Memento Team relocates files to WinRAR archives to circumvent endpoint protection

A new Python-based ransomware group, "Memento Team", takes a unique approach to ransomware operations by moving files to password-protected archives instead of ...

19-Nov-2021
3 min read

Cybersecurity firm Sophos published a report on a new Python-based ransomware dubbed "Memento Team". In October, the actors attempted to encrypt files but were stopped by endpoint protection; following that failure, they switched to a unique tactic. Memento operators copied the files into password-protected archives using a freeware version of WinRAR. The files were encrypted after being moved into the archives, and the original documents were deleted.

Ransom note

A text file named Hello.txt is dropped after the files are archived. Its wording shares some similarities with REvil gang ransom notes. Memento demanded payment only in Bitcoin: 15.95 BTC, approximately $1 million, to decrypt all the files.

[Figure: Memento ransom note]

Initial Infection

The actors leveraged a flaw in the web client of VMware vCenter Server that allowed anyone with access to port 443 over TCP/IP to execute commands remotely. The vCenter Server's firewall was misconfigured and its malware protection was outdated; the port was exposed to the internet with no endpoint detection and response in place.


On May 4, 2021, researchers observed the first concrete signs of intrusion, when the group dropped two tools.

  • wmiexec: Remote shell tool that executes commands via Windows Management Instrumentation.
  • secretsdump: Hash dumping tool dropped onto the Windows server to acquire credentials.

The first command they executed was a PowerShell command that disables malware scanning. They then used PowerShell web requests to pull down files, including a command-line version of WinRAR, and archived the compromised data on the server.

powershell Set-MpPreference -DisableRealtimeMonitoring $true

The extracted RAR archive contained pl.exe, the Plink SSH tunnelling tool, used to connect to a South Korean IP address, 27[.]102[.]66[.]114. Persistence was established with a batch file, wincert.bat. Mimikatz and secretsdump were used to move laterally through the network.
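Two of the behaviours described above leave recognisable traces in process-creation telemetry: the PowerShell command that turns off Defender real-time monitoring, and command-line WinRAR building password-protected archives. The following is an added example, not code from Sophos or from this article, of a small detector run over constructed Sysmon-style (Event ID 1) events. The field names Image, CommandLine and OriginalFileName follow Sysmon's schema; the events, paths, password and IP address are made up, and the Plink OriginalFileName value is an assumption used only to illustrate the renamed-binary check.

```python
"""Added example: flag Defender tampering, password-protected RAR archiving
and a renamed Plink binary in constructed Sysmon-style process events."""

import json
import re
from pathlib import PureWindowsPath

# Constructed sample events, one JSON object per line (Sysmon Event ID 1 shape).
# Paths, the archive password, the user name and 203.0.113.10 are all made up.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true", "OriginalFileName": "PowerShell.EXE"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell Get-MpPreference", "OriginalFileName": "PowerShell.EXE"}
{"Image": "C:\\Users\\Public\\rar.exe", "CommandLine": "rar.exe a -hpEXAMPLE -df C:\\Users\\Public\\out.rar C:\\Shares\\Finance\\*.xlsx", "OriginalFileName": "Rar.exe"}
{"Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "CommandLine": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" x backup.rar", "OriginalFileName": "WinRAR.exe"}
{"Image": "C:\\Users\\Public\\pl.exe", "CommandLine": "pl.exe user@203.0.113.10", "OriginalFileName": "plink.exe"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir", "OriginalFileName": "Cmd.Exe"}
'''

# Set-MpPreference with real-time monitoring switched off ($true or 1).
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\b.*?-DisableRealtimeMonitoring[\s:]+(\$true|1)\b",
    re.IGNORECASE,
)
# Rar.exe command-line switches: -p<pwd> sets a password, -hp<pwd> also
# encrypts headers, -df deletes the source files after archiving.
RAR_ADD_COMMAND = re.compile(r"(?:^|\s)a(?:\s|$)")   # the 'a' (add) command
RAR_PASSWORD_SWITCH = re.compile(r"(?:^|\s)-h?p\S+", re.IGNORECASE)
RAR_DELETE_SWITCH = re.compile(r"(?:^|\s)-df\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path, with any quoting removed."""
    return PureWindowsPath(path.strip('"')).name.lower()


def check_event(event):
    """Return the list of rule names that fire on one process-creation event."""
    findings = []
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    original = event.get("OriginalFileName", "").lower()

    # Rule 1: PowerShell disabling Defender real-time monitoring.
    if image in ("powershell.exe", "pwsh.exe") and DEFENDER_TAMPER.search(cmd):
        findings.append("defender_realtime_disabled")

    # Rule 2: WinRAR (by PE OriginalFileName, so a renamed copy still matches)
    # adding files to a password-protected archive; -df is the staging-and-
    # delete pattern the article describes.
    if (original in ("rar.exe", "winrar.exe")
            and RAR_ADD_COMMAND.search(cmd)
            and RAR_PASSWORD_SWITCH.search(cmd)):
        findings.append("rar_password_archive")
        if RAR_DELETE_SWITCH.search(cmd):
            findings.append("rar_deletes_sources")

    # Rule 3: Plink running under a different file name (pl.exe in the report).
    if original.startswith("plink") and image != "plink.exe":
        findings.append("renamed_plink")

    return findings


def scan(jsonl):
    """Scan JSON-lines events; return (image basename, findings) per hit."""
    results = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = check_event(event)
        if hits:
            results.append((basename(event["Image"]), hits))
    return results


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

Keying the WinRAR rule on OriginalFileName rather than the on-disk name is what makes it survive a renamed copy of rar.exe. The PowerShell regex is a starting point only: PowerShell accepts unambiguous parameter prefixes and Base64-encoded commands, so pairing it with Defender's own operational log, which records Event ID 5001 when real-time protection is turned off, gives a higher-fidelity signal.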

Attack Flow and Timeline

  • October 1: Dropped a copy of Process Hacker, an administrative tool, onto the server and configured its kernel driver as a service for persistence.
  • October 20: Started using WinRAR to compress files and moved them to a directory accessible via RDP.
  • October 22: Data collection complete; the actors started wiping evidence of the archived files.
  • October 23: Executed the first iteration of the ransomware.

[Figure: attack flow and timeline]

Demon function: The Demon class, imported from the module morph.pyc, holds the global variables used by the ransomware. It generates a unique ID for the system based on its IP address. Files are encrypted using AES, and an RSA-encrypted password is generated for each file.

# Launcher as recovered from the sample: the Demon class lives in morph.pyc.
from morph import Demon

def main():
    demon = Demon()
    # Called through the class rather than the instance, as in the sample.
    Demon.start(demon)

if __name__ == '__main__':
    main()

Due to effective backups, targeted organizations could restore the majority of their data, but exfiltrated data could cause consequences for the company. "By keeping a low profile, modifying timestamps on files, and wiping logs of telltale signs of compromise, they were able to evade detection for a highly long time and fully explore the network," said Sean Gallager, Threat Researcher at Sophos.