“Being able to detect ransomware and attempted encryption is vital, but it is also important to have security technologies that can alert IT managers to other, unexpected, activity, such as lateral movement.” The Memento attack is a good example of this, and it serves as a critical reminder to use defence-in-depth security. “If they can make it into a target’s network, they won’t want to leave empty-handed. “Attackers seize opportunities when they find them or make mistakes, and then change tactics ‘on the fly’,” he said. Sean Gallagher, senior threat researcher at Sophos, said the emergence of Memento demonstrates how human-led ransomware attacks are rarely clear-cut and linear, but can quickly evolve to account for specific circumstances.
They then demanded a $1m bitcoin ransom, although the victim had fortunately kept on top of their security and was able to recover without paying. This time, they copied unencrypted files into a password-protected archive using a renamed free version of WinRAR, before encrypting the password and deleting the original files. In response, they shifted tack, retooled Memento and redeployed it. So far, so normal.īut at this point, the cyber criminals hit an issue – their attempt to directly encrypt the victim’s files was blocked by security tools. On 20 October 2021, Memento used the WinRAR tool to compress and exfiltrate the victim’s data via RDP, before deploying the ransomware itself on 23 October. Credentials were harvested with Mimikatz. They then spent several months lying low, using remote desktop protocol (RDP), NMAP network scanner, Advanced Port Scanner and Plink secure shell (SSH) tunneling to connect to the compromised server. Memento’s operators gained access to the target network as long ago as April by exploiting an unpatched vulnerability in VMware vSphere. The Python-coded ransomware was observed by Sophos incident responders, who engaged with a victim earlier this autumn.
0 kommentar(er)
