Ransomware actors have found a cunning way to bypass your endpoint protection

Ransomware
(Image credit: Shutterstock)

Cybersecurity researchers have uncovered a new ransomware group, which after failing to directly encrypt their victim’s files, copied them into a password-protected archive, before encrypting the password, and deleting the original files.

Sharing insights into the threat actor, which identifies itself as “Memento Team,” Sean Gallagher from the Sophos MTR’s Rapid Response Team writes that the operators use a renamed freeware version of the legitimate file compression utility WinRAR

“This was a retooling by the ransomware actors, who initially attempted to encrypt files directly—but were stopped by endpoint protection. After failing on the first attempt, they changed tactics, and re-deployed,” notes Gallagher.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

After encrypting the files, the gang demanded $1 million to restore the files, and as is common among ransomware operators, threatened to expose the victim’s data if they refused to pay the ransom.

Off the beaten track

The researchers believe the threat actors first broke into their victim’s network by exploiting a flaw in the VMware’s vCenter Server web client, sometime between April and May.

They then waited till October to deploy their ransomware. Interestingly, Sophos notes that while the Memento Team were pondering about their next move, at least two different intruders exploited the same vCenter vulnerability to drop cryptominers into the compromised server.

As for the Memento Team’s ransomware itself, Gallagher notes that it was written in Python 3.9 and compiled with PyInstaller. While they were unable to decompile it completely, the researchers were able to decode enough of the code to understand how it worked. 

Furthermore, the attackers also deployed an open source Python-based keylogger on several machines, as they moved laterally within the network with the help of Remote Desktop Protocol (RDP).

Sophos adds that the attackers’ ransom note takes inspiration from the one used by REvil, and asks the victims to get in touch via the Telegram messenger. All of it came to naught as the victim refused to engage with the threat actors and recovered most of their data thanks to backups

However, Sophos adds that the attack once again highlights the fact that threat actors are always looking to exploit any laxity shown by admins to patch their servers. 

“At the time of the initial compromise, the vCenter vulnerability had been public for nearly two months, and it remained exploitable up to the day the server was encrypted by the ransomware attackers,” notes Sophos, in its effort to impress upon the importance of applying security patches without delay.

Ensure your systems remain secure and updated using one of these best patch management tools

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.