Memento is a relatively new actor on the ransomware landscape. The group emerged in October 2021, when it began targeting organizations running unpatched VMware vCenter Server web clients. As its initial access vector, the group exploited a critical vCenter vulnerability, tracked as CVE-2021-21971, that allows an attacker to execute commands remotely on the operating system of the vCenter host. VMware released a patch for this flaw back in February 2021, but the Memento campaign demonstrated that plenty of organizations still had not applied it and remained exposed.
After gaining access to the victim's network, the attackers moved into a reconnaissance phase. This involved obtaining administrator credentials from the compromised server, establishing persistence through scheduled tasks, and moving laterally across the network using RDP (Remote Desktop Protocol) tunneled over SSH. Data of interest was archived with WinRAR and then exfiltrated.
To cover their tracks, the Memento operators used Jetico's BCWipe utility to wipe evidence of their activity. The final step was the deployment of a Python-based ransomware payload that encrypts files with the AES algorithm. Here, however, the attackers ran into a major obstacle: the security software on the victims' machines detected the encryption process and blocked it before it could cause any damage.
Doubling Down on WinRAR
The Memento operators did not give up; instead, they switched to an unusual workaround. They dropped the encryption routine entirely and reworked the payload so that it takes each of the victim's files, places it in its own WinRAR archive with a '.vaultz' extension, and locks that archive with a sufficiently strong password. A fresh password is generated for every file as it is archived, and the passwords are then encrypted so that only the attackers can recover them. The original files outside the WinRAR archives are deleted. The net effect is the same as conventional file encryption, since the data cannot be read without a key the attackers hold, but no ransomware-style encryption routine ever runs for security software to flag; the archiver does the work.
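For defenders, the practical consequence is that the archiving itself becomes the signal to hunt for. The script below is an added example, not code from this page or from the Memento operators: it runs a simple hunt over process-creation telemetry and flags a RAR command-line archiver launched with a password given inline, with the delete-after-archive switch, or with a '.vaultz' output name, and separately flags any parent process that spawns the archiver in a burst, which is what one-archive-per-file behaviour looks like. The event schema, host names, thresholds and command lines are constructed for the example; the RAR switches it looks for (-p<pwd>, -hp<pwd>, -df, -dw) are real RAR switches.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical telemetry schema: one dict per process-creation event with the
# fields ts (datetime), host, ppid (parent PID), image (full path) and cmdline.
ARCHIVER_IMAGES = {"rar.exe", "winrar.exe"}
DELETE_SWITCHES = {"-df", "-dw"}      # real RAR switches: delete / wipe sources after archiving
SUSPICIOUS_EXT = ".vaultz"            # extension used by the reworked Memento payload
BURST_THRESHOLD = 20                  # archiver launches from one parent (assumed threshold)
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window (assumed window)


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(event):
    return event["image"].rsplit("\\", 1)[-1].lower()


def classify(event):
    """Reasons a single archiver launch matches the archive-as-encryption pattern."""
    reasons = []
    if image_name(event) not in ARCHIVER_IMAGES:
        return reasons
    tokens = tokenize(event["cmdline"])
    switches = [t.lower() for t in tokens if t.startswith("-")]
    # A bare -p makes RAR prompt for a password; -p<pwd> / -hp<pwd> supply it inline,
    # which is what a script producing one archive per file has to do.
    if any((s.startswith("-hp") and len(s) > 3) or
           (s.startswith("-p") and len(s) > 2) for s in switches):
        reasons.append("password supplied on the command line")
    if DELETE_SWITCHES & set(switches):
        reasons.append("source files deleted after archiving")
    if any(t.lower().endswith(SUSPICIOUS_EXT) for t in tokens):
        reasons.append(f"archive written with {SUSPICIOUS_EXT} extension")
    return reasons


def find_bursts(events):
    """Parents that launch the archiver >= BURST_THRESHOLD times inside BURST_WINDOW.

    Returns {(host, ppid): peak number of launches seen within one window}.
    """
    stamps_by_parent = defaultdict(list)
    for e in events:
        if image_name(e) in ARCHIVER_IMAGES:
            stamps_by_parent[(e["host"], e["ppid"])].append(e["ts"])
    bursts = {}
    for key, stamps in stamps_by_parent.items():
        stamps.sort()
        lo, peak = 0, 0
        for hi, ts in enumerate(stamps):      # sliding window over sorted timestamps
            while ts - stamps[lo] > BURST_WINDOW:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= BURST_THRESHOLD:
            bursts[key] = peak
    return bursts


def hunt(events):
    """Return [(event, reasons)] for every archiver launch that looks suspicious."""
    bursts = find_bursts(events)
    hits = []
    for e in events:
        reasons = classify(e)
        key = (e["host"], e["ppid"])
        if key in bursts and image_name(e) in ARCHIVER_IMAGES:
            reasons.append(f"{bursts[key]} archiver launches from one parent within "
                           f"{int(BURST_WINDOW.total_seconds())}s")
        if reasons:
            hits.append((e, reasons))
    return hits


def sample_events():
    """Constructed sample telemetry: one benign backup plus a simulated per-file archiving run."""
    base = datetime(2021, 11, 1, 3, 14, 0)
    rar = r"C:\Program Files\WinRAR\Rar.exe"
    events = [{
        # Benign: an admin archives a share and lets RAR prompt for the password.
        "ts": base, "host": "fs01", "ppid": 4000, "image": rar,
        "cmdline": r'Rar.exe a -p -m5 D:\backup\shares.rar E:\shares',
    }]
    for i in range(25):
        # Malicious pattern: one archive per file, inline password, originals deleted,
        # .vaultz output, 25 launches in 25 seconds from the same parent process.
        events.append({
            "ts": base + timedelta(seconds=i), "host": "fs01", "ppid": 5120, "image": rar,
            "cmdline": rf'Rar.exe a -hpK{i:03d}x -df "E:\shares\doc{i}.docx.vaultz" "E:\shares\doc{i}.docx"',
        })
    return events


if __name__ == "__main__":
    for event, reasons in hunt(sample_events())[:3]:
        print(event["ts"], event["cmdline"])
        for r in reasons:
            print("   -", r)
```

In practice the events would come from an EDR or Sysmon process-creation feed rather than the constructed list. The burst check is deliberately independent of the command-line checks: a variant that renamed its output extension or dropped the delete switch would still trip it, while the benign single backup with an interactive password prompt does not.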
According to the ransom notes dropped on compromised systems, Memento demands 15.95 BTC (Bitcoin) to unlock all affected files, or 0.099 BTC per file. At the Bitcoin exchange rate at the time, those amounts came to roughly $920,000 and $5,700 respectively.