Cybersecurity researchers have discovered a new ransomware crew that locks files in a password-protected archive if it fails to encrypt the target’s data.
The group, which self-identifies as the Memento Team, breached a victim’s network in mid-April 2021 by exploiting a vulnerability in VMware’s vCenter Server web client, a cloud computing virtualization platform, Sophos said in a new report. The security provider believes that the cyber hijackers began their operation in early May 2021 with lateral movement and reconnaissance.
The attackers first deployed the ransomware on Oct. 23, 2021, and tried to directly encrypt files, but were stopped by endpoint protection. The group then changed tactics, placing unencrypted files into password-protected archives before encrypting the password and deleting the original files. To compress files and exfiltrate them via Remote Desktop Protocol (RDP), the hackers used a renamed freeware version of the legitimate file compression utility WinRAR.
The hackers ultimately demanded $1 million in bitcoin to restore the files, said Sean Gallagher, a senior threat researcher at Sophos. “Attackers seize opportunities when they find them or make mistakes, and then change tactics ‘on-the-fly,’” he said. “If they can make it into a target’s network, they won’t want to leave empty handed.”
Fortunately, in this case the attacked organization recovered its data without acquiescing to the ransom demand. Sophos didn't say how the victim reconstructed its data.
Interestingly enough, while the Memento Team was planning its next move, two different intruders exploited the same vulnerable access point to drop cryptominers into the compromised server, Sophos said. “We’ve seen this repeatedly – when internet-facing vulnerabilities become public and go unpatched, multiple attackers will quickly exploit them,” Gallagher said. “Cybercriminals are continuously scanning the internet for vulnerable online entry points, and they don’t wait in line when they find one.”
Indeed, when multiple cyber attackers exploit a single unpatched server, it serves as a stark reminder for organizations not only to apply patches quickly but also to check on the software security of their third-party suppliers, including MSSPs and MSPs, integrators and contract developers, Gallagher said.
Sophos recommended the following strategic and tactical best practices to help defend against ransomware and other cyber attacks:
- Deploy layered protection. As more ransomware attacks begin to involve extortion, backups are not enough.
- Combine human experts and anti-ransomware technology. If organizations don’t have the skills in house, they can enlist support from cybersecurity specialists such as MSSPs.
- Monitor and respond to alerts. Ransomware attackers often time their strike during off-peak hours, chancing that few or no staff are watching.
- Set and enforce strong passwords. Strong passwords serve as one of the first lines of defense.
- Use multifactor authentication (MFA). Any form of multifactor authentication is better than none.
- Lock down accessible services. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN or zero-trust network access solution that uses MFA.
- Practice segmentation and zero-trust. Separate critical servers from each other and from workstations by putting them into separate VLANs.
- Make offline backups of information and applications. Keep backups up to date, ensure their recoverability and keep a copy offline.
- Inventory assets and accounts. Unknown, unprotected and unpatched devices in the network increase risk and create a situation where malicious activities could pass unnoticed.
- Make sure security products are correctly configured. Ensure security solutions are configured properly and regularly check, validate and update security policies.
- Audit Active Directory (AD). Conduct regular audits on all accounts in AD, ensuring that none have more access than is needed for their purpose.
- Patch everything. Double check that patches have been installed correctly and are in place for critical systems like internet-facing machines or domain controllers.
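
As an added illustration of the "monitor and respond to alerts" advice (example code written for this page, not taken from Sophos or its report), the Python below checks process-creation telemetry for the two behaviors described earlier: a WinRAR binary running under another file name, and an archive being created with a password. The event field names, the expected archiver file names and the sample events are assumptions constructed for the example; `a`, `-p` and `-hp` are RAR's own add command and password switches.

```python
import ntpath
import shlex

# Assumption: names carried in the archiver binaries' original-file-name metadata.
ARCHIVER_NAMES = {"winrar.exe", "rar.exe"}

def sets_password(switch):
    """True for RAR's -p<pwd> / -hp<pwd> switches; -p- only disables the prompt."""
    s = switch.lower()
    return s.startswith(("-hp", "-p")) and s != "-p-"

def assess(event):
    """Return the findings for one process-creation event (hypothetical field names)."""
    findings = []
    image = ntpath.basename(event["image"]).lower()
    original = event.get("original_file_name", "").lower()
    if original in ARCHIVER_NAMES and image != original:
        findings.append("renamed_archiver")
    try:
        tokens = shlex.split(event["command_line"], posix=False)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = event["command_line"].split()
    args = tokens[1:]
    is_archiver = original in ARCHIVER_NAMES or image in ARCHIVER_NAMES
    if is_archiver and args and args[0].lower() == "a" \
            and any(sets_password(t) for t in args[1:]):
        findings.append("password_protected_archive")
    return findings

# Constructed sample events, not taken from the Sophos report.
SAMPLE_EVENTS = [
    {"image": r"C:\Temp\updater.exe", "original_file_name": "WinRAR.exe",
     "command_line": r"C:\Temp\updater.exe a -hpEXAMPLE D:\out\docs.rar D:\share\docs"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe", "original_file_name": "WinRAR.exe",
     "command_line": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\dl\a.rar C:\dl\out'},
    {"image": r"C:\Tools\rar.exe", "original_file_name": "rar.exe",
     "command_line": r"C:\Tools\rar.exe a -p- D:\out\logs.rar D:\logs"},
    {"image": r"C:\Windows\notepad.exe", "original_file_name": "NOTEPAD.EXE",
     "command_line": r"notepad.exe a -pnote.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ntpath.basename(ev["image"]), assess(ev))
```

A password-protected archive on its own is common in legitimate use, so the second finding is best treated as context that raises the priority of the first.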