Date: 2021-11-24

The security company Sophos has detected a ransomware previously unseen in the market: Memento, a threat that is able to circumvent traditional anti-ransomware security mechanisms using an approach not normally used for malicious purposes.

Memento starts off acting like common malware, breaking into systems and stealing files. It then demands a high ransom: the equivalent of US$1 million in bitcoin to release the data and the infected machine.

It exploits an outdated security system and, to make matters worse, abandons the usual file-encryption method in favour of an approach that seems just as dangerous.

How does Memento work?

Written in Python and active since April of this year, the malware exploits a flaw in VMware's vSphere cloud virtualization platform. The criminals breached the server through a covert connection and used a tool known as Mimikatz, which steals Windows passwords.

But the second phase of the attack was only detected in October. To "hijack" the data, Memento uses a modified version of WinRAR, the popular file compression program, to lock the data in password-protected archives and send it to the criminals' own server. This step circumvents any anti-encryption protection systems in place; the criminals added it later as a "plan B" for the intrusion, relying on a mechanism that is more rudimentary but equally effective.
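Because the archiver is a legitimate tool, the defensive signal is not the binary itself but how it is being run: a password switch on the command line, execution from an unusual path or as SYSTEM, a service parent (no interactive user), network shares as input, and several such runs on one host in a short window. The script below, an added example that is not from the article or from Sophos' report, scores constructed Sysmon-style process-creation events along those lines. The event format, host names, paths and passwords are invented for the example; the `-p` (password) and `-hp` (password plus encrypted file names) switches are real RAR command-line switches.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events (hypothetical telemetry,
# not data from the Memento investigation). One event per line.
SAMPLE_EVENTS = [
    'ts=2021-10-12T03:14:02Z host=FS01 user=NT AUTHORITY\\SYSTEM parent=svchost.exe image=C:\\Windows\\Temp\\rar.exe cmd="rar.exe a -r -hpZ9kQw!2 D:\\tmp\\a1.rar \\\\FS01\\finance"',
    'ts=2021-10-12T03:17:40Z host=FS01 user=NT AUTHORITY\\SYSTEM parent=svchost.exe image=C:\\Windows\\Temp\\rar.exe cmd="rar.exe a -r -hpZ9kQw!2 D:\\tmp\\a2.rar \\\\FS01\\hr"',
    'ts=2021-10-12T03:19:05Z host=FS01 user=NT AUTHORITY\\SYSTEM parent=svchost.exe image=C:\\Windows\\Temp\\rar.exe cmd="rar.exe a -r -hpZ9kQw!2 D:\\tmp\\a3.rar \\\\FS01\\legal"',
    'ts=2021-10-12T09:02:11Z host=WS22 user=CORP\\alice parent=explorer.exe image=C:\\Program Files\\WinRAR\\WinRAR.exe cmd="WinRAR.exe a -pHunter2 D:\\backup.rar C:\\Users\\alice\\Documents"',
    'ts=2021-10-12T09:05:30Z host=WS22 user=CORP\\alice parent=cmd.exe image=C:\\Program Files\\WinRAR\\Rar.exe cmd="Rar.exe a -p- D:\\plain.rar C:\\Users\\alice\\Pictures"',
    'ts=2021-10-12T09:06:00Z host=WS22 user=CORP\\alice parent=explorer.exe image=C:\\Windows\\notepad.exe cmd="notepad.exe -hpfoo"',
]

EVENT_RE = re.compile(
    r'^ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>.+?) parent=(?P<parent>\S+) '
    r'image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)
# RAR switches -p<pwd> / -hp<pwd>; "-p-" means "do not ask for a password" and
# is therefore not encryption. Alternation tries "hp" before "p". Case is
# treated as insignificant here (assumption for the example).
PASSWORD_SWITCH_RE = re.compile(r'(?<!\S)-(hp|p)(\S*)', re.IGNORECASE)
ARCHIVERS = {"rar.exe", "winrar.exe"}
SERVICE_PARENTS = {"services.exe", "svchost.exe", "wmiprvse.exe"}
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    host: str
    first_seen: datetime
    count: int
    reasons: list


def parse_event(line):
    """Return the event fields as a dict (timestamp parsed), or None if malformed."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def is_archiver(image):
    return image.rsplit("\\", 1)[-1].lower() in ARCHIVERS


def password_switch(cmd):
    """Return 'p' or 'hp' if the command line asks for an encrypted archive, else None."""
    for m in PASSWORD_SWITCH_RE.finditer(cmd):
        if m.group(2) != "-":          # "-p-" explicitly disables the password prompt
            return m.group(1).lower()
    return None


def suspicious_reasons(ev):
    """Independent indicators for one archiver run; each adds one reason string."""
    reasons = []
    sw = password_switch(ev["cmd"])
    if sw:
        detail = " (file names encrypted too)" if sw == "hp" else ""
        reasons.append(f"-{sw} switch: password-protected archive{detail}")
    if not ev["image"].lower().startswith(TRUSTED_DIRS):
        reasons.append("archiver running from a non-standard path")
    if ev["parent"].lower() in SERVICE_PARENTS:
        reasons.append(f"launched by {ev['parent']} (unattended, no interactive user)")
    if ev["user"].upper().endswith("\\SYSTEM"):
        reasons.append("running as SYSTEM")
    if "\\\\" in ev["cmd"]:            # a UNC path among the arguments
        reasons.append("archiving a network share")
    return reasons


def analyze(lines, min_reasons=2, min_events=2, window=timedelta(minutes=10)):
    """Flag hosts with >= min_events suspicious archiver runs inside one time window."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_archiver(ev["image"]):
            continue
        reasons = suspicious_reasons(ev)
        if len(reasons) >= min_reasons:
            by_host[ev["host"]].append((ev["ts"], reasons))
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i in range(len(evs)):
            j = i
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            if j - i >= min_events:
                union = sorted({r for _, rs in evs[i:j] for r in rs})
                findings.append(Finding(host, evs[i][0], j - i, union))
                break                  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: {f.count} suspicious archiver runs from {f.first_seen:%H:%M:%S}")
        for r in f.reasons:
            print("  -", r)
```

On the constructed events only FS01 is reported: three SYSTEM-level runs of a copy of rar.exe from a temp directory, started by a service host, each packing a network share into a `-hp` archive within five minutes. Alice's interactive `-p` backup on WS22 collects a single indicator and stays below the threshold, `-p-` is correctly read as "no password", and the notepad line is ignored because it is not an archiver at all. In a real deployment the same scoring belongs in the SIEM rule language of choice, fed by process-creation telemetry with full command lines enabled.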

Sophos was able to detect and stop Memento, along with other attempts to exploit the same vulnerability, at a partner company. Details of the Memento discovery were published in the report "New Ransomware Actor Uses Password Protected Archives to Bypass Encryption Protection".