
Unable to Encrypt Files, the Latest Memento Ransomware Resorts to Using WinRAR


After security software detected its encryption attempts, a new ransomware group known as Memento took the unusual step of locking files inside password-protected archives instead of encrypting them. The group began operating last month, gaining initial access to victims' networks by abusing a flaw in the VMware vCenter Server web client. 

The vCenter bug has been assigned CVE-2021-21971. Anyone with network access to TCP port 443 on an unpatched vCenter server could execute commands with administrative privileges on the underlying operating system. Although a patch was released in February, many businesses have still not updated their installations. 

Memento has been leveraging this flaw since April, and a different actor was discovered exploiting it in May to install XMR miners via PowerShell commands. 

Memento began its ransomware operations last month by harvesting administrator credentials from the targeted system via vCenter, establishing persistence through scheduled tasks, and then moving laterally across the network using RDP over SSH. During the reconnaissance phase, the actors used WinRAR to build and exfiltrate an archive containing the stolen files. 

Finally, they used Jetico's BCWipe data-wiping tool to remove any leftover traces before encrypting the data with AES using a Python-based ransomware strain. 

Nevertheless, Memento's initial attempts to encrypt the data were detected and halted by security software before any damage had been done. 

Memento then found a novel way to avoid detection by security software: bypass encryption entirely and move the files into password-protected archives. To do this, the group compresses the files into WinRAR archives, generates a strong password to protect each one, encodes that password, and then deletes the original files. 

According to Sophos analyst Sean Gallagher, the "crypt" routine now stores each document in an archive with a .vaultz file extension rather than encrypting the data. A password was generated as each file was archived, and the passwords were then encoded. 
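As an added example (not code from the original post or from Sophos), the following Python script shows how a defender could flag this archive-and-delete pattern in file-system telemetry: it pairs each new .vaultz archive with the deletion of the matching original shortly afterwards and alerts when enough such pairs land on one host inside a short window. The telemetry format, field names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-system telemetry, one event per line:
# timestamp|host|event|process|path
SAMPLE_EVENTS = """\
2021-11-02T10:00:01|srv1|file_create|winrar.exe|C:\\Data\\q3.xlsx.vaultz
2021-11-02T10:00:01|srv1|file_delete|winrar.exe|C:\\Data\\q3.xlsx
2021-11-02T10:00:02|srv1|file_create|winrar.exe|C:\\Data\\plan.docx.vaultz
2021-11-02T10:00:02|srv1|file_delete|winrar.exe|C:\\Data\\plan.docx
2021-11-02T10:00:03|srv1|file_create|winrar.exe|C:\\Data\\hr.pdf.vaultz
2021-11-02T10:00:03|srv1|file_delete|winrar.exe|C:\\Data\\hr.pdf
2021-11-02T10:05:00|srv2|file_create|explorer.exe|C:\\Users\\bob\\photos.rar
2021-11-02T11:30:00|srv2|file_create|winrar.exe|C:\\Backup\\old.vaultz
"""

ARCHIVE_EXT = ".vaultz"   # extension Sophos reported for Memento's archives
WINDOW = timedelta(seconds=60)
THRESHOLD = 3             # archive-and-delete pairs per host within one window

def parse_events(text):
    """Parse the constructed pipe-separated telemetry into tuples."""
    events = []
    for line in text.splitlines():
        ts, host, event, proc, path = line.split("|", 4)
        events.append((datetime.fromisoformat(ts), host, event, proc, path))
    return events

def detect_archive_wiping(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: pairs} for hosts where at least `threshold` originals
    were replaced by a .vaultz archive and deleted inside one time window."""
    created = defaultdict(dict)   # host -> {original path: archive timestamp}
    hits = defaultdict(list)      # host -> timestamps of archive+delete pairs
    for ts, host, event, proc, path in sorted(events, key=lambda e: e[0]):
        low = path.lower()
        if event == "file_create" and low.endswith(ARCHIVE_EXT):
            created[host][low[:-len(ARCHIVE_EXT)]] = ts
        elif event == "file_delete" and low in created[host]:
            t0 = created[host].pop(low)
            if ts - t0 <= window:       # original removed soon after archiving
                hits[host].append(ts)
    alerts = {}
    for host, times in hits.items():
        best, start = 0, 0             # largest number of pairs in any window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[host] = best
    return alerts
```

A lone .vaultz archive whose original is never deleted (srv2 above) does not trigger the rule; the signal is the burst of archive-then-delete pairs.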

According to the ransom note, the victim must pay 15.95 BTC ($940,000) for full recovery or 0.099 BTC ($5,850) per file. 

In the cases reviewed by Sophos, these extortion attempts did not result in a ransom payment, as the victims used existing backups to recover their data. Memento, however, is a new group that has just found a strategy that works, so it will almost certainly try it against other organizations.