
New ransomware locks files with password if prevented from taking action – Nairobi Times

A new ransomware operation, tracked as Memento, falls back to locking files inside password-protected archives when its own encryption routine is blocked. The malware is yet another way for attackers to get around anti-ransomware protections, adopting a new method of holding data hostage and demanding up to US$1 million in cryptocurrency as ransom.

The warning about the new attacks comes from Sophos researchers, who describe an operation that began in May this year. The criminals spent more than five months inside the victim's network, moving laterally and performing reconnaissance of the server infrastructure in order to obtain account credentials and set up remote connections; the actual locking of the data only took place at the end of October.

The approach is actually simple: the malware, written in Python, drove the free version of WinRAR to pack files into password-protected archives, and the originals were then deleted. The victim, a company whose name was not released, did not pay the ransom and was able to recover its data without contacting the criminals.


The report released by Sophos gives more details about the attack, which was made possible by a vulnerability in VMware's vSphere platform. The flaw was exploited not only by the criminals behind Memento but also by two other intruders, who deployed cryptocurrency miners on the vulnerable servers; in the second case there were two separate installations, the first in September and the second in October, after the earlier one had been detected.

“Criminals are constantly scouring the internet for entry points and don’t wait in line when they find them. We’ve seen cases like this many times before,” says Sean Gallagher, senior threat researcher at Sophos. In this case, he says, the presence of several different intruders made both detecting them and recovering from the attack take longer.

In every one of these intrusions the root cause was a missing update: a patch for the vulnerability was already available when it was exploited. “When vulnerabilities become public and are not fixed, criminals exploit them quickly”, adds the researcher, pointing to the need to apply updates promptly, especially for critical flaws, so that organizations do not become the target of several attack groups at the same time.

Change of plans

The discovery of Memento also showed that the attackers were able to change their approach in the middle of the attack. According to Sophos, after using various tools for lateral movement and reconnaissance, the attackers found their encryption payload blocked by security software. Hence the switch to WinRAR, which they used to create password-protected archives in its place.
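As an added example, not code from the Sophos report or from the Memento sample, the following Python script shows how a defender could spot this archive-and-delete trick in process-creation telemetry. It parses WinRAR/Rar.exe command lines in constructed Sysmon Event ID 1 style records, flags the documented password switches (-p, -hp) together with the delete-after-archive switches (-df, -dw, -dr) or the "m" (move) command, catches a renamed Rar.exe through the OriginalFileName field, and reports any parent process that fires off several such runs inside a short window. The field names follow Sysmon's Event ID 1; the sample events, paths, PIDs and passwords are invented.

```python
"""Added example, not from the Sophos report or the Memento sample: simple
detection logic over constructed Sysmon Event ID 1 style records, flagging
WinRAR launches that password-protect an archive and remove the originals."""
import re
from datetime import datetime, timedelta

ARCHIVER_NAMES = {"rar.exe", "winrar.exe"}
# Documented Rar.exe syntax: rar <command> <switches> <archive> <files>.
# -p<pwd> encrypts data, -hp<pwd> also encrypts headers; -df/-dw/-dr delete,
# wipe or recycle the originals; the "m" command moves files into the archive.
DELETE_SWITCHES = {"-df", "-dw", "-dr"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "cmd.exe", "wscript.exe"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a finding for a suspicious archiver launch, else None."""
    image = basename(event["Image"])
    original = event.get("OriginalFileName", "").lower()
    if image not in ARCHIVER_NAMES and original not in ARCHIVER_NAMES:
        return None                                  # not WinRAR, renamed or not
    tokens = tokenize(event["CommandLine"])
    command = tokens[1].lower() if len(tokens) > 1 else ""
    switches = {t.lower() for t in tokens[2:] if t.startswith("-")}
    has_password = any(s.startswith("-hp") or (s.startswith("-p") and s != "-p-")
                       for s in switches)            # "-p-" means no password
    deletes = command == "m" or bool(switches & DELETE_SWITCHES)
    renamed = image not in ARCHIVER_NAMES
    scripted = basename(event.get("ParentImage", "")) in SCRIPT_HOSTS
    indicators = [name for flag, name in (
        (has_password, "password-protected archive"),
        (deletes, "originals removed after archiving"),
        (renamed, f"renamed archiver {image} (original name {original})"),
        (scripted, "launched by a script host")) if flag]
    if not indicators:
        return None
    if has_password and deletes:
        severity = "high"        # the archive-and-delete pattern described above
    elif has_password or renamed:
        severity = "medium"
    else:
        severity = "low"         # e.g. a batch job adding files without a password
    return {"record_id": event["RecordId"], "parent_pid": event["ParentProcessId"],
            "utc_time": datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
            "severity": severity, "indicators": indicators}


def scan(events):
    """Classify every event, keeping only those that produce a finding."""
    return [f for f in map(classify, events) if f]


def burst_parents(findings, threshold=3, window=timedelta(minutes=10)):
    """Parent PIDs with >= threshold flagged archiver runs inside one window:
    a loop archiving share after share stands out even when each command
    line on its own could pass for a backup."""
    by_parent = {}
    for f in findings:
        by_parent.setdefault(f["parent_pid"], []).append(f["utc_time"])
    bursts = {}
    for pid, times in by_parent.items():
        best = max(sum(1 for t in times if start <= t <= start + window) for start in times)
        if best >= threshold:
            bursts[pid] = best
    return bursts


def ev(rid, utc, ppid, parent, image, cmd, original="Rar.exe"):
    return {"RecordId": rid, "UtcTime": utc, "ParentProcessId": ppid, "ParentImage": parent,
            "Image": image, "OriginalFileName": original, "CommandLine": cmd}


RAR, WINRAR, PY = r"C:\Program Files\WinRAR\Rar.exe", r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Python39\python.exe"
# Constructed sample telemetry, not real logs; paths, PIDs and passwords are invented.
SAMPLE_EVENTS = [
    ev(1, "2021-10-22 14:05:33.101", 1188, r"C:\Windows\explorer.exe", WINRAR,
       rf'"{WINRAR}" a -r "C:\Users\alice\photos.rar" "C:\Users\alice\Pictures\2021"', "WinRAR.exe"),
    ev(2, "2021-10-23 03:11:07.004", 4120, PY, RAR,
       rf'"{RAR}" a -r -hpS3cr3t! -m0 -df "D:\share\finance.rar" "D:\share\finance\*"'),
    ev(3, "2021-10-23 03:12:40.377", 4120, PY, r"C:\Windows\Temp\svc.exe",
       r'svc.exe m -r -pPassw0rd "D:\share\hr.rar" "D:\share\hr\*"'),
    ev(4, "2021-10-23 03:13:02.910", 4120, PY, RAR,
       rf'"{RAR}" a -r -hpS3cr3t! -m0 -df "D:\share\legal.rar" "D:\share\legal\*"'),
    ev(5, "2021-10-23 22:00:00.000", 900, r"C:\Windows\System32\cmd.exe", RAR,
       rf'"{RAR}" a -pBackupKey -r "E:\backup\db.rar" "D:\db\*"'),
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(h["record_id"], h["severity"], "; ".join(h["indicators"]))
    print("burst parents:", burst_parents(scan(SAMPLE_EVENTS)))
```

On the constructed sample the plain explorer.exe archive run produces nothing, the three python.exe-driven runs score high (one of them through a renamed binary and the "m" command, which deletes originals just as -df does), and the password-only backup from cmd.exe scores medium, which is where a real deployment would need an allow-list for known backup jobs. The burst check is what turns three individually plausible archive commands into one alert about the loop that issued them.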

“Intruders seize opportunities when they find them and change tactics instantly when they make mistakes. If they manage to penetrate a target’s network, they won’t want to leave empty-handed,” adds Gallagher. Cases of this kind, he says, reinforce the need for defense in depth: protection that can detect ransomware and its encryption attempts, but also other unexpected activity on the network.

Investing in monitoring and in alerting for administrators, for example, is an important step in this strategy, along with proper configuration of the protection platforms already in place. These measures go hand in hand with basics such as strong passwords, multi-factor authentication and prompt patching, and with backups that guarantee recovery in the event of a compromise.

Finally, Sophos recommends network segmentation, which isolates compromised portions of the network and hinders lateral movement, together with audits and inventories that keep track of who has access and which devices are connected. Zero-trust initiatives also help keep systems secure at all times.
