Sophos researchers discovered the Memento ransomware in October, which uses an unusual method to prevent victims from accessing their files. The ransomware uses a renamed freeware version of the legitimate file utility WinRAR to copy files into password-protected WinRAR archives. The Memento ransomware then encrypts the password and deletes the victim’s original files.
The “Memento” attack also had some unexpected twists. The ransomware is a Python 3.9 script that was compiled with PyInstaller. In a ransom note that largely mimics REvil’s format (including the “[-] What’s Happen [-]” introduction), the ransomware’s authors instructed victims to contact them through a Telegram account. As they moved laterally within the network using Remote Desktop Protocol, the attackers also installed an open-source Python-based keylogger on several machines.
Among the files then extracted from the RAR archive were:
• pl.exe—a copy of the Plink SSH tunneling tool, allowing them to gain an interactive console connection with the compromised server.
• nm.exe—NMAP, the network scanning tool.
• Npcap-0.93.exe—the installer for the NPCAP network packet capture library and its associated kernel driver.
• mimikatz.exe—Mimikatz, the credential stealing tool.
The group attempted to encrypt files directly at first, but was stopped by defence solutions. It then employed the aforementioned procedure and demanded $1 million to restore the files. The gang also allows single-file recovery for 0.099 BTC (5036,21 EURO).
The gang was observed gaining initial access to target networks by exploiting the CVE-2021-21972 vulnerability in VMware vCenter Server. vCenter Server is VMware’s centralised management utility, and it is used to manage virtual machines, multiple ESXi hosts, and all dependent components from a single location.
According to the published advisory: “A remote code execution vulnerability in a vCenter Server plugin exists in the vSphere Client (HTML5). VMware has determined that the severity of this issue is Critical, with a maximum CVSSv3 base score of 9.8. A malicious actor with network access to port 443 may take advantage of this vulnerability to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.”
“The ransomware’s behaviour was altered to avoid detection of encryption activity. Instead of encrypting files, the ‘crypt’ code now places unencrypted files in archive files using a copy of WinRAR, saving each file in its own archive with a .vaultz file extension. Passwords were generated for each archived file. The passwords themselves were then encrypted.”
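Two hunting checks a defender can derive from the behaviour just described, written here as an added example (not Sophos's or the ransomware's code): confirm by magic bytes that .vaultz files really are RAR archives, and spot WinRAR binaries launched under a different name by comparing the executable's name with the PE OriginalFileName that Sysmon records. The OriginalFileName values for WinRAR's binaries and all sample paths and events are assumptions constructed for the demo.

```python
from dataclasses import dataclass

# RAR archive signatures: RAR 4.x (7 bytes) and RAR 5.x (8 bytes).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
# OriginalFileName values carried in the PE version resource of WinRAR's
# binaries (an assumption for this demo; verify against your own copies).
WINRAR_ORIGINAL_NAMES = {"winrar.exe", "rar.exe"}

def is_rar(header: bytes) -> bool:
    """True if the leading bytes of a file match a RAR signature."""
    return header.startswith(RAR4_MAGIC) or header.startswith(RAR5_MAGIC)

def find_vaultz_archives(files: dict) -> list:
    """Return .vaultz paths whose content really is a RAR archive.
    `files` maps a path to its first bytes (open(path, "rb").read(8));
    the extension alone is a weak signal, the magic bytes confirm it."""
    return sorted(p for p, head in files.items()
                  if p.lower().endswith(".vaultz") and is_rar(head))

@dataclass
class ProcEvent:
    image: str          # full path of the launched executable
    original_name: str  # OriginalFileName as logged by Sysmon event ID 1

def renamed_winrar(events: list) -> list:
    """Flag launches of a WinRAR binary that ran under another file name."""
    flagged = []
    for ev in events:
        exe = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if (ev.original_name.lower() in WINRAR_ORIGINAL_NAMES
                and exe not in WINRAR_ORIGINAL_NAMES):
            flagged.append(ev.image)
    return flagged

# Constructed sample data standing in for a directory listing and a
# process-creation log; none of it comes from a real incident.
SAMPLE_FILES = {
    r"C:\Users\acct\Documents\q3-report.docx.vaultz": RAR5_MAGIC + b"\x00\x00",
    r"C:\Users\acct\Documents\photo.jpg.vaultz": RAR4_MAGIC + b"\x73",
    r"C:\Users\acct\Documents\notes.txt.vaultz": b"not an archive at all",
    r"C:\Users\acct\Documents\backup.rar": RAR4_MAGIC,
}
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\Temp\r.exe", "Rar.exe"),
    ProcEvent(r"C:\Program Files\WinRAR\WinRAR.exe", "WinRAR.exe"),
]
```

In a real hunt, feed `find_vaultz_archives` the first eight bytes of every file under the user profile shares and `renamed_winrar` the Sysmon process-creation events from the affected hosts.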
Finally, the SophosLabs researchers concluded that, in the attacks they investigated, victims did not pay the ransom because they used backups to restore their files.