Files Within Password-Protected WinRAR Archives Locked by New Memento Ransomware Group

The Memento ransomware group has appeared on the threat landscape. Its approach is unusual: rather than encrypting files directly, the group locks them inside password-protected WinRAR archives. It switched to this method after security software detected its earlier encryption techniques.
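As an added triage example (not code from the original post or from Sophos), the following header walk classifies a RAR5 archive as password-protected without extracting anything, which is the check an incident responder wants when many archives of this kind suddenly appear on a host. It follows the public RAR5 header layout (archive encryption header type 4, file-encryption extra record type 1); the RAR4 format is not handled, and the sample archive bytes are constructed by hand with zeroed CRCs.

```python
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ENCRYPTION_HEADER, FILE_HEADER, END_HEADER, FILE_ENCRYPTION_RECORD = 4, 2, 5, 1

def _vint(buf, pos):
    """RAR5 variable-length integer: 7 bits per byte, high bit set means more bytes."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def rar5_password_status(data: bytes) -> str:
    """Walk the header chain and classify the archive as 'headers-encrypted',
    'files-encrypted', 'plain' or 'not-rar5'. Nothing is extracted or decrypted."""
    if not data.startswith(RAR5_MAGIC):
        return "not-rar5"
    pos, encrypted = len(RAR5_MAGIC), False
    while pos + 4 < len(data):
        pos += 4                                   # header CRC32 (not verified here)
        hsize, pos = _vint(data, pos)              # counts from the type field to the end of the extra area
        body = data[pos:pos + hsize]
        htype, p = _vint(body, 0)
        hflags, p = _vint(body, p)
        extra_size = data_size = 0
        if hflags & 0x01:                          # extra area present at the tail of the header
            extra_size, p = _vint(body, p)
        if hflags & 0x02:                          # a data area follows the header
            data_size, p = _vint(body, p)
        if htype == ENCRYPTION_HEADER:             # every later header is encrypted
            return "headers-encrypted"
        if htype == FILE_HEADER and extra_size:
            area, q = body[-extra_size:], 0
            while q < len(area):                   # records: size (from type field), type, payload
                rsize, q2 = _vint(area, q)
                rtype, _ = _vint(area, q2)
                encrypted |= rtype == FILE_ENCRYPTION_RECORD
                q = q2 + rsize
        if htype == END_HEADER:
            break
        pos += hsize + data_size
    return "files-encrypted" if encrypted else "plain"

# Constructed sample, not real WinRAR output (CRCs zeroed, no packed data): main header,
# a file header for "a" whose extra area holds a file-encryption record, end header.
SAMPLE_ENCRYPTED_FILE = (RAR5_MAGIC
    + b"\0\0\0\0\x03\x01\x00\x00"
    + b"\0\0\0\0\x2f\x02\x01\x25\x00\x00\x00\x00\x00\x01a" + b"\x24\x01\x00\x00\x0f" + b"\x00" * 32
    + b"\0\0\0\0\x03\x05\x00\x00")
```

Run `rar5_password_status(open(path, "rb").read())` over archives found on a suspect host; a result of `headers-encrypted` means even the file names are unavailable without the key.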

Memento Ransomware Group: Background

Sophos researchers published a report on the group. The Memento ransomware group appears to have started its ransomware activity in October 2021. To gain initial access to targeted networks, it exploited a vulnerability in the VMware vCenter Server web client. The flaw, tracked as CVE-2021-21971, carries a severity score of 9.8 and is a remote code execution vulnerability.

Anyone with remote access to a vCenter server's TCP/IP port 443 can abuse this vulnerability to gain privileged access and execute commands on the underlying operating system. A patch was released in February, but many enterprises had not applied it.

Memento reportedly began exploiting this flaw in April and then moved on to its ransomware operation last month. They targeted vCenter and started performing a series of actions like server admin

Read More: https://heimdalsecurity.com/blog/memento-ransomware-group-winrar-archives/