Effective URL: https://www.cybersecurityconnect.com.au/commercial/7349-sophos-identifies-new-memento-ransomware
Memento ransomware threat actors demand $1m in bitcoin from victims

By Nastasha Tupas, 19 November 2021 | 1 minute read

Sophos has released details of a new Python ransomware called Memento. The research, titled "New Ransomware Actor Uses Password Protected Archives to Bypass Encryption Protection", describes the attack, which locks files in a password-protected archive if the Memento ransomware cannot encrypt the targeted data.

Human-led ransomware attacks in the real world are rarely clear-cut and linear, according to Sean Gallagher, senior threat researcher at Sophos.

"Attackers seize opportunities when they find them or make mistakes, and then change tactics 'on-the-fly'. If they can make it into a target's network, they won't want to leave empty-handed. The Memento attack is a good example of this, and it serves as a critical reminder to use defence-in-depth security," Gallagher said.

Attack timeline

Sophos researchers believe the Memento operators breached the target's network in mid-April 2021. The attackers exploited a flaw in VMware's vSphere, an internet-facing virtualisation platform, to gain a foothold on a server, and the forensic evidence Sophos researchers found indicates the attackers started the main intrusion in early May 2021.

The attackers used the early months for lateral movement and reconnaissance, using the Remote Desktop Protocol (RDP), the NMAP network scanner, Advanced Port Scanner and the Plink Secure Shell (SSH) tunnelling tool to set up an interactive connection with the breached server. The attackers also used Mimikatz to harvest account credentials for use in later stages of the attack.

According to Sophos researchers, on 20 October 2021 the attackers used the legitimate tool WinRAR to compress a collection of files and exfiltrate them via RDP.

Release of the ransomware

The attackers first deployed the ransomware on 23 October 2021. Sophos researchers found that the attackers initially tried to encrypt files directly, but security measures blocked this attempt. The attackers then changed tactics, retooled and redeployed the ransomware: they copied unencrypted files into password-protected archives using a renamed free version of WinRAR, then encrypted the archive password and deleted the original files.

The attackers demanded a ransom of $1 million in bitcoin to restore the files. Fortunately, the target was able to recover its data without the involvement of the attackers.

Open entry points let in additional attackers

While the Memento attackers were in the target's network, two different attackers broke in via the same vulnerable access point, using similar exploits. These attackers each dropped cryptocurrency miners onto the same compromised server. One of them installed an XMR crypto miner on 18 May, while the other installed an XMRig cryptominer on 8 September and again on 3 October. According to Gallagher, the longer vulnerabilities go unmitigated, the more attackers they attract.

"We've seen this repeatedly – when internet-facing vulnerabilities become public and go unpatched, multiple attackers will quickly exploit them," Gallagher said.

Security advice

Sophos researchers believe this incident, in which multiple attackers exploited a single unpatched server exposed to the internet, highlights the importance of applying patches quickly and of checking with third-party integrators, contract developers or service providers about the security of their software. Following general best practices to help defend against ransomware and related cyber attacks is also recommended.

At a strategic level:

* Deploy layered protection. As more ransomware attacks begin to involve extortion, backups remain necessary but insufficient. It is more important than ever to keep adversaries out in the first place, or to detect them quickly before they cause harm. Use layered protection to block and detect attackers at as many points as possible across the estate.
* Combine human experts and anti-ransomware technology. The key to stopping ransomware is defence-in-depth that combines dedicated anti-ransomware technology with human-led threat hunting. Technology provides the scale and automation an organisation needs, while human experts are best able to detect the telltale tactics, techniques and procedures that indicate an attacker is attempting to get into the environment. Organisations that lack these skills in-house can enlist support from cyber security specialists.

At a day-to-day tactical level:

* Monitor and respond to alerts. Ensure the appropriate tools, processes and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time their strike for off-peak hours, weekends or holidays, on the assumption that few or no staff are watching.
* Set and enforce strong passwords. Strong passwords serve as one of the first lines of defence. Passwords should be unique or complex and never re-used. This is easier to accomplish with a password manager that can store staff credentials.
* Use multi-factor authentication (MFA). Even strong passwords can be compromised. Any form of multi-factor authentication is better than none for securing access to critical resources such as e-mail, remote management tools and network assets.
* Lock down accessible services. Perform network scans from the outside, then identify and lock down the ports commonly used by VNC, RDP or other remote access tools. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN or a zero-trust network access solution that uses MFA as part of its login.
* Practise segmentation and zero-trust. Separate critical servers from each other and from workstations by putting them into separate VLANs as you work towards a zero-trust network model.
* Make offline backups of information and applications. Keep backups up to date, ensure they can be restored and keep a copy offline.
* Inventory your assets and accounts. Unknown, unprotected and unpatched devices in the network increase risk and create a situation where malicious activity can pass unnoticed. It is vital to have a current inventory of all connected compute instances. Use network scans, IaaS tools and physical checks to locate and catalogue them, and install endpoint protection software on any machines that lack it.
* Make sure security products are correctly configured. Under-protected systems and devices are vulnerable too. Ensure security solutions are configured properly, and check, validate and update security policies regularly. New security features are not always enabled automatically. Do not disable tamper protection or create broad detection exclusions, as doing so makes an attacker's job easier.
* Audit Active Directory (AD). Conduct regular audits of all accounts in AD, ensuring that none has more access than its purpose requires. Disable the accounts of departing employees as soon as they leave the company.
* Patch everything. Keep Windows and other operating systems and software up to date. This also means double-checking that patches have been installed correctly and are in place on critical systems such as internet-facing machines and domain controllers.

Detecting ransomware and attempted encryption is vital, but it is also important to have security technologies that can alert IT managers to other unexpected activity, such as lateral movement, according to Gallagher.

"Being breached by multiple attackers compounds disruption and recovery time for victims. It also makes it harder for forensic investigations to unpick and resolve who did what, which is important intelligence for threat responders to collect to help organisations prevent additional repeat attacks," Gallagher said. "Cyber criminals are continuously scanning the internet for vulnerable online entry points, and they don't wait in line when they find one."

About the author: Nastasha Tupas is a journalist at Momentum Media, reporting extensively across veterans' affairs, cyber security and geopolitics in the Indo-Pacific. Previously, she was a content producer at Verizon Media, a digital producer for Yahoo! and Channel 7, a digital journalist at Sky News Australia, and a website manager and digital producer at SBS Australia. She started her career in media as a video producer and digital news presenter at News Corp Australia.