Memento ransomware strikes even without encryption

Discovered and analyzed by Sophos researchers, this threat falls back on an alternative technique when it cannot encrypt the targeted files.

Published on November 19, 2021 by Redazione

Ransomware typically uses encryption to take data, applications and systems hostage, but some operators do it differently. Memento, a ransomware that emerged last spring and was discovered and analyzed by Sophos researchers, adapts its attack procedure when necessary: if it fails to encrypt the target data, it moves the files into a password-protected archive instead. For the victims the outcome is the same: they can no longer access their data, with the consequent impact on the operation of applications and services.

Sophos reconstructed, in particular, a sophisticated attack that unfolded in stages over the course of months. In April the attackers broke into the target company by exploiting a vulnerability in vSphere, VMware's server virtualization platform. From there they obtained access to a server, and from May onwards they stayed hidden in the network for reconnaissance, moving laterally with the Remote Desktop Protocol (RDP), the Nmap network scanner, Advanced Port Scanner and Plink, the command-line SSH client, which they used to tunnel an interactive connection to the compromised server. They also used Mimikatz, a credential-harvesting tool, to prepare for the next step: taking over accounts.

On October 20 the attackers moved: they used WinRAR to compress a set of files and exfiltrated them over RDP. The final blow came three days later. The attackers first tried to encrypt the files, but the company's security measures blocked them, so they changed tactics: they modified and redeployed Memento so that it copied the unencrypted files into password-protected archives, then encrypted the archive password and deleted the original files. The last step was extortion: a ransom of $1 million in Bitcoin was demanded.
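The archive-and-delete fallback described above leaves a recognizable fingerprint on the endpoint: an archiver launched with a password switch and a delete-the-originals switch in the same command line. The following is an added detection example, not Sophos code and not part of the Memento malware: it rates process-creation events by that pattern. It generalizes beyond the page by also covering 7-Zip's equivalent switches and RAR's "m" (move into archive) command, which deletes the sources without any extra switch. The event fields, paths, user names and sample events are constructed for the example.

```python
"""Detection heuristic for the archive-and-delete extortion pattern."""
import ntpath
import re
import shlex

# Switch tables for the two archivers (documented command-line switches).
# RAR:   -p<pwd> / -hp<pwd> set a password ("-p-" explicitly disables one),
#        -df deletes and -dw wipes the originals after archiving, and the
#        "m"/"mf" commands move files into the archive, deleting them too.
# 7-Zip: -p<pwd> sets a password, -sdel deletes the originals.
RAR_RULES = {
    "password": re.compile(r"^-(?:hp|p)(?!-$)", re.IGNORECASE),
    "delete": re.compile(r"^-d[fw]$", re.IGNORECASE),
    "move_commands": {"m", "mf"},
}
SEVENZIP_RULES = {
    "password": re.compile(r"^-p(?!-$)", re.IGNORECASE),
    "delete": re.compile(r"^-sdel$", re.IGNORECASE),
    "move_commands": set(),
}
ARCHIVERS = {
    "rar.exe": RAR_RULES, "winrar.exe": RAR_RULES,
    "7z.exe": SEVENZIP_RULES, "7za.exe": SEVENZIP_RULES,
}
# Only commands that add/move files into an archive matter; extraction does not.
ARCHIVE_CREATING_COMMANDS = {"a", "u", "m", "mf"}


def analyze_command(image, command_line):
    """Parse one archiver invocation.

    Returns None when the image is not a watched archiver, otherwise a dict
    with the archiver name, the archiver command (e.g. "a") and whether the
    switches request a password and deletion of the source files.
    """
    name = ntpath.basename(image).lower()
    rules = ARCHIVERS.get(name)
    if rules is None:
        return None
    # Windows-style command line: keep backslashes, strip the quotes shlex retains.
    tokens = [t.strip('"') for t in shlex.split(command_line, posix=False)]
    args = tokens[1:]  # drop argv[0]
    switches = [t for t in args if t.startswith("-")]
    command = next((t.lower() for t in args if not t.startswith("-")), "")
    password = any(rules["password"].match(s) for s in switches)
    deletes = command in rules["move_commands"] or any(
        rules["delete"].match(s) for s in switches)
    return {"archiver": name, "command": command,
            "password": password, "deletes_originals": deletes}


def severity(event):
    """Rate one process-start event: 'high' when files are locked behind a
    password AND the originals are removed (the fallback Memento used),
    'medium' for one of the two, 'low' for plain archiving, 'none' otherwise."""
    info = analyze_command(event["image"], event["command_line"])
    if info is None or info["command"] not in ARCHIVE_CREATING_COMMANDS:
        return "none"
    if info["password"] and info["deletes_originals"]:
        return "high"
    if info["password"] or info["deletes_originals"]:
        return "medium"
    return "low"


def scan(events):
    """Return the events worth alerting on (medium or high) with their rating."""
    alerts = []
    for event in events:
        rating = severity(event)
        if rating in ("high", "medium"):
            alerts.append({"time": event["time"], "user": event["user"],
                           "severity": rating, "command_line": event["command_line"]})
    return alerts


# Constructed sample events modelled on the fields of a process-creation
# record (Sysmon event ID 1 / EDR telemetry); they are not real logs.
RAR = r"C:\Program Files\WinRAR\Rar.exe"
SEVENZIP = r"C:\Program Files\7-Zip\7z.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
SAMPLE_EVENTS = [
    {"time": "2021-10-23T02:14:11Z", "user": r"CORP\svc_backup", "image": RAR,
     "command_line": f'"{RAR}" a -r -hpP4ss!w0rd -df D:\\share\\vault01.rar D:\\share\\finance'},
    {"time": "2021-10-23T02:16:40Z", "user": r"CORP\svc_backup", "image": SEVENZIP,
     "command_line": f'"{SEVENZIP}" a -pS3cret -sdel E:\\data\\vault02.7z E:\\data\\hr'},
    {"time": "2021-10-23T09:02:03Z", "user": r"CORP\alice", "image": RAR,
     "command_line": f'"{RAR}" a -r C:\\Users\\alice\\q3.rar C:\\Users\\alice\\Documents\\Q3'},
    {"time": "2021-10-23T09:05:12Z", "user": r"CORP\alice", "image": NOTEPAD,
     "command_line": f'"{NOTEPAD}" C:\\temp\\notes.txt'},
    {"time": "2021-10-23T02:20:55Z", "user": r"CORP\svc_backup", "image": RAR,
     "command_line": f'"{RAR}" m -r D:\\share\\vault03.rar D:\\share\\legal'},
    {"time": "2021-10-23T10:11:00Z", "user": r"CORP\bob", "image": RAR,
     "command_line": f'"{RAR}" a -p- D:\\share\\vault04.rar D:\\share\\sales'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["user"], alert["command_line"])
```

In the constructed sample the two password-plus-delete invocations rate high, the RAR "m" move rates medium, and the ordinary backup-style archive and the explicit "-p-" (no password) rate low. In production the rating would be combined with context the page itself highlights: an interactive RDP session as the parent, a service account doing the archiving, or a burst of archive creation on file shares outside business hours.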

Fortunately, the affected company recovered its data without giving in to the blackmail. Credit goes to its backup systems, from which most of the data was restored and operations returned to normal. In addition, on the systems protected by Sophos Intercept X endpoint detection and response, it was possible to recover the (unencrypted) passwords the attackers had used for the archives. Experts from SophosLabs and the Sophos Rapid Response team then gave the company a method to recover the files that had not been backed up.

The problem of unpatched vulnerabilities

A more technical description of this multi-stage attack is available on the Sophos website. There is another interesting detail to point out: while the Memento operators were inside the network, other cybercriminals got in through the same vSphere vulnerability using similar exploits. In two separate intrusions by different actors, on May 18 and October 3, two cryptomining programs were installed on the same server already compromised by the Memento operators.

"We see it all the time: when Internet-facing vulnerabilities become public and are not neutralized with the appropriate patches, numerous attackers rush to take advantage of them," said Sean Gallagher, senior threat researcher at Sophos. "The longer you wait to mitigate them, the more attackers they draw. Cybercriminals are constantly scanning the Internet for vulnerable entry points, and they certainly don't queue up when they find one. Being hacked by multiple attackers multiplies the damage and the recovery time for victims, and also makes it harder for investigators to establish who did what, information that is important for those facing threats in order to help companies avoid further attacks of the same kind."

At first glance it might seem that our RAMSES software, which identifies encrypted sites, is made obsolete by this technique. But Memento still encrypted with the AES-256 algorithm. As for the idea, described in other articles, that the arrival of quantum computers will expose every encrypted system to simple brute-force attacks (all except our CRIPTEOS 3001): that does not hold for AES-256. Grover's algorithm only halves the effective key length, to roughly 128 bits, which remains far beyond brute force for any foreseeable quantum computer, so a QUANTUM COMPUTER on the side of the "good guys" is not what would defeat this ransomware.