A new strain of ransomware called Memento shows the increasing technical acumen of many malicious actors, neatly demonstrating their ability to change up their tactics on the fly should their initial plans be disrupted.
The Python-coded ransomware was observed by Sophos incident responders, who engaged with a victim earlier this autumn. Memento’s operators gained access to the target network as long ago as April by exploiting an unpatched vulnerability in VMware vSphere.
They then spent several months lying low, using remote desktop protocol (RDP), NMAP network scanner, Advanced Port Scanner and Plink secure shell (SSH) tunneling to connect to the compromised server. Credentials were harvested with Mimikatz.
On 20 October 2021, Memento used the WinRAR tool to compress and exfiltrate the victim’s data via RDP, before deploying the ransomware itself on 23 October. So far, so normal.
But at this point, the cyber criminals hit an issue – their attempt to directly encrypt the victim’s files was blocked by security tools. In response, they shifted tack, retooled Memento and redeployed it.
This time, they copied unencrypted files into a password-protected archive using a renamed free version of WinRAR, before encrypting the password and deleting the original files. They then demanded a $1m bitcoin ransom, although the victim had fortunately kept on top of their security and was able to recover without paying.
Sean Gallagher, senior threat researcher at Sophos, said the emergence of Memento demonstrates how human-led ransomware attacks are rarely clear-cut and linear, but can quickly evolve to account for specific circumstances.
“Attackers seize opportunities when they find them or make mistakes, and then change tactics ‘on the fly’,” he said. “If they can make it into a target’s network, they won’t want to leave empty-handed. The Memento attack is a good example of this, and it serves as a critical reminder to use defence-in-depth security.
“Being able to detect ransomware and attempted encryption is vital, but it is also important to have security technologies that can alert IT managers to other, unexpected, activity, such as lateral movement.”
The incident also holds other lessons for defenders – again highlighting the usefulness of the defence-in-depth mindset, and of timely patching – because at the same time as the operators of Memento were getting to work, two other attackers compromised the vSphere server on multiple occasions.
The first attacker installed an XMR cryptominer on 18 May, and the other installed an XMRig cryptominer on 8 Septembet, then again on 3 October.
“We’ve seen this repeatedly – when internet-facing vulnerabilities become public and go unpatched, multiple attackers will quickly exploit them,” said Gallagher. “The longer vulnerabilities go unmitigated, the more attackers they attract.
“Cyber criminals are continuously scanning the internet for vulnerable online entry points, and they don’t wait in line when they find one. Being breached by multiple attackers compounds disruption and recovery time for victims. It also makes it harder for forensic investigations to unpick and resolve who did what, which is important intelligence for threat responders to collect to help organisations prevent additional repeat attacks.”
