A newly discovered threat group that calls itself Memento Team quickly switched tactics when its ransomware was thwarted by endpoint protection: It locked files in a password-protected archive and threatened to expose the data if the victim did not pay a ransom. Researchers with Sophos, who observed the attack, pointed to the incident as an example of how ransomware groups are getting better at changing their tactics on the fly.
As ransomware attacks against enterprise and critical infrastructure organizations continue to spiral, the operators behind these attacks are constantly adapting, with tactics like double (or triple) extortion to put pressure on victims, or the use of cryptomixers to obfuscate the origin of their earnings. Sean Gallagher, senior threat researcher at Sophos, said researchers have also seen attackers deploy an entire virtual machine to victims' networks to disguise their ransomware after it was blocked.
“Human-led ransomware attacks in the real world are rarely clear cut and linear,” said Gallagher. “Being able to detect ransomware and attempted encryption is vital, but it’s also important to have security technologies that can alert IT managers to other, unexpected, activity such as lateral movement.”
Gallagher said this is the first time researchers have encountered Memento Team - though that doesn’t mean they’re new to cybercrime, as they may have previously worked as an affiliate of other ransomware gangs.
The attackers first accessed the victim’s network by exploiting a (now patched) remote code execution flaw (CVE-2021-21972) in VMware’s vCenter Server web client, which enables bad actors with network access to port 443 to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. Gallagher said this particular company had a misconfigured firewall, meaning that vCenter Server was exposed on the Internet on that port. The first hints of access traced back to mid-April, and in May the attackers dropped a variety of tools - including a remote shell tool and a hash dumping tool (likely used to collect credentials for accounts) - onto a Windows server. The attackers then lay low for six months before dropping the ransomware in October.
Gallagher said that he believes the long dwell time here was partly due to the cybercriminals not having ransomware ready to drop at the time of initial compromise.
“By keeping a low profile, modifying timestamps on files and wiping logs of telltale signs of compromise, they were able to evade detection for an extremely long time and fully explore the network,” he said. “The extent to which RDP services were enabled throughout the network made hands-on-keyboard lateral movement throughout the network much easier, further reducing the signature of their intrusion.”
During this time, the vCenter vulnerability continued to make the victim detectable to other attackers who were scanning the Internet - in fact, two separate actors launched cryptocurrency mining malware attacks on the victim’s network, including one on May 18 and one on Sept. 8.
In October, Memento Team finally deployed the ransomware, RuntimeBroker.exe, an executable compiled from Python 3.9 that used the legitimate WinRAR file archive utility to archive files and then attempted to encrypt them. However, when it was blocked by endpoint protection, the attackers re-deployed their ransomware. This time, the ransomware used WinRAR to copy files into password-protected archives, before encrypting the password and deleting the original files. The attackers then dropped a ransom note, Hello Message.txt, for the victim.
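Because the second attempt relied on a legitimate archiver rather than in-place encryption, the behaviour to watch for is a burst of password-protected archive jobs spawned by one process. The following is an added detection sketch, not code from Sophos or from the incident: the event field names, hosts, paths, threshold and window are assumptions, the switches are WinRAR's documented `-p`/`-hp`/`-df`/`-dw` options, and the article does not say which switches the ransomware actually passed.

```python
import re
from collections import defaultdict

ARCHIVERS = {"rar.exe", "winrar.exe"}  # WinRAR console and GUI binaries

def password_archive(cmdline):
    """Return {'deletes': bool} for a password-protected add/move job, else None."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    if not toks:
        return None
    image = toks[0].rsplit("\\", 1)[-1].lower()
    args = [t.lower() for t in toks[1:]]
    if image not in ARCHIVERS or not args or args[0] not in ("a", "m"):
        return None
    switches = [a for a in args[1:] if a.startswith("-")]
    # -p<pwd> / -hp<pwd> set a password; "-p-" means "do not query password".
    if not any(s.startswith(("-p", "-hp")) and s != "-p-" for s in switches):
        return None
    # "m" moves files into the archive; -df / -dw delete or wipe the originals.
    return {"deletes": args[0] == "m" or any(s in ("-df", "-dw") for s in switches)}

def flag_bulk_archiving(events, threshold=3, window=60):
    """Alert when one parent on one host starts >= threshold such jobs in `window` s."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        info = password_archive(e["cmdline"])
        if info:
            hits[(e["host"], e["parent"].lower())].append((e["ts"], info["deletes"]))
    alerts = []
    for (host, parent), seen in hits.items():
        for i, (start, _) in enumerate(seen):
            burst = [d for ts, d in seen[i:] if ts - start <= window]
            if len(burst) >= threshold:
                alerts.append({"host": host, "parent": parent,
                               "count": len(burst), "deletes_originals": any(burst)})
                break
    return alerts

# Constructed process-creation events (hypothetical hosts and paths, not incident data).
RAR = r'"C:\Program Files\WinRAR\Rar.exe"'
PARENT = r"C:\Temp\sample_parent.exe"
SAMPLE_EVENTS = [
    dict(ts=0, host="FILESRV01", parent=PARENT, cmdline=RAR + r" a -hpEXAMPLE -df D:\s\a.rar D:\s\a.docx"),
    dict(ts=5, host="FILESRV01", parent=PARENT, cmdline=RAR + r" a -hpEXAMPLE -df D:\s\b.rar D:\s\b.xlsx"),
    dict(ts=9, host="FILESRV01", parent=PARENT, cmdline=RAR + r" a -hpEXAMPLE -df D:\s\c.rar D:\s\c.pdf"),
    dict(ts=20, host="WKSTN07", parent=r"C:\Windows\explorer.exe", cmdline=RAR + r" a -pEXAMPLE C:\u\b.rar C:\u\docs"),
    dict(ts=30, host="FILESRV01", parent=PARENT, cmdline=RAR + r" a D:\s\d.rar D:\s\d.txt"),
]
print(flag_bulk_archiving(SAMPLE_EVENTS))
```

A single password-protected archive started from a user's desktop session stays below the threshold, so the rule keys on volume per parent process rather than on the password switch alone.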
“We know of a few previous incidents where archiving tools were used by ransomware operators, but this particular combination and the way they shifted tactics in midstream is interesting if not completely novel,” said Gallagher. “They then demanded $1 million US to restore the files, and threatened data exposure if the victim did not comply.”
Ultimately, this extra step did not pay off for attackers: The victim did not pay the ransom, because they had backups in place and were able to restore most of their data. However, attackers still have that exfiltrated data, which may have long-term ramifications for the victim company. While backups are important, Gallagher said the incident shows the urgency of applying vendor security patches - at the time of compromise, the vCenter flaw had been public for nearly two months, and it remained open up until the server was encrypted by the ransomware attackers.
“This attack is just one of several we’ve recently seen where a relatively recently published vulnerability in an Internet-facing server was exploited to gain access,” he said. “Sometimes these attacks are enabled by access brokers who actively scan the Internet for systems with vulnerabilities and sell off connections to the ones they gain a foothold on.”