomware operators, threatened to expose the victim’s data if they refused to pay the ransom.
Off the beaten track
The researchers believe the threat actors first broke into their victim’s network by exploiting a flaw in the VMware’s vCenter Server web client (opens in new tab), sometime between April and May.
They then waited till October to deploy their ransomware. Interestingly, Sophos notes that while the Memento Team were pondering about their next move, at least two different intruders exploited the same vCenter vulnerability to drop cryptominers (opens in new tab) into the compromised server.
As for the Memento Team’s ransomware itself, Gallagher notes that it was written in Python (opens in new tab) 3.9 and compiled with PyInstaller (opens in new tab). While they were unable to decompile it completely, the researchers were able to decode enough of the code to understand how it worked.
Furthermore, the attackers also deployed an open source (opens in new tab) Python-based keylogger (opens in new tab) on several machines, as they moved laterally within the network with the help of Remote Desktop (opens in new tab) Protocol (RDP).
Sophos adds that the attackers’ ransom note takes inspiration from the one used by REvil, and asks the victims to get in touch via the Telegram messenger. All of it came to naught as the victim refused to engage with the threat actors and recovered most of their data thanks to backups (opens in new tab).
However, Sophos adds that the attack once again highlights the fact that threat actors are always looking to exploit any laxity shown by admins to patch (opens in new tab) their servers.
“At the time of the initial compromise, the vCenter vulnerability had been public for nearly two months, and it remained exploitable up to the day the server was encrypted by the ransomware attackers,” notes Sophos, in its effort to impress upon the importance of applying security patches without delay.
Ensure your systems remain secure and updated using one of these best patch management tools (opens in new tab)
