Ransomware gang Memento utilises WinRAR functions to pose threats

December 29, 2021
Ransomware Gang Memento WinRAR Cyber Threats Data Loss Monitoring

A new threat group named Memento has recently taken a peculiar approach: it locks victims' files inside password-protected archives built with WinRAR after its encryption attempts were repeatedly detected and shut down by security software. The Memento ransomware group became active last October and gained its initial access to targets' networks by exploiting a VMware vCenter Server web client vulnerability.

The vCenter flaw is tracked as CVE-2021-21971, an unauthenticated remote code execution vulnerability with a high severity rating. It gives anyone with remote access to an exposed vCenter server the ability to run commands on the underlying operating system with administrator-level privileges, and it served as the entry point for the Memento ransomware group.

Last October, the Memento ransomware group began its operation by extracting administrative credentials and other information from the target server. The group also established persistence through scheduled tasks and then used RDP over SSH to move laterally across the victims' network.

After collecting the data, the threat actors used WinRAR to build an archive of the stolen files and exfiltrated it. Finally, they ran a data-wiping utility to remove their tracks and then deployed a Python-based ransomware strain for the encryption.

However, Memento's original goal of encrypting data files was repeatedly detected by security solutions, so the group switched its approach and carried on.

Security detections did not stop the Memento ransomware from causing damage.

The Memento ransomware evades security software with an unusual strategy: it skips the encryption step and instead moves the gathered files into a password-protected archive. To do this, the Memento gang moved the files into a WinRAR archive, set a strong password to protect it, encrypted the key, and deleted the original files.
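The archive-with-password-then-delete-originals pattern is visible in process-creation telemetry. The following is an added detection example, not code from the article or from any vendor: it assumes RAR command lines are captured as events and relies on the documented RAR switches -p/-hp (password) and -df (delete source files after archiving); the events are constructed samples.

```python
import re
import shlex

# Constructed process-creation events (image path + command line); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'Rar.exe a -hpS3cretPass -df -r D:\staging\hr.rar "C:\Shares\HR\*"'},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -p -r C:\Users\bob\backup.rar C:\Users\bob\Documents"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe x C:\Downloads\tools.rar C:\Tools"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

RAR_IMAGES = {"rar.exe", "winrar.exe"}
# Documented RAR switches: -p[pwd] / -hp[pwd] set a password (-hp also encrypts
# file names); -df deletes the source files once they have been archived.
PASSWORD_SWITCH = re.compile(r"^-(?:hp|p)", re.IGNORECASE)
DELETE_SWITCH = re.compile(r"^-df$", re.IGNORECASE)


def analyse_event(event):
    """Return a finding dict for a RAR archive-creation command, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in RAR_IMAGES:
        return None
    tokens = shlex.split(event["cmdline"], posix=False)  # keep backslashes as-is
    # Only the 'a' (add to archive) command stages data this way.
    if len(tokens) < 2 or tokens[1].lower() != "a":
        return None
    switches = [t for t in tokens[2:] if t.startswith("-")]
    password = any(PASSWORD_SWITCH.match(s) for s in switches)
    deletes = any(DELETE_SWITCH.match(s) for s in switches)
    if password and deletes:
        severity = "high"    # password-protect and delete originals: the Memento pattern
    elif password:
        severity = "medium"  # encrypted archive only; could be a legitimate backup
    else:
        severity = "low"
    return {"image": image, "password": password,
            "deletes_originals": deletes, "severity": severity}


def scan(events):
    """Run the heuristic over a list of events, keeping only RAR archive creations."""
    return [f for f in (analyse_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The heuristic only sees command lines; archives created through the WinRAR GUI leave no switches, so pair it with file-system telemetry (bulk deletions alongside new .rar files) in a real deployment.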

The Memento group then drops a ransom note demanding nearly $1 million from the victim for full recovery of the stolen files. As of today, no ransom payment has been confirmed. However, because Memento's unusual approach to holding files hostage has proved successful, they will use it again against other targets.
