NEW ransomware actor uses password-protected archives to bypass encryption protection
Calling themselves "Memento team", the actors use Python-based ransomware that they reconfigured after setbacks...
1/13
In late October, Sophos MTR’s Rapid Response Team encountered a new ransomware group with an interesting approach to holding victims’ files hostage.
The ransomware used by this group, who identify themselves as “Memento Team,” doesn’t encrypt files. 2/13
Instead, it copies files into password-protected archives, using a renamed freeware version of the legitimate file utility WinRAR—and then encrypts the password and deletes the original files. 3/13
This was a retooling by the ransomware actors, who initially attempted to encrypt files directly—but were stopped by endpoint protection. After failing on the first attempt, they changed tactics and re-deployed, as evidenced by the multiple versions of the ransomware payload, compiled at different times, found on the victim’s network. 4/13
They then demanded $1 million US to restore the files, and threatened data exposure if the victim did not comply.
There were some other twists to the “Memento” attack as well. 5/13
The ransomware itself is a Python 3.9 script compiled with PyInstaller. And in a ransom note that largely cribs the format used by REvil, the criminals behind the ransomware instructed the victims to contact them via a Telegram account. 6/13
The attackers also deployed an open-source Python-based keylogger on several machines as they moved laterally within the network using Remote Desktop Protocol. 7/13
The Memento actors also waited a long time before executing their attack—so long that at least two different cryptocurrency miners were dropped onto the server they used for initial access during the course of their dwell time by different intruders using similar exploits. 8/13
After more than 6 months of dwell time on the victim’s network, the attack was finally sprung.
Unfortunately for the Memento actors, all that extra work did not pay off as planned. The victim did not negotiate with the ransomware actors. 9/13
Thanks to backups, the targeted organization was able to restore most of its data. For systems running Intercept X, the endpoint detection and response system logged the commands the attackers used to archive files, along with the unencrypted passwords for the archived files. 10/13
SophosLabs and Sophos Rapid Response were able to recover select files for the victim and provide a method for recovering any files not backed up.
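As an added illustration of the detection and recovery point above (example code written for this page, not Sophos tooling or anything recovered from the case), this Python triage script scans constructed EDR process-creation records for WinRAR-style archive jobs run with a password switch, flags those that delete the originals or run from a renamed binary, and pulls the plaintext password out of the logged command line. It assumes the EDR exposes the image path and full command line; the `a`, `-p`, `-hp` and `-df` switches are WinRAR's own documented syntax, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

# Constructed EDR process-creation records (image path, command line); illustrative only.
SAMPLE_EVENTS = [
    ("C:\\Program Files\\WinRAR\\WinRAR.exe",
     'WinRAR.exe a -r "D:\\backup\\weekly.rar" "D:\\data\\"'),
    ("C:\\Windows\\Temp\\svc.exe",
     'svc.exe a -r -df -pHunter2024! "D:\\shares\\finance.rar" "D:\\shares\\finance\\"'),
    ("C:\\Users\\Public\\ren.exe",
     'ren.exe a -hpQwerty#99 -df "C:\\Users\\alice\\docs.rar" "C:\\Users\\alice\\Documents\\"'),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c dir"),
]

KNOWN_ARCHIVER_NAMES = {"rar.exe", "winrar.exe"}
# WinRAR attaches the password directly to -p (file data) or -hp (data + headers).
PASSWORD_SWITCH = re.compile(r"(?<!\S)-(hp|p)(\S+)")
DELETE_SWITCH = re.compile(r"(?<!\S)-df(?!\S)")   # delete originals after archiving
TOKEN = re.compile(r'"[^"]*"|\S+')                # keep quoted paths intact

@dataclass
class Finding:
    image: str
    archive: str
    password: str
    deletes_originals: bool
    renamed_binary: bool

    @property
    def suspicious(self) -> bool:
        # Password-protected archiving that also removes originals or runs from a renamed binary.
        return self.deletes_originals or self.renamed_binary

def analyse(events):
    findings = []
    for image, cmdline in events:
        tokens = TOKEN.findall(cmdline)
        # WinRAR "add" syntax: <exe> a <switches> <archive> <files...>
        if len(tokens) < 3 or tokens[1].lower() != "a":
            continue
        pw = PASSWORD_SWITCH.search(cmdline)
        if not pw:
            continue
        archive = next((t.strip('"') for t in tokens[2:] if not t.startswith("-")), "")
        exe_name = image.rsplit("\\", 1)[-1].lower()
        findings.append(Finding(image, archive, pw.group(2),
                                bool(DELETE_SWITCH.search(cmdline)),
                                exe_name not in KNOWN_ARCHIVER_NAMES))
    return findings
```

The recovered password is what lets the archived files be opened again once the attack is contained, which is why retaining full command lines in EDR telemetry matters.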
A list of the IOCs for the Memento attack and the miner attacks from this incident is available on SophosLabs’ GitHub page. 11/13
We'd like to thank Vikas Singh, Robert Weiland, Elida Leite, Kyle Link, Ratul Ghosh, Harinder Bhathal, and Sergio Bestuilic of Sophos MTR’s Rapid Response team, and Ferenc László Nagy, Rahul Dugar, Nirav Parekh, and Gabor Szappanos of SophosLabs for their contributions. 13/13
Hey everyone. @threatresearch here with a little news about how my day's been going.
Seems a lot of people are dealing with an outbreak of #BazarBackdoor that starts with an email that sounds like it's coming from someone who is annoyed you didn't report a complaint about you.
We received a LOT of samples of the same-looking email from people who, correctly, recognized this as a phishy-looking spam. The "complaint" was purportedly linked in the email to a PDF.
Narrator: It wasn't a PDF
Rather, the link leads to one of several pages hosted in Microsoft's cloud hosting space. The pages all looked like this one, with a link to download the "Preview PDF" but if you look closer at the link, you'll see it's an "ms-appinstaller:" link. That's new!
NEW: Conti affiliates use ProxyShell Exchange exploit in ransomware attacks ⚠️
In one of the ProxyShell-based attacks observed by Sophos, the Conti affiliates managed to gain access to the target’s network and set up a remote web shell in under a minute...
1/14
ProxyShell represents an evolution of the ProxyLogon attack method. In recent months, the exploit has become a mainstay of ransomware attacker playbooks, including those deploying the new LockFile ransomware first seen in July. 2/14
As attackers have gained experience with the techniques, their dwell time before launching the final ransomware payload on target networks has decreased from weeks to days to hours. 3/14
NEW: Fake pirated software sites serve up malware droppers as a service 🏴☠️
During our recent investigation into an ongoing Raccoon Stealer campaign, we found the malware was being distributed by a network of websites acting as a “dropper as a service,”... 1/00
... serving up a variety of other malware packages—often bundling multiple unrelated malware together in a single dropper. The bundled malware included an assortment of click-fraud bots, other information stealers, and even ransomware. 2/00
While the Raccoon Stealer campaign we tracked on these sites took place between January and April, 2021, we continue to see malware and other malicious content distributed through the same network of sites. 3/00
BlackMatter ransomware emerges from the shadow of DarkSide
1/12
In late July, a new RaaS appeared on the scene.
Calling itself BlackMatter, the ransomware claims to fill the void left by DarkSide and REvil – adopting the best tools and techniques from each of them, as well as from the still-active LockBit 2.0. 2/12
We decided to take a closer look at the malware and the claims being made by the new adversary to see what’s really going on... 3/12
Relentless REvil, revealed: RaaS as variable as the criminals who use it
No two criminal groups deploy REvil, the ransomware-as-a-service (RaaS) also known as Sodinokibi, in exactly the same way...
(a thread) 1/11
As attacks involving RaaS malware, including REvil, have increasingly generated attention, we wanted to pull together a common body of our knowledge about the ransomware itself and the variety of attack methods employed by the criminals who lease the software. 2/11
We've also reviewed reports from Sophos Rapid Response about attacks involving Sodinokibi/REvil where the MTR team were hired to provide incident response and cleanup. From these detailed analyses, we were able to develop a picture of a common malware being deployed. 3/11
NEW on Patch Tuesday: Six in-the-wild exploits patched in Microsoft’s June security fix release
Security fixes address five critical vulnerabilities, including scripting and Defender bugs—and one actively exploited flaw in MSHTML...
(a thread) 1/7
The June security update drop has a mere 49 new vulnerability fixes, plus five synchronized fixes delivered by Adobe.
Only five of Microsoft’s bug fixes are rated as critical. But that doesn’t lessen the importance of applying patches as soon as possible. 2/7
All five critical patches are for bugs that are potentially exploitable for remote code execution (RCE). And one of them, a vulnerability in the Windows MSHTML “platform”, is already being exploited. 3/7