After their encryption method was identified by security tools, a new ransomware gang dubbed Memento adopted the novel approach of locking files within password-protected folders. The gang started active last month when they gained initial access to victims’ networks by exploiting a VMware vCenter Server web client weakness.
The vCenter flaw is identified as CVE-2021-21971. Anyone having remote access to TCP/IP port 443 on an exposed vCenter server can run commands with admin capabilities on the underlying OS. Although a fix for this problem was released in February, many organizations have yet to repair their installations. Since April, Memento has been abusing this vulnerability, and a separate actor was identified exploiting it in May to deploy XMR miners using PowerShell instructions.
Last month, Memento began its ransomware operation by using vCenter to harvest administrator credentials from the target server, create persistence using scheduled activities, and then expand laterally across the network using RDP over SSH. Following the reconnaissance step, the actors used WinRAR to generate and exfiltrate an archive of the stolen files.
Finally, they employed Jetico’s BCWipe data cleaning program to remove any remaining traces before encrypting with AES using a Python-based ransomware strain. However, Memento’s initial efforts at encrypting data were spotted and stopped before any damage was done since the computers lacked anti-ransomware security.
To get around security software’s detection of cheap ransomware, Memento devised a novel strategy: bypass encryption entirely and transfer files into password-protected archives. To do this, the group places files in WinRAR archives, creates a strong password for access security, encrypts the key, and then deletes the original files.
Sophos analyst Sean Gallagher reveals that the “crypt” algorithm now saves each file in its archive with a .vaultz file extension instead of encrypting data. As each file was archived, passwords were generated. After then, the passwords were encrypted. The victim must pay 15.95 BTC ($940,000) for total recovery or 0.099 BTC ($5,850) per file, according to the ransom letter that has been released.
These extortion efforts did not result in a ransom payment in the cases studied by Sophos since victims used their backups to restore the contents. On the other hand, Memento is a new organization that has recently discovered a novel strategy that works. Thus, they’ll most likely test it against other organizations. As a result, if you’re using VMware vCenter Server or/and Cloud Foundation, be sure to upgrade your tools to the most recent version available to avoid exploiting known vulnerabilities.
