Sophos discovers new ransomware Memento: it locks files in a password-protected archive if it cannot encrypt the data. Forensic analysis by SophosLabs provides detailed insights into the new approach.
Sophos has released details of a new ransomware from a group called Memento. The study "New Ransomware Actor Uses Password Protected Archives to Bypass Encryption Protection" describes an attack in which the Memento ransomware, unable to encrypt the target data, locks the files in a password-protected archive instead.
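As an added, defender-side illustration (not code from the Sophos report), the following Python triages constructed process-creation events for archiver runs that create password-protected archives, the activity this encryption fallback depends on. The log format, field names, user names and paths are assumptions; the RAR switches referenced in the comments are standard WinRAR options.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not from the Sophos report).
# Each line is "timestamp|user|image|command_line"; the password is a placeholder.
SAMPLE_EVENTS = """\
2021-10-20T09:12:01|svc_backup|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\notes.txt
2021-10-20T09:15:44|svc_backup|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe a -hpPLACEHOLDER -r D:\\out\\share.rar D:\\Finance\\*
2021-10-20T09:16:02|svc_backup|C:\\Program Files\\WinRAR\\Rar.exe|Rar.exe a -pPLACEHOLDER -df E:\\acct.rar E:\\Accounting\\*
2021-10-20T09:20:10|alice|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe x C:\\Users\\alice\\Downloads\\report.rar
"""

ARCHIVERS = {"winrar.exe", "rar.exe"}
# WinRAR switches: -p<pwd> sets an archive password, -hp<pwd> additionally encrypts
# file names, -df deletes the source files after archiving. A password switch combined
# with -df is the closest telemetry match for "files locked inside an archive".
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.IGNORECASE)
DELETE_SWITCH = re.compile(r"(?:^|\s)-df(?:\s|$)", re.IGNORECASE)
ADD_COMMAND = re.compile(r"^\S+\s+a\s", re.IGNORECASE)  # "a" = add files to archive

@dataclass
class Finding:
    timestamp: str
    user: str
    severity: str
    reason: str

def triage_event(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious archiver invocation, else None."""
    ts, user, image, cmd = line.split("|", 3)
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe not in ARCHIVERS or not ADD_COMMAND.search(cmd):
        return None  # not an archive-creation run by a known archiver
    if not PASSWORD_SWITCH.search(cmd):
        return None  # plain archiving is routine admin activity; do not alert
    if DELETE_SWITCH.search(cmd):
        return Finding(ts, user, "high", "password-protected archive created and sources deleted")
    return Finding(ts, user, "medium", "password-protected archive created")

def triage_log(text: str) -> List[Finding]:
    """Apply triage_event to every non-empty line and keep the findings."""
    return [f for f in (triage_event(l) for l in text.splitlines() if l.strip()) if f]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.user} [{f.severity}] {f.reason}")
```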
Memento has alternative attack options
"Human-driven ransomware attacks are rarely clear-cut and linear," said Sean Gallagher, senior threat researcher at Sophos. "Attackers jump at opportunities spontaneously when they find them, or sometimes make mistakes. They then change tactics on the fly, because if they do manage to penetrate a target's network, they don't want to be left empty-handed.
"The Memento attack is a good example of this and reminds us of the importance of keeping security at all levels. In this case, after data encryption was suppressed by a security program, the attackers found another way of achieving their goal. The ability to detect and prevent ransomware and encryption attempts is of vital importance, but it is also important to have security technologies in place that can warn of other activities, such as unexpected movement and activity on the network."
SophosLabs' long-term timeline of the Memento attack
- Mid-April 2021: initial intrusion into the network
- October 20, 2021: WinRAR is used
- October 23, 2021: ransomware and "Plan B" rolled out
The cybercriminals then demanded a ransom of one million dollars in Bitcoin to restore the files. Fortunately, the attacked company was able to recover the data without the involvement of the cybercriminals.
- May 18, September 8, October 3: further intrusions by other actors, and cryptominers
"We've seen it many times before: If security gaps on the Internet are known and not patched, attackers quickly exploit them and suddenly different hacker groups are cavorting in the same network. The longer the vulnerabilities go unfixed, the more attackers will become aware of them," Gallagher said.
Important for IT security: a few pointers
This incident, in which several attackers exploited a single unpatched server exposed to the Internet, shows once again how important it is to install patches quickly and to verify the security of software supplied by third-party providers, contract developers or service providers. For more information, see the report on Memento ransomware in SophosLabs Uncut.
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.