
New Ransomware Family "Ymir" Identified in Cybersecurity Investigation
Quick take - A new ransomware family named “Ymir” has been discovered, characterized by sophisticated tactics and tools used by attackers to infiltrate systems, reduce security, and encrypt files while generating ransom notes, highlighting the need for improved cybersecurity measures among organizations.
Fast Facts
- A new ransomware family named “Ymir” has been discovered, posing a sophisticated threat to organizations, with initial access gained via PowerShell commands.
- Attackers installed various malicious tools and significantly reduced system security before deploying Ymir, which uses the ChaCha20 algorithm for file encryption.
- The malware generates a ransom note in PDF format, falsely claiming data theft, and includes a hardcoded list of file extensions to exclude from encryption.
- A YARA rule has been created for real-time detection of Ymir, with Kaspersky identifying it as Trojan-Ransom.Win64.Ymir.gen, and indicators of compromise have been established.
- The investigation revealed potential geographical links to the attackers and highlighted the need for improved cybersecurity measures and incident response strategies.
New Ransomware Family “Ymir” Identified
A new ransomware family named “Ymir” has been identified following a recent incident response investigation, highlighting a sophisticated threat to various organizations.
Attack Vector and Initial Access
The attackers reportedly gained initial access to the victim’s systems through PowerShell remote control commands. Multiple malicious tools, including Process Hacker and Advanced IP Scanner, were installed by the attackers to facilitate their operations. Before deploying the Ymir ransomware, the attackers significantly reduced system security.
Analysis of Ymir’s Tactics
The analysis of Ymir’s tactics, techniques, and procedures (TTPs) reveals a range of evasion techniques. Operations were performed in memory using functions such as malloc, memmove, and memcmp. Static analysis of the malware indicated that the binary is not packed, as evidenced by its low entropy. The binary imports several API functions commonly associated with ransomware, such as CryptAcquireContextA and WinExec. It utilizes code from the CryptoPP library for its cryptographic functions.
The malware is designed to gather system information through various API calls, including GetSystemTimeAsFileTime and GetCurrentProcessId. It employs execution restrictions, such as a parameter that disables the self-deletion of the binary. A hardcoded list of file extensions is included to exclude specific files from encryption. Dynamic analysis demonstrated extensive use of the memmove function, which is critical for loading instructions and enumerating files for encryption purposes.
Ymir uses the ChaCha20 algorithm to encrypt files, appending the extension .6C5oy2dVr6 to the encrypted files. In every directory affected, a ransom note is generated in PDF format, instructing victims on how to contact the attackers. The ransom note claims that data has been stolen, despite the malware lacking network capabilities for actual data exfiltration. A comment in the Lingala language found within the malware hints at potential geographical links to the attackers.
Complications and Detection
The attackers’ operations were further complicated by the prior deployment of a RustyStealer threat. This initial malware, identified as a PE file named AudioDriver2.0.exe, was executed two days before Ymir’s deployment. It was capable of gathering file system information and allowed the attackers to control the systems. They reportedly compromised a domain controller, which facilitated the infiltration of other systems. PowerShell scripts were executed to establish covert channels to external IP addresses, presumably for data exfiltration.
To combat this emerging threat, a YARA rule has been developed for real-time detection of the Ymir ransomware based on file types and relevant strings. Kaspersky products have identified Ymir as Trojan-Ransom.Win64.Ymir.gen. Indicators of compromise have been established, including specific file hashes and associated IP addresses. The identification of a similar sample originating from Pakistan suggests that the attackers may be utilizing VPN or Tor for their operations. A test sample of the malware, which did not encrypt files or generate a ransom note, indicates that it was likely used for testing detection evasion.
The emergence of Ymir ransomware underscores the pressing need for organizations to enhance their cybersecurity measures and incident response strategies.
Original Source: Read the Full Article Here