The longer an infiltration goes undetected, the more attackers can infiltrate a network simultaneously and complicate mitigation.

In mid-April this year, a never-before-seen threat group exploited a flaw in vSphere to gain a foothold on a server. Forensic evidence revealed that the attackers had started the main intrusion in early May 2021.

The attackers used the early months for lateral movement and reconnaissance, using the Remote Desktop Protocol, Nmap network scanner, Advanced Port Scanner, and Plink Secure Shell tunneling tool to set up an interactive connection with the breached server. The attackers also used mimikatz to harvest account credentials to use in later stages of the attack.

On 23 Oct, the Python-based ransomware, subsequently named Memento, was deployed. The attackers initially tried to directly encrypt files, but security measures blocked this attempt. The attackers then changed tactics, re-tooled and re-deployed the ransomware. They copied unencrypted files into password-protected archives using a renamed free version of WinRAR, before encrypting the password and deleting the original files.

The attackers demanded a ransom of US$1m in Bitcoin in order to restore the files. The victim corporation was able to recover data without the involvement of the attackers.

Open entry points let in additional attackers

While the Memento attackers were in the victim’s network, two different attackers broke in via the same vulnerable access point, using similar exploits. These attackers each dropped cryptocurrency miners onto the same compromised server. One of them installed an XMR cryptominer on 18 May, while the other installed an XMRig cryptominer on 8 Sep, and again on 3 Oct.

Commenting on this, Sean Gallagher, Senior Threat Researcher, Sophos, the firm that sniffed out the ransomware, said: “Human-led ransomware attacks in the real world are rarely clear-cut and linear. Attackers seize opportunities when they find them or make mistakes, and then change tactics ‘on-the-fly.’ If they can make it into a target’s network, they won’t want to leave empty handed. We’ve seen this repeatedly—when internet-facing vulnerabilities become public and go unpatched, multiple attackers will quickly exploit them. The longer vulnerabilities go unmitigated, the more attackers they attract.”

Cybercriminals are continuously scanning the internet for vulnerable online entry points, and they do not wait in line when they find one, Gallagher said. Being breached by multiple attackers compounds disruption and recovery time for victims. “The Memento attack is a good example of this, and it serves as a critical reminder to use defense-in-depth security. Being able to detect ransomware and attempted encryption is vital, but it’s also important to have security technologies that can alert IT managers to other, unexpected, activity such as lateral movement,” he noted.

Memento learning points

Sophos believes this incident, where multiple attackers exploited a single unpatched server exposed to the internet, highlights the importance of quickly applying patches and checking with third-party integrators, contract developers or service providers about their software security.

The following general best practices can help organizations defend against emerging ransomware methods and related cyberattacks:

At the strategic level, deploy layered protection: As more ransomware attacks begin to involve extortion, backups remain necessary, but insufficient. It is more important than ever to keep adversaries out in the first place, or to detect them quickly, before they cause harm. Use layered protection to block and detect attackers at as many points as possible across an estate.

At a routine tactical level:

  • Monitor and respond to alerts: Ensure the appropriate tools, processes, and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time their strike during off-peak hours, at weekends or during the holidays, on the assumption that few or no staff are watching.
  • Lock down accessible services: Perform network scans from the outside and identify and lock down the ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN or zero-trust network access solution that uses MFA as part of its login.
  • Apply segmentation and Zero Trust policies: Separate critical servers from each other and from workstations by putting them into separate VLANs and implement a ZTN security model.
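
The "lock down accessible services" check above, as an added example that is not from Sophos or the original article: it parses the grepable output of an outside-in Nmap scan and lists hosts that expose remote-access services. The port and service-name tables, the `approved` exception set and the sample scan are assumptions constructed for illustration.

```python
# Assumption: default ports / Nmap service names for the remote-access tools
# the article names (RDP, VNC) plus SSH; extend for your own estate.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 5901: "VNC"}
REMOTE_ACCESS_SERVICES = {"ssh": "SSH", "ms-wbt-server": "RDP", "vnc": "VNC"}

# Constructed sample of `nmap -oG` output from an outside-in scan
# (addresses are from the RFC 5737 documentation range).
SAMPLE_SCAN = (
    "# constructed sample, not from the incident\n"
    "Host: 203.0.113.2 ()\tStatus: Up\n"
    "Host: 203.0.113.2 ()\tPorts: 443/open/tcp//https///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n"
    "Host: 203.0.113.3 ()\tPorts: 22/open/tcp//ssh///, "
    "5900/filtered/tcp//vnc///\n"
    "Host: 203.0.113.4 ()\tPorts: 13389/open/tcp//ms-wbt-server///\n"
)


def parse_grepable(text):
    """Yield (host, port, service) for every open port in -oG output."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        host = line.split()[1]
        ports = next(f for f in line.split("\t") if f.startswith("Ports:"))
        for entry in ports[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            # Entry layout: port/state/protocol/owner/service/rpc/version/
            if len(parts) >= 5 and parts[1] == "open":
                yield host, int(parts[0]), parts[4]


def exposed_remote_access(text, approved=frozenset()):
    """Return sorted (host, port, tool) findings not covered by `approved`."""
    findings = []
    for host, port, service in parse_grepable(text):
        # Match on service name too (reliable with `nmap -sV`), so a
        # remote-access service moved off its default port is still caught.
        tool = REMOTE_ACCESS_SERVICES.get(service) or REMOTE_ACCESS_PORTS.get(port)
        if tool and (host, port) not in approved:
            findings.append((host, port, tool))
    return sorted(findings)


if __name__ == "__main__":
    for host, port, tool in exposed_remote_access(SAMPLE_SCAN):
        print(f"{host}:{port} exposes {tool} to the internet")
```

Pass documented exceptions as `approved` so that repeat scans only report new exposures.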