Cybersecurity researchers have discovered a new ransomware crew that locks files in a password-protected archive if they fail to encrypt the target’s data.
The group, which self-identifies as the Memento Team, breached a victim’s network in mid-April 2021 by exploiting a vulnerability in the web client of VMware’s vCenter Server, a cloud computing virtualization platform, Sophos said in a new report. The security provider believes that the cyber hijackers began their operation in early May 2021 with lateral movement and reconnaissance.
The attackers, who first deployed the ransomware on Oct. 23, 2021, tried to directly encrypt files but were stopped by endpoint protection. The group then changed its tactics, instead placing the unencrypted files into password-protected archives, encrypting the archive password and deleting the original files. To compress the files and exfiltrate them via Remote Desktop Protocol (RDP), the hackers used a renamed freeware version of the legitimate file compression utility WinRAR.
The hackers ultimately demanded $1 million in bitcoin to restore the files, said Sean Gallagher, a senior threat researcher at Sophos. “Attackers seize opportunities when they find them or make mistakes, and then change tactics ‘on-the-fly,’” he said. “If they can make it into a target’s network, they won’t want to leave empty-handed.”
Fortunately, in this case the attacked organization recovered its data without acquiescing to the ransom demand. Sophos didn’t say how the victim reconstructed its data. Interestingly enough, while the Memento Team was scheming its next move, two different intruders exploited the same vulnerable access point to drop cryptominers onto the compromised server, Sophos said. “We’ve seen this repeatedly – when internet-facing vulnerabilities become public and go unpatched, multiple attackers will quickly exploit them,” Gallagher said. “Cybercriminals are continuously scanning the internet for vulnerable online entry points, and they don’t wait in line when they find one.”
Indeed, when multiple cyber attackers exploit a single unpatched server, it serves as a stark reminder for organizations not only to apply patches quickly but also to check on the software security of their third-party suppliers, including MSSPs and MSPs, integrators and contract developers, Gallagher said.
Sophos recommended the following strategic and tactical best practices to help defend against ransomware and other cyber attacks:
Strategic.
Tactical.