<h1>Advance Memento Ransomware Switches to WinRar after Declining at Encryption</h1>

<p>Published 2021-11-19 by Xiarch Security (Xiarch Solutions Private Limited). Category: Vulnerabilities.</p>

<p>A new ransomware group called Memento has taken the unusual approach of locking files inside password-protected archives after its encryption routine kept being detected by security software. The group became active last month, when it began exploiting a VMware vCenter Server web client bug for initial access to victims' networks. The vCenter vulnerability is tracked as CVE-2021-21971 and is an unauthenticated remote code execution flaw with a critical severity rating of 9.8.</p>

<p>This bug permits anyone with remote access to TCP/IP port 443 on an exposed vCenter server to run commands on the underlying operating system with administrative privileges. A patch for this bug came out in February, but as Memento's operation shows, a number of organizations still have not patched their installations.</p>

<p>Memento has been exploiting this vulnerability since April; in May, a different actor was spotted exploiting it to install XMR cryptocurrency miners via PowerShell commands.</p>

<h2>Exploiting vCenter to deploy ransomware</h2>

<p>Memento launched its ransomware operation last month, when it began exploiting vCenter to extract administrative credentials from the target server, establish persistence through scheduled tasks, and then use RDP over SSH to move laterally within the network.</p>

<p>After the reconnaissance stage, the actors used WinRAR to create an archive of the stolen files and exfiltrate it.</p>

<figure><img src="https://xiarch.com/blog/wp-content/uploads/2021/11/Advance-Memento-Ransomware-Switches-to-WinRar-after-Declining-at-Encryption-image1.png" alt="Advance-Memento-Ransomware-Switches-to-WinRar-after-Declining-at-Encryption-image1" width="623" height="467"></figure>

<p>Finally, they used Jetico's BCWipe data wiping utility to delete any traces left behind and then ran a Python-based ransomware strain for the AES encryption. However, Memento's original attempts at encrypting files failed because the systems had anti-ransomware protection, which detected and stopped the encryption step before any damage was done.</p>

<h2>What is the Workaround?</h2>

<p>To get around the detection of commodity ransomware by security software, Memento came up with an interesting tactic: skip encryption altogether and move the files into password-protected archives.</p>

<p>To do this, the group now moves files into WinRAR archives, sets a strong password for access protection, encrypts that key, and finally deletes the original files. "Instead of encrypting files, the 'crypt' code now puts the files in unencrypted form into archive files, using the copy of WinRAR, saving each file in its own archive with a .vaultz file extension," explains Sophos analyst Sean Gallagher.</p>

<figure><img src="https://xiarch.com/blog/wp-content/uploads/2021/11/Advance-Memento-Ransomware-Switches-to-WinRar-after-Declining-at-Encryption-image2.png" alt="Advance-Memento-Ransomware-Switches-to-WinRar-after-Declining-at-Encryption-image2" width="621" height="612"></figure>

<p>In the cases that Sophos investigated, these extortion attempts have not led to a ransom payment, as the victims used their backups to restore the files. However, Memento is a new group that has just found an atypical approach that works, so it will likely try it against other organizations.</p>

<p>As such, if you are using VMware vCenter Server and/or Cloud Foundation, make sure to update to the latest available version to resolve the known vulnerabilities.</p>