Ransomware prevents its victims from accessing its own files until they comply with the attackers’ demands, which is usually a monetary payment. The traditional method of accomplishing this task is to encrypt files with the promise of providing the victim with the decryption key once the ransom is paid. A new ransomware group called Memento Team is using a new approach to locking files after failing with previous attempts at ransomware. Its latest method involves the use of a customized freeware version of WinRAR and deletion of the original files.
Researchers from Sophos initially detected activity by Memento Team in October 2021 when it targeted VMware’s vCenter Server. The ransomware group used many tools and techniques, each of which had a specific purpose for each stage of the attack. They gained initial access to targeted networks by exploiting a flaw in vCenter Server’s web client.
The Common Vulnerabilities and Exposures (CVE) system is tracking this vulnerability as CVE-2021-21972. This CVE is a remote code execution vulnerability that allows attackers to access vCenter Server by executing remote commands through TCP/IP port 443. Once this phase was complete, the attackers sent a ransom note demanding a payment of 0.099 Bitcoin (BTC), or about $5,850, for each file decrypted. They also offered an alternative payment of 15.95 BTC, or about $940,000 to decrypt all of the files it had encrypted. Fortunately, the targeted organization was able to recover its data without paying a ransom, although Sophos declined to disclose the exact method it used.
Sophos researchers learned that this ransomware was only Memento’s latest attempt to exploit the vCenter vulnerability, which they had been trying to do since April. Their first attempt involved copying files and deleting the original data with a data wiping utility from Jetico called BCWipe. The next step was to use a Python-based ransomware strain to perform Advanced Encryption Standard (AES) encryption on the copied files. However, that attempt failed because the targeted systems were protected with an anti-ransomware solution that detected the ransomware and prevented it from encrypting or otherwise damaging the files.
The attackers performed reconnaissance on the target networks by using Windows Defender Metadata Monitor to execute scheduled tasks. They also used Remote Desktop Protocol (RDP) over Secure Shell (SSH) to laterally propagate the ransomware throughout the networks via Plink, which is a command-line interface (CLI) tool used for non-interactive sessions.
After the reconnaissance phase, attackers archived files with WinRAR, a popular utility for Windows operating systems. They used strong passwords for the archived files and deleted the original files. They also encrypted the passwords to further protect them against brute force methods of cracking the passwords.
Two other ransomware groups also exploited the same vulnerability in vCenter Server, allowing them to infect the compromised server with crypto miners. Sophos analysts report that they often observe this behavior, in which a vulnerability becomes public knowledge and is exploited by multiple groups before being patched. Cybercriminals are always searching the internet for new system vulnerabilities and don’t hesitate when they find one. Multiple attacks against an unpatched server illustrate the need for an organization to continuously check the security of its software, including that of managed service providers and contractors.
Memento is using new methods to conduct ransomware attacks, which have been able to avoid detection by existing anti-ransomware solutions. However, some victims have been able to mitigate the damage caused by these latest attacks by restoring the deleted data from backups. This solution illustrates the value of performing regular backups in defeating ransomware attacks.