Ransomware actors have found a cunning way to bypass your endpoint protection
Date:
Fri, 19 Nov 2021 12:04:50 +0000
Description:
After their scheme was caught by endpoint protection tools, new ransomware operator used a Python script to move files to an encrypted archive.
FULL STORY ======================================================================
Cybersecurity researchers have uncovered a new ransomware group, which after failing to directly encrypt their victims files, copied them into a password-protected archive, before encrypting the password, and deleting the original files.
Sharing insights into the threat actor, which identifies itself as Memento Team, Sean Gallagher from the Sophos MTRs Rapid Response Team writes that the operators use a renamed freeware version of the legitimate file compression utility WinRAR .
This was a retooling by the ransomware actors, who initially attempted to encrypt files directlybut were stopped by endpoint protection . After failing on the first attempt, they changed tactics, and re-deployed, notes Gallagher. TechRadar needs you!
We're looking at how our readers use VPNs with streaming sites like Netflix
so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
Click here to start the survey in a new window <<
After encrypting the files, the gang demanded $1 million to restore the
files, and as is common among ransomware operators, threatened to expose the victims data if they refused to pay the ransom. Off the beaten track
The researchers believe the threat actors first broke into their victims network by exploiting a flaw in the VMwares vCenter Server web client , sometime between April and May.
They then waited till October to deploy their ransomware. Interestingly, Sophos notes that while the Memento Team were pondering about their next
move, at least two different intruders exploited the same vCenter vulnerability to drop cryptominers into the compromised server.
As for the Memento Teams ransomware itself, Gallagher notes that it was written in Python 3.9 and compiled with PyInstaller . While they were unable to decompile it completely, the researchers were able to decode enough of the code to understand how it worked.
Furthermore, the attackers also deployed an open source Python-based
keylogger on several machines, as they moved laterally within the network
with the help of Remote Desktop Protocol (RDP).
Sophos adds that the attackers ransom note takes inspiration from the one
used by REvil, and asks the victims to get in touch via the Telegram messenger. All of it came to naught as the victim refused to engage with the threat actors and recovered most of their data thanks to backups .
However, Sophos adds that the attack once again highlights the fact that threat actors are always looking to exploit any laxity shown by admins to patch their servers.
At the time of the initial compromise, the vCenter vulnerability had been public for nearly two months, and it remained exploitable up to the day the server was encrypted by the ransomware attackers, notes Sophos, in its effort to impress upon the importance of applying security patches without delay.
Ensure your systems remain secure and updated using one of these best patch management tools
======================================================================
Link to news story:
https://www.techradar.com/news/ransomware-actors-have-found-a-cunning-way-to-b ypass-your-endpoint-protection/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)