A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software.
Last month, the group became active when they began exploiting a VMware vCenter Server web client flaw for the initial access to victims’ networks.
The vCenter vulnerability is tracked as CVE-2021-21972 and is an unauthenticated, remote code execution bug with a 9.8 (critical) severity rating.
This flaw allows anyone with remote access to TCP/IP port 443 on an exposed vCenter server to execute commands on the underlying OS with admin privileges.
A patch for this flaw came out in February, but as indicated by Memento’s operation, numerous organizations have not patched their installs.
This vulnerability has been under exploitation by Memento since April, while in May, a different actor was spotted exploiting it to install XMR miners via PowerShell commands.
Memento launched their ransomware operation last month when they began exploiting vCenter to extract administrative credentials from the target server, establish persistence through scheduled tasks, and then use RDP over SSH to spread laterally within the network.
After the reconnaissance stage, the actors used WinRAR to create an archive of the stolen files and exfiltrate it.
Finally, they used Jetico’s BCWipe data wiping utility to delete any traces left behind and then used a Python-based ransomware strain for the AES encryption.
However, Memento’s original attempts at encrypting files failed, as the systems had anti-ransomware protection, causing the encryption step to be detected and stopped before any damage was done.
To overcome the detection of commodity ransomware by security software, Memento came up with an interesting tactic – skip encryption altogether and move files into password-protected archives.
To do this, the group now moves files into WinRAR archives, sets a strong password for access protection, encrypts that key, and finally deletes the original files.
“Instead of encrypting files, the “crypt” code now puts the files in unencrypted form into archive files, using the copy of WinRAR, saving each file in its own archive with a .vaultz file extension,” explains Sophos analyst Sean Gallagher.
“Passwords were generated for each file as it was archived. Then the passwords themselves were encrypted.”
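The behaviour described above, one process creating a large number of single-file archives with an unusual extension while deleting the originals, is something endpoint telemetry can flag even though no encryption API is ever called. The following is an added detection example written for this article; it is not Memento code, Sophos tooling, or anything from the original report. The event-line format, the `.vaultz` extension as the watched suffix, the 5-minute window and the threshold of 20 archives are all assumptions for illustration, and the sample log is constructed. The RAR signatures are the documented RAR 4.x and 5.x file headers, so the magic check also catches archives renamed to an arbitrary extension.

```python
"""Heuristic detection of archive-based file "encryption": one process that,
inside a short window, creates many archives with one unusual extension and
deletes roughly as many files. Standard library only. The event format and the
sample log are constructed for this example, not real intrusion telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Signatures written at the start of RAR 4.x and RAR 5.x archives.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def is_rar_archive(data: bytes) -> bool:
    """True if the bytes start with a RAR signature, whatever the file is named."""
    return data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)


def parse_event(line: str) -> dict:
    """Parse one constructed event line:
    '<ISO timestamp> proc=<image> action=<create|delete> path=<path>'.
    The path is taken as the remainder of the line so it may contain spaces."""
    ts, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split(" ", 2))
    return {"ts": datetime.fromisoformat(ts), "proc": fields["proc"],
            "action": fields["action"], "path": fields["path"]}


def detect_archive_bursts(events, window=timedelta(minutes=5), threshold=20,
                          suspicious_exts=(".vaultz",)):
    """Return one alert per process that, within `window`, created at least
    `threshold` files ending in a watched extension and deleted at least as
    many files. Window, threshold and extension list are tuning assumptions."""
    by_proc = defaultdict(lambda: {"create": [], "delete": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] == "create" and ev["path"].lower().endswith(suspicious_exts):
            by_proc[ev["proc"]]["create"].append(ev["ts"])
        elif ev["action"] == "delete":
            by_proc[ev["proc"]]["delete"].append(ev["ts"])

    alerts = []
    for proc, acts in by_proc.items():
        creates, deletes = acts["create"], acts["delete"]
        for i, start in enumerate(creates):          # slide the window over creations
            end = start + window
            n_created = sum(1 for t in creates[i:] if t <= end)
            n_deleted = sum(1 for t in deletes if start <= t <= end)
            if n_created >= threshold and n_deleted >= threshold:
                alerts.append({"process": proc, "first_seen": start,
                               "archives_created": n_created,
                               "files_deleted": n_deleted})
                break  # one alert per process is enough for triage
    return alerts


def build_sample_log() -> list:
    """Constructed events: an archiver writing 25 documents to .vaultz files and
    deleting the originals over two minutes, plus benign background activity."""
    lines = []
    t0 = datetime(2021, 11, 10, 3, 14, 0)
    for i in range(25):
        t = t0 + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} proc=WinRAR.exe action=create "
                     f"path=C:\\Data\\report {i}.docx.vaultz")
        lines.append(f"{(t + timedelta(seconds=1)).isoformat()} proc=WinRAR.exe "
                     f"action=delete path=C:\\Data\\report {i}.docx")
    # Benign: a user zipping a folder, and a shell cleaning up one temp file.
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} proc=explorer.exe "
                 f"action=create path=C:\\Users\\jo\\photos.zip")
    lines.append(f"{(t0 + timedelta(minutes=2)).isoformat()} proc=cmd.exe "
                 f"action=delete path=C:\\Temp\\build.log")
    return lines


if __name__ == "__main__":
    for alert in detect_archive_bursts(parse_event(l) for l in build_sample_log()):
        print(alert)
    print(is_rar_archive(RAR5_MAGIC + b"\x00" * 8))
```

The burst detector is deliberately content-agnostic: it never inspects archive passwords or payloads, only the create/delete rhythm of a single process, which is why it still fires when the archive extension is changed (pair it with `is_rar_archive` on newly created files for that case). Raising the threshold or narrowing the window trades missed small-scale runs for fewer false positives from legitimate bulk archiving jobs.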
The ransom note that is dropped demands the victim pay 15.95 BTC ($940,000) for complete recovery or 0.099 BTC ($5,850) per file.
In the cases that Sophos investigated, these extortion attempts haven’t led to a ransom payment, as victims used their backups to restore the files.
However, Memento is a new group that has just found an atypical approach that works, so they’ll likely try it against other organizations.
As such, if you’re using VMware vCenter Server and/or Cloud Foundation, make sure to update your tools to the latest available version to resolve known vulnerabilities.
Yes, this is a great post!