A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software. The group became active when they began exploiting a VMware vCenter Server web client flaw for the initial access to victims’ networks.

The vCenter vulnerability is tracked as CVE-2021-21972 and is an unauthenticated remote code execution bug with a CVSS score of 9.8 (critical). It allows anyone who can reach TCP port 443 on an exposed vCenter server to execute commands on the underlying operating system with unrestricted privileges, with no credentials required.


A patch for this flaw has been available since VMware's February 2021 advisory, but as Memento's operation shows, numerous organizations have still not patched their installs. Memento launched their ransomware operation last month: they exploited vCenter to extract administrative credentials from the target server, established persistence through scheduled tasks, and then used RDP tunnelled over SSH to move laterally within the network.

After the reconnaissance stage, the actors used WinRAR to create an archive of the stolen files and exfiltrate it.

Memento attack flow

Finally, they used Jetico's BCWipe data wiping utility to delete any traces left behind, then deployed a Python-based ransomware strain that encrypted files with AES.

Memento's original encryption attempts failed: the targeted systems had anti-ransomware protection, so the encryption step was detected and stopped before any damage was done.

Memento responded with an interesting tactic: skip encryption altogether and move files into password-protected archives to evade the security software.

The group moves each file into a WinRAR archive, sets a strong password on the archive, encrypts that password, and finally deletes the original file.

Instead of encrypting files itself, the "crypt" routine now hands each file to a bundled copy of WinRAR, which stores it in its own password-protected archive with a .vaultz file extension. A password is generated for each file as it is archived, and the passwords themselves are then encrypted. The result is the same for the victim, since WinRAR applies its own AES encryption to password-protected archives and the data cannot be read without the per-file password, but the activity no longer looks like in-place file encryption: a legitimate, signed archiver reads the originals, writes new archive files and deletes the sources, which is exactly the pattern many anti-ransomware heuristics treat as normal user behaviour. Defenders therefore need to watch the archiver itself, in particular command-line invocations that combine a password switch with deletion of the originals, unusual output extensions, and bursts of such invocations from one host.
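The following hunting script is an added example, not code from the original article, from Sophos, or from the Memento actors. It runs detection logic over a handful of constructed process-creation events (loosely modelled on Sysmon Event ID 1 command lines; the hosts, paths, parents and passwords are made up) and flags WinRAR/rar.exe invocations that match the archive-based pattern described above. The switch semantics it relies on are real WinRAR options: `-p<pw>` and `-hp<pw>` set an archive password (`-hp` also encrypts headers), while `-df` and `-dw` delete or wipe the originals after archiving. The severity thresholds and the `.vaultz` extension check are assumptions chosen for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample telemetry (not real logs): "<timestamp>|<host>|<parent>|<command line>".
SAMPLE_EVENTS = """\
2021-11-01T10:02:11|WS01|explorer.exe|"C:\\Program Files\\WinRAR\\WinRAR.exe" x C:\\Users\\alice\\Downloads\\report.rar
2021-11-01T10:05:43|FS02|cmd.exe|C:\\Windows\\Temp\\rar.exe a -p7hG2!kq9 -df -ep1 "D:\\Finance\\Q3.xlsx.vaultz" "D:\\Finance\\Q3.xlsx"
2021-11-01T10:05:44|FS02|cmd.exe|C:\\Windows\\Temp\\rar.exe a -hpZz8#mmq1 -df "D:\\Finance\\payroll.docx.vaultz" "D:\\Finance\\payroll.docx"
2021-11-01T10:09:00|FS02|python.exe|C:\\Windows\\Temp\\rar.exe a -m0 "D:\\Backups\\logs.rar" "D:\\Backups\\*.log"
2021-11-01T11:15:27|WS03|powershell.exe|rar.exe a -df "C:\\Users\\bob\\Documents\\notes.txt.vaultz" "C:\\Users\\bob\\Documents\\notes.txt"
"""

ARCHIVERS = {"rar.exe", "winrar.exe"}
PASSWORD_SWITCHES = ("-p", "-hp")   # -p<pw> encrypts file data, -hp<pw> also encrypts headers
DELETE_SWITCHES = ("-df", "-dw")    # delete / wipe the source files after archiving
NORMAL_EXTS = {".rar", ".zip", ".7z"}  # anything else (e.g. .vaultz) is treated as suspicious


@dataclass
class Finding:
    timestamp: str
    host: str
    parent: str
    archive: str
    indicators: tuple
    severity: str


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze_event(line):
    """Return a Finding for a suspicious archiver invocation, or None for benign/irrelevant events."""
    timestamp, host, parent, cmdline = line.split("|", 3)
    tokens = tokenize(cmdline)
    if len(tokens) < 3 or tokens[0].rsplit("\\", 1)[-1].lower() not in ARCHIVERS:
        return None
    if tokens[1].lower() != "a":          # only 'add to archive' commands matter here
        return None
    switches = [t.lower() for t in tokens[2:] if t.startswith("-")]
    operands = [t for t in tokens[2:] if not t.startswith("-")]
    if not operands:
        return None
    archive = operands[0]
    ext = ("." + archive.rsplit(".", 1)[-1].lower()) if "." in archive else ""

    has_password = any(s.startswith(PASSWORD_SWITCHES) for s in switches)
    deletes_source = any(s.startswith(DELETE_SWITCHES) for s in switches)
    indicators = []
    if has_password:
        indicators.append("password-protected archive")
    if deletes_source:
        indicators.append("originals deleted after archiving")
    if ext not in NORMAL_EXTS:
        indicators.append("unusual archive extension " + ext)
    if not indicators:
        return None
    if parent.lower() in {"cmd.exe", "powershell.exe", "python.exe", "wscript.exe"}:
        indicators.append("launched by " + parent)  # scripted, not interactive, use
    severity = "high" if (has_password and deletes_source) else "medium"
    return Finding(timestamp, host, parent, archive, tuple(indicators), severity)


def hunt(events):
    """Run analyze_event over every line and return the findings in log order."""
    return [f for f in (analyze_event(l) for l in events.splitlines() if l.strip()) if f]


def hosts_to_isolate(findings, threshold=2):
    """Hosts with repeated high-severity hits: a burst of archive-and-delete is the ransom pattern."""
    counts = Counter(f.host for f in findings if f.severity == "high")
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.severity:6} {f.host} {f.archive} <- {', '.join(f.indicators)}")
    print("isolate:", hosts_to_isolate(found))
```

In a real deployment the same logic would sit on Sysmon or EDR process-creation events rather than a string; the point of the example is that the telltale signs are all in the archiver's command line, not in file entropy or write patterns, which is why in-place encryption heuristics miss this variant.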


The ransom note that is dropped demands the victim pay 15.95 BTC ($940,000) for complete recovery or 0.099 BTC ($5,850) per file.