A new strain of ransomware called Memento shows the growing technical acumen of many malicious actors, neatly demonstrating their ability to change their tactics on the fly should their initial plans be disrupted.
The Python-coded ransomware was spotted by Sophos incident responders, who engaged with a victim earlier this autumn. Memento’s operators gained access to the target network as far back as April by exploiting an unpatched vulnerability in VMware vSphere.
They then spent several months lying low, using Remote Desktop Protocol (RDP), the NMAP network scanner, Advanced Port Scanner and Plink secure shell (SSH) tunnelling to connect to the compromised server. Credentials were harvested with Mimikatz.
On 20 October 2021, Memento used the WinRAR tool to compress and exfiltrate the victim’s data via RDP, before deploying the ransomware itself on 23 October. So far, so normal.
But at this point, the cyber criminals hit a problem – their attempt to directly encrypt the victim’s files was blocked by security tools. In response, they changed tack, retooled Memento and redeployed it.
This time, they copied unencrypted files into a password-protected archive using a renamed free version of WinRAR, before encrypting the password and deleting the original files. They then demanded a $1m bitcoin ransom, although the victim had fortunately kept on top of their security and was able to recover without paying.
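The retooled technique above (a renamed WinRAR build writing a password-protected archive and then deleting the source files) leaves a recognisable process-creation footprint. The following Python is an added detection example, not Sophos code or anything from the Memento case: it runs over constructed Sysmon-style event records and flags a binary whose PE OriginalFileName is WinRAR/Rar but whose on-disk name differs, combined with Rar’s password (`-p`/`-hp`) and delete-after-archive (`-df`/`-sdel`) switches. The event field names and sample paths are assumptions.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records reduced to three
# fields. Sample data only; not telemetry from the Sophos investigation.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "OriginalFileName": "WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" x C:\Users\bob\report.rar'},
    {"Image": r"C:\Windows\Temp\svchost.exe",          # Rar.exe renamed to blend in
     "OriginalFileName": "Rar.exe",
     "CommandLine": r'svchost.exe a -r -hpS3cret! -df D:\share\finance.rar D:\share\finance\*'},
    {"Image": r"C:\Windows\System32\svchost.exe",      # the genuine service host
     "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
]

RAR_ORIGINAL_NAMES = {"winrar.exe", "rar.exe"}
# Rar switches: -p<pw> sets a password, -hp<pw> also encrypts archive headers;
# -df and -sdel delete the source files once they have been archived.
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-h?p\S", re.I)
DELETE_SWITCH = re.compile(r"(?:^|\s)-(?:df|sdel)(?:\s|$)", re.I)


def classify(event):
    """Return the indicator names triggered by one process-creation event."""
    original = event.get("OriginalFileName", "").lower()
    if original not in RAR_ORIGINAL_NAMES:
        return []                      # not a WinRAR/Rar binary at all
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image_name != original:
        hits.append("renamed_rar_binary")
    if PASSWORD_SWITCH.search(cmd):
        hits.append("password_protected_archive")
    if DELETE_SWITCH.search(cmd):
        hits.append("source_files_deleted")
    return hits


def find_suspicious(events, min_hits=2):
    """Events carrying at least min_hits indicators; a normal extraction scores zero."""
    return [(e["Image"], classify(e)) for e in events if len(classify(e)) >= min_hits]


if __name__ == "__main__":
    for image, hits in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {image}: {', '.join(hits)}")
```

Requiring two indicators keeps legitimate password-protected archiving from a correctly named WinRAR below the alert threshold while still catching the rename-plus-delete pattern.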
Sean Gallagher, senior threat researcher at Sophos, said the emergence of Memento demonstrates how human-led ransomware attacks are rarely clear-cut and linear, but can quickly evolve to account for specific circumstances.
“Attackers seize opportunities when they find them or make mistakes, and then change tactics ‘on the fly’,” he said. “If they can make it into a target’s network, they won’t want to leave empty-handed. The Memento attack is a good example of this, and it serves as a critical reminder to use defence-in-depth security.
“Being able to detect ransomware and attempted encryption is vital, but it is also important to have security technologies that can alert IT managers to other, unexpected, activity, such as lateral movement.”
The incident also holds other lessons for defenders – again highlighting the usefulness of the defence-in-depth mindset, and of timely patching – because at the same time as the operators of Memento were getting to work, two other attackers compromised the vSphere server on several occasions.
The first attacker installed an XMR cryptominer on 18 May, and the other installed an XMRig cryptominer on 8 September, then again on 3 October.
“We’ve seen this repeatedly – when internet-facing vulnerabilities become public and go unpatched, multiple attackers will quickly exploit them,” said Gallagher. “The longer vulnerabilities go unmitigated, the more attackers they attract.
“Cyber criminals are constantly scanning the internet for vulnerable online entry points, and they don’t wait in line when they find one. Being breached by multiple attackers compounds disruption and recovery time for victims. It also makes it harder for forensic investigations to unpick and resolve who did what, which is important intelligence for threat responders to gather to help organisations prevent further repeat attacks.”