Memento Ransomware Locked Files in a Password-Protected Archive When it Couldn’t Encrypt the Data and Demands $1 Million in Bitcoin
Sophos, a global leader in next-generation cybersecurity, has released details of a new Python ransomware called Memento. The research, “New Ransomware Actor Uses Password Protected Archives to Bypass Encryption Protection,” describes the attack, which locks files in a password-protected archive if the Memento ransomware can’t encrypt the targeted data.
“Human-led ransomware attacks in the real world are rarely clear cut and linear,” said Sean Gallagher, senior threat researcher at Sophos. “Attackers seize opportunities when they find them or make mistakes, and then change tactics ‘on-the-fly.’ If they can make it into a target’s network, they won’t want to leave empty handed. The Memento attack is a good example of this, and it serves as a critical reminder to use defense-in-depth security. Being able to detect ransomware and attempted encryption is vital, but it’s also important to have security technologies that can alert IT managers to other, unexpected, activity such as lateral movement.”
Sophos researchers believe the Memento operators breached the target’s network in mid-April 2021. The attackers exploited a flaw in VMware’s vSphere, an internet facing cloud computing virtualization tool, to gain a foothold on a server. The forensic evidence Sophos researchers found indicates the attackers started the main intrusion in early May 2021.
The attackers used the early months for lateral movement and reconnaissance, using the Remote Desktop Protocol (RDP), NMAP network scanner, Advanced Port Scanner, and Plink Secure Shell (SSH) tunneling tool to set up an interactive connection with the breached server. The attackers also used mimikatz to harvest account credentials to use in later stages of the attack.
According to Sophos researchers, on Oct. 20, 2021, the attackers used the legitimate tool WinRAR to compress a collection of files and exfiltrate them via RDP.
Release of the Ransomware
The attacker first deployed the ransomware on Oct. 23, 2021. Sophos researchers found that the attackers initially tried to directly encrypt files, but security measures blocked this attempt. The attackers then changed tactics, re-tooled and re-deployed the ransomware. They copied unencrypted files into password-protected archives using a renamed free version of WinRaR, before encrypting the password and deleting the original files.
The attackers demanded a ransom of $1 million in bitcoin in order to restore the files. Fortunately, the target was able to recover data without the involvement of the attackers.
Open Entry Points Let in Additional Attackers
While the Memento attackers were in the target’s network, two different attackers broke in via the same vulnerable access point, using similar exploits. These attackers each dropped cryptocurrency miners onto the same compromised server. One of them installed an XMR cryptominer on May 18, while the other installed an XMRig cryptominer on Sept. 8 and again on Oct. 3.
“We’ve seen this repeatedly – when internet-facing vulnerabilities become public and go unpatched, multiple attackers will quickly exploit them. The longer vulnerabilities go unmitigated, the more attackers they attract,” said Gallagher. “Cybercriminals are continuously scanning the internet for vulnerable online entry points, and they don’t wait in line when they find one. Being breached by multiple attackers compounds disruption and recovery time for victims. It also makes it harder for forensic investigations to unpick and resolve who did what, which is important intelligence for threat responders to collect to help organizations prevent additional repeat attacks.”
Sophos believes this incident, where multiple attackers exploited a single unpatched server exposed to the internet, highlights the importance of quickly applying patches and checking with third-party integrators, contract developers or service providers about their software security.
Sophos also recommends the following general best practices to help defend against ransomware and related cyberattacks:
At a Strategic Level
- Deploy layered protection. As more ransomware attacks begin to involve extortion, backups remain necessary, but insufficient. It is more important than ever to keep adversaries out in the first place, or to detect them quickly, before they cause harm. Use layered protection to block and detect attackers at as many points as possible across an estate
- Combine human experts and anti-ransomware technology. The key to stopping ransomware is defense-in-depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organization needs, while human experts are best able to detect the tell-tale tactics, techniques and procedures that indicate an attacker is attempting to get into the environment. If organizations don’t have the skills in house, they can enlist support from cybersecurity specialists
At a Day-to-Day Tactical Level
- Monitor and respond to alerts. Ensure the appropriate tools, processes, and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time their strike during off-peak hours, at weekends or during the holidays, on the assumption that few or no staff are watching
- Set and enforce strong passwords. Strong passwords serve as one of the first lines of defense. Passwords should be unique or complex and never re-used. This is easier to accomplish with a password manager that can store staff credentials
- Use Multi Factor Authentication (MFA). Even strong passwords can be compromised. Any form of multifactor authentication is better than none for securing access to critical resources such as e-mail, remote management tools and network assets
- Lock down accessible services. Perform network scans from the outside and identify and lock down the ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN or zero-trust network access solution that uses MFA as part of its login
- Practice segmentation and zero-trust. Separate critical servers from each other and from workstations by putting them into separate VLANs as you work towards a zero-trust network model
- Make offline backups of information and applications. Keep backups up to date, ensure their recoverability and keep a copy offline
- Inventory your assets and accounts. Unknown, unprotected and unpatched devices in the network increase risk and create a situation where malicious activities could pass unnoticed. It is vital to have a current inventory of all connected compute instances. Use network scans, IaaS tools, and physical checks to locate and catalog them, and install endpoint protection software on any machines that lack protection
- Make sure security products are correctly configured. Under-protected systems and devices are vulnerable too. It is important that you ensure security solutions are configured properly and to check and, where necessary, validate and update security policies regularly. New security features are not always enabled automatically. Don’t disable tamper protection or create broad detection exclusions as doing so will make an attacker’s job easier
- Audit Active Directory (AD). Conduct regular audits on all accounts in AD, ensuring that none have more access than is needed for their purpose. Disable accounts for departing employees as soon as they leave the company
- Patch everything. Keep Windows and other operating systems and software up to date. This also means double checking that patches have been installed correctly and are in place for critical systems like internet-facing machines or domain controllers
Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks. The act of attempting to encrypt files is blocked by the CryptoGuard feature. Integrated endpoint detection and response, including Sophos Extended Detection and Response (XDR), can help capture nefarious activities, such as when attackers create password-protected archives like those used in the Memento ransomware attack.
To learn more, please read the Memento ransomware article on SophosLabs Uncut.