New Memento ransomware switches to WinRar after failing at encryption

LASER_oneXM

Feb 4, 2016
A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software.

Last month, the group became active when they began exploiting a VMware vCenter Server web client flaw for the initial access to victims' networks.
The vCenter vulnerability is tracked as 'CVE-2021-21971' and is an unauthenticated, remote code execution bug with a 9.8 (critical) severity rating.

This flaw allows anyone with remote access to TCP/IP port 443 on an exposed vCenter server to execute commands on the underlying OS with admin privileges.
A patch for this flaw came out in February, but as indicated by Memento's operation, numerous organizations have not patched their installs.

This vulnerability has been under exploitation by Memento since April, while in May, a different actor was spotted exploiting it to install XMR miners via PowerShell commands.