New Memento ransomware switches to WinRAR after failing at encryption
A new ransomware group called Memento takes the unusual approach of locking files inside password-protected archives after their encryption method kept being detected by security software.
After the reconnaissance stage, the actors used WinRAR to create an archive of the stolen files and exfiltrate it.
Memento's original attempts at encrypting files failed because the systems had anti-ransomware protection, which detected and stopped the encryption step before any damage was done.
To overcome the detection of commodity ransomware by security software, Memento came up with an interesting tactic - skip encryption altogether and move files into password-protected archives.
To do this, the group now moves files into WinRAR archives, sets a strong password for access protection, encrypts that key, and finally deletes the original files.
"Instead of encrypting files, the 'crypt' code now puts the files in unencrypted form into archive files, using the copy of WinRAR, saving each file in its own archive with a .vaultz file extension," explains Sophos analyst Sean Gallagher.
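One way a defender can hunt for this "archive instead of encrypt" pattern in process-creation telemetry, as an added example (not code from the article or from Sophos): it flags any WinRAR/rar.exe run that writes a .vaultz archive, and any burst of password-protected single-file archives on one host. The log format, host names, paths and the use of the -p/-hp password switches are assumptions; only the .vaultz extension and the one-file-per-archive behaviour come from the article.

```python
"""Flag WinRAR-based 'archive instead of encrypt' activity in process-creation logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): "timestamp|host|image path|command line"
SAMPLE_LOG = """\
2021-11-18T03:12:07Z|FS01|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe a backup.rar D:\\Docs\\notes.txt
2021-11-18T03:20:01Z|FS01|C:\\Users\\Public\\rar.exe|rar.exe a -ep1 -hp*** "D:\\Finance\\q3.xlsx.vaultz" "D:\\Finance\\q3.xlsx"
2021-11-18T03:20:02Z|FS01|C:\\Users\\Public\\rar.exe|rar.exe a -ep1 -hp*** "D:\\Finance\\q4.xlsx.vaultz" "D:\\Finance\\q4.xlsx"
2021-11-18T03:20:02Z|FS01|C:\\Users\\Public\\rar.exe|rar.exe a -ep1 -hp*** "D:\\HR\\payroll.docx.vaultz" "D:\\HR\\payroll.docx"
2021-11-18T09:41:55Z|WS07|C:\\Program Files\\WinRAR\\rar.exe|rar.exe a -p*** archive.rar report.pdf
"""

ARCHIVER = re.compile(r"(?:^|\\)(?:rar|winrar)\.exe$", re.I)   # WinRAR GUI or CLI binary
PASSWORD_SWITCH = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.I)     # -p<pw> / -hp<pw> (assumed usage)
VAULTZ_OUTPUT = re.compile(r"\.vaultz\b", re.I)                 # extension reported by Sophos
BURST_THRESHOLD = 3                   # password-protected archives on one host ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this window is a "burst"


def parse(line):
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "image": image, "cmdline": cmdline}


def is_suspicious(ev):
    """Single-event indicator: an archiver binary invoked with a password switch."""
    return bool(ARCHIVER.search(ev["image"]) and PASSWORD_SWITCH.search(ev["cmdline"]))


def find_alerts(log_text):
    """Return sorted (host, reason) pairs: 'vaultz-archive' for any .vaultz output,
    'archive-burst' when BURST_THRESHOLD suspicious runs land inside BURST_WINDOW."""
    alerts = set()
    recent = defaultdict(list)  # host -> timestamps of recent suspicious archiver runs
    for line in log_text.splitlines():
        ev = parse(line)
        if not is_suspicious(ev):
            continue
        if VAULTZ_OUTPUT.search(ev["cmdline"]):
            alerts.add((ev["host"], "vaultz-archive"))
        window = [t for t in recent[ev["host"]] if ev["ts"] - t <= BURST_WINDOW]
        window.append(ev["ts"])
        recent[ev["host"]] = window
        if len(window) >= BURST_THRESHOLD:
            alerts.add((ev["host"], "archive-burst"))
    return sorted(alerts)


if __name__ == "__main__":
    for host, reason in find_alerts(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

The single run on WS07 is password-protected but produces no alert on its own; the burst rule is what separates a user archiving one report from a tool archiving a file share one file at a time.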