Ransomware actors use WinRar for encryption

This year almost at the end of October a new ransomware group appeared with quite an unordinary encryption technique. “Memento Team” instead of encrypting files itself copies them into password-protected archives by using a retitled freeware version of the legitimate file utility WinRAR. Then the gang locks the archive with passwords and deletes original files. In the ransomware note criminals instruct victims to contact them via a Telegram account. The team of cybersecurity analysts provided a description of some of their client’s experience with the new ransomware.

WinRaR became the new ransomware tool

“The modifications to the ransomware changed its behavior to avoid detection of encryption activity. Instead of encrypting files, the “crypt” code now puts the files in unencrypted form into WinRaR archive files, using the copy of WinRAR, saving each file in its own archive with a .vaultz file extension. Passwords were generated for each file as it was archived. Then the passwords themselves were encrypted,” – SophosNews report.

The wording and formatting of the group`s ransomware note looks similar to that of the REvil ransomware gang. In addition, it threatens to leak the data if payments are not made. But unlike REvil payments were asked to be made in Bitcoin. The gang demanded 15.95 BTC (roughly $1 million US). That’s the sum for all files and they also offered varying price rates for different types of files, separately. The exact usage of WinRar archives with passwords is very similar to old jokes from ’00s. Then it was just pranks, but now these are real cyberattacks.

Ransomware actors use WinRar for encryption
One of the ransomware notes example

After almost six months secretly probing the victims’ network gang began their attack. Unluckily for them, the victim didn`t start the negotiation process. Targeted organizations previously made the backups of the encrypted files and could get back to rather normal work despite the attack. In general, 2021 year saw a significant rise in ransomware attacks and demanded payments. Below we provide you with a short excerpt of the most common trends for this year in this particular criminal ecosystem.

Ransomware 2021 year facts

These are just short sentences but they should give you the main points in the field. Ransomware started to spread itself to mobile phones thanks to mobile`s general more openness to malware. The majority of them cover the browser or an app with the ransom note making the device unusable. Due to the pandemic, most ransomware gangs projected their interests to vulnerable industries such as municipal facilities, schools and remote work employees. RaaS or Ransomware-as-a-service developed into quite an effective work business. It allows ransomware gangs to use already developed ransomware tools. The decentralized nature of the whole economy makes it difficult for the law enforcement agencies to successfully target them.

Ransomware evolves in its tactics and methods of work with several new quite effectively ransomware strains having made headlines. About some of them you surely have heard about. Conti, REvil, DarkSide and Netwalker change their behavior so the new detection methods need to be applied to continue the fight with them at the same level. And that makes some percent of success for the upgraded strains of ransomware as there could not be at that very moment help tools.

About Andy

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Universite de Montreal. I was not sure if a journalist job is what I want to do in my life, but in conjunction with technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people to deal with malware they have on their PCs.

Check Also

Attackers usually don`t brut-force long passwords

Attackers usually don`t brute-force long passwords

Microsoft’s network of honeypot servers data showed that very few attacks targeted long and complex …

Another Windows zero day allows for admin privileges

Another Windows zero day allows for admin privileges

Researcher Abdelhamid Naceri who often reports on Windows bugs this time dropped a working proof-of-concept …

Leave a Reply