Ransomware actors have found a cunning way to bypass your endpoint protection
Attack was made possible because the victim failed to patch servers in time
Cybersecurity researchers have uncovered a new ransomware group which, after failing to encrypt its victim’s files directly, copied them into a password-protected archive, encrypted the password, and deleted the original files.
Sharing insights into the threat actor, which identifies itself as “Memento Team,” Sean Gallagher from the Sophos MTR’s Rapid Response Team writes that the operators use a renamed freeware version of the legitimate file compression utility WinRAR.
“This was a retooling by the ransomware actors, who initially attempted to encrypt files directly—but were stopped by endpoint protection. After failing on the first attempt, they changed tactics, and re-deployed,” notes Gallagher.
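The technique described above, a legitimate archiver renamed on disk, driven with a password, and used to remove the originals, is exactly the kind of activity that signature-based file encryption detection misses. The following is an added example, not code from Sophos or from the article, of a heuristic that runs over process-creation telemetry (Sysmon Event ID 1 style fields) to flag it. The sample events, the renamed binary name `svchost32.exe`, and the specific WinRAR switches the actors used are assumptions; the page only states that a renamed WinRAR produced password-protected archives and that the originals were deleted. The `-p`/`-hp` (password) and `-df` (delete after archiving) switches are real WinRAR options.

```python
"""Heuristic detection of 'archive-and-delete' ransomware staging with a renamed
archiver, run over constructed process-creation events (Sysmon Event ID 1 style).

Added example, not Sophos's or the article's code. Field names, the renamed
binary name, and the exact WinRAR switches used by the actors are assumptions;
the page only states that a renamed WinRAR created password-protected archives
and the originals were deleted.
"""
import re
from dataclasses import dataclass

# Version-resource names WinRAR ships with (real values); matched against
# Sysmon's OriginalFileName so renaming the on-disk file does not help.
ARCHIVER_ORIGINAL_NAMES = {"winrar.exe", "rar.exe"}

# Real WinRAR/RAR command-line switches:
#   -p<pwd> / -hp<pwd>  set archive password (-hp also encrypts headers)
#   -df                 delete files after archiving
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-h?p\S+", re.IGNORECASE)
DELETE_SWITCH = re.compile(r"(?:^|\s)-df(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    reasons: list


def image_basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_event(event: dict) -> list:
    """Return the list of suspicious traits found in one process-creation event."""
    reasons = []
    original = event.get("OriginalFileName", "").lower()
    if original not in ARCHIVER_ORIGINAL_NAMES:
        return reasons  # not WinRAR/RAR at all
    cmd = event.get("CommandLine", "")
    if image_basename(event.get("Image", "")) != original:
        reasons.append("archiver binary renamed on disk")
    if PASSWORD_SWITCH.search(cmd):
        reasons.append("password-protected archive (-p/-hp)")
    if DELETE_SWITCH.search(cmd):
        reasons.append("source files deleted after archiving (-df)")
    return reasons


def detect(events) -> list:
    """Flag events showing at least two traits; a lone password switch is normal admin use."""
    findings = []
    for ev in events:
        reasons = classify_event(ev)
        if len(reasons) >= 2:
            findings.append(Finding(image=ev["Image"], reasons=reasons))
    return findings


# Constructed sample events (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {   # benign: an admin archives logs with a password using the real binary
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "OriginalFileName": "WinRAR.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -pS3cret logs.rar C:\logs\*',
    },
    {   # suspicious: renamed copy (assumed name), password + header encryption, originals deleted
        "Image": r"C:\Windows\Temp\svchost32.exe",
        "OriginalFileName": "WinRAR.exe",
        "CommandLine": r"svchost32.exe a -r -hpXyZ -df D:\share\finance.rar D:\share\finance\*",
    },
    {   # unrelated process
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.image, "->", "; ".join(f.reasons))
```

Keying on `OriginalFileName` rather than the on-disk image name is the point: the rename defeats a rule that only looks for `WinRAR.exe`, but the version resource inside the binary survives the rename. Requiring two traits keeps an ordinary password-protected backup from paging the on-call analyst.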
After encrypting the files, the gang demanded $1 million to restore the files, and as is common among ransomware operators, threatened to expose the victim’s data if they refused to pay the ransom.
Off the beaten track
The researchers believe the threat actors first broke into their victim’s network by exploiting a flaw in the VMware vCenter Server web client, sometime between April and May.
They then waited until October to deploy their ransomware. Interestingly, Sophos notes that while the Memento Team was pondering its next move, at least two different intruders exploited the same vCenter vulnerability to drop cryptominers onto the compromised server.
As for the Memento Team’s ransomware itself, Gallagher notes that it was written in Python 3.9 and compiled with PyInstaller. While they were unable to decompile it completely, the researchers were able to decode enough of the code to understand how it worked.
The attackers also deployed an open source Python-based keylogger on several machines as they moved laterally within the network over Remote Desktop Protocol (RDP).
Sophos adds that the attackers’ ransom note takes inspiration from the one used by REvil, and asks the victims to get in touch via the Telegram messenger. All of it came to naught as the victim refused to engage with the threat actors and recovered most of their data thanks to backups.
However, Sophos adds that the attack once again highlights the fact that threat actors are always looking to exploit any laxity shown by admins to patch their servers.
“At the time of the initial compromise, the vCenter vulnerability had been public for nearly two months, and it remained exploitable up to the day the server was encrypted by the ransomware attackers,” notes Sophos, underlining the importance of applying security patches without delay.
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.