Sophos has released details of a new Python ransomware called Memento.
The research, titled New Ransomware Actor Uses Password Protected Archives to Bypass Encryption Protection, describes the attack, which locks files in a password-protected archive if the Memento ransomware can’t encrypt the targeted data.
Human-led ransomware attacks in the real world are rarely clear cut and linear, according to Sean Gallagher, senior threat researcher at Sophos.
“Attackers seize opportunities when they find them or make mistakes, and then change tactics ‘on-the-fly’.”
"If they can make it into a target’s network, they won’t want to leave empty-handed."
"The Memento attack is a good example of this, and it serves as a critical reminder to use defence-in-depth security," Gallagher said.
Attack timeline
Sophos researchers believe the Memento operators breached the target’s network in mid-April 2021.
The attackers exploited a flaw in VMware’s vSphere, an internet-facing cloud computing virtualisation tool, to gain a foothold on a server, and the forensic evidence Sophos researchers found indicates the attackers started the main intrusion in early May 2021.
The attackers used the early months for lateral movement and reconnaissance, using the Remote Desktop Protocol (RDP), the NMAP network scanner, Advanced Port Scanner and the Plink Secure Shell (SSH) tunnelling tool to set up an interactive connection with the breached server. The attackers also used Mimikatz to harvest account credentials for use in later stages of the attack.
According to Sophos researchers, on 20 October 2021, the attackers used the legitimate tool WinRAR to compress a collection of files and exfiltrate them via RDP.
Release of the ransomware
The attacker first deployed the ransomware on 23 October 2021 and Sophos researchers found that the attackers initially tried to directly encrypt files, but security measures blocked this attempt.
The attackers then changed tactics, retooled and redeployed the ransomware. They copied unencrypted files into password-protected archives using a renamed free version of WinRAR, before encrypting the password and deleting the original files.
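Added example (not code from the Sophos report or this article): a defender-side triage routine that scans Windows process-creation events for the pattern described above, namely RAR archive creation with a password switch launched from an executable not named like WinRAR, optionally with the source files deleted. The sample events, image paths and the `analyse_event`/`triage` helpers are constructed for illustration.

```python
import re

# Constructed sample process-creation events (image path, command line);
# none of these come from the incident described in the article.
SAMPLE_EVENTS = [
    (r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR.exe a -r backup.rar D:\share\*"),
    (r"C:\Users\Public\svc.exe", r"svc.exe a -r -hp[REDACTED] -df C:\temp\out.rar D:\finance\*"),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe report.txt"),
    (r"C:\ProgramData\up.exe", r"up.exe a -ep1 -p[REDACTED] E:\archive.rar E:\docs\*"),
]

# RAR/WinRAR switches that matter here:
#   -p<pwd>  encrypts file data, -hp<pwd> encrypts data and headers,
#   -df      deletes the source files once they are archived.
PASSWORD_SWITCH = re.compile(r"^-(hp|p)\S*$", re.IGNORECASE)
DELETE_SWITCH = "-df"
KNOWN_RAR_IMAGES = {"rar.exe", "winrar.exe", "unrar.exe"}


def analyse_event(image, cmdline):
    """Return a list of findings for one process-creation event (empty if benign)."""
    argv = cmdline.split()
    # RAR syntax is: <exe> <command> [switches] <archive> <files>; 'a' adds to an archive.
    if len(argv) < 2 or argv[1].lower() != "a":
        return []
    switches = [tok for tok in argv[2:] if tok.startswith("-")]
    if not any(PASSWORD_SWITCH.match(s) for s in switches):
        return []
    findings = ["password-protected archive creation"]
    image_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image_name not in KNOWN_RAR_IMAGES:
        findings.append(f"rar switches issued by non-standard image {image_name}")
    if DELETE_SWITCH in (s.lower() for s in switches):
        findings.append("source files deleted after archiving (-df)")
    return findings


def triage(events):
    """Return [(image, findings)] for every event that produced at least one finding."""
    results = []
    for image, cmdline in events:
        findings = analyse_event(image, cmdline)
        if findings:
            results.append((image, findings))
    return results


if __name__ == "__main__":
    for image, findings in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(findings))
```

The plain WinRAR backup run produces no finding, which keeps the rule focused on the password-plus-renamed-binary combination rather than on archiving in general.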
The attackers demanded a ransom of $1 million in bitcoin in order to restore the files. Fortunately, the target was able to recover data without the involvement of the attackers.
Open entry points let in additional attackers
While the Memento attackers were in the target’s network, two different attackers broke in via the same vulnerable access point, using similar exploits.
These attackers each dropped cryptocurrency miners onto the same compromised server. One of them installed an XMR crypto miner on 18 May while the other installed an XMRig cryptominer on 8 September and again on 3 October.
According to Gallagher, the longer vulnerabilities go unmitigated, the more attackers they attract.
“We’ve seen this repeatedly – when internet-facing vulnerabilities become public and go unpatched, multiple attackers will quickly exploit them,” Gallagher said.
Security advice
Sophos researchers believe this incident, where multiple attackers exploited a single unpatched server exposed to the internet, highlights the importance of quickly applying patches and checking with third-party integrators, contract developers or service providers about their software security.
Following general best practices to help defend against ransomware and related cyber attacks is also recommended:
At a strategic level
Deploy layered protection. As more ransomware attacks begin to involve extortion, backups remain necessary, but insufficient. It is more important than ever to keep adversaries out in the first place, or to detect them quickly, before they cause harm.
Use layered protection to block and detect attackers at as many points as possible across an estate.
Combine human experts and anti-ransomware technology. The key to stopping ransomware is defence-in-depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organisation needs, while human experts are best able to detect the telltale tactics, techniques and procedures that indicate an attacker is attempting to get into the environment. If organisations don’t have the skills in-house, they can enlist support from cyber security specialists.
At a day-to-day tactical level
Monitor and respond to alerts. Ensure the appropriate tools, processes, and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time their strike during off-peak hours, at weekends or during the holidays, on the assumption that few or no staff are watching.
Detecting ransomware and attempted encryption is vital, but it’s also important to have security technologies that can alert IT managers to other unexpected activity such as lateral movement, according to Gallagher.
"Being breached by multiple attackers compounds disruption and recovery time for victims."
"It also makes it harder for forensic investigations to unpick and resolve who did what, which is important intelligence for threat responders to collect to help organisations prevent additional repeat attacks,” Gallagher said.
“Cyber criminals are continuously scanning the internet for vulnerable online entry points, and they don’t wait in line when they find one.”
Nastasha is a Journalist at Momentum Media, she reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.