New Ransomware Family 'Ymir' Discovered by Kaspersky Researchers
Quick take - A new ransomware family named ‘Ymir’ has been identified by Kaspersky researchers, operating in conjunction with the RustyStealer infostealer malware, and poses a potential threat to global companies by exploiting previously compromised systems.
Fast Facts
- A new ransomware family named ‘Ymir’ has been discovered by Kaspersky, operating alongside the RustyStealer infostealer malware.
- Ymir specifically targets systems previously compromised by RustyStealer, which infiltrates networks to harvest credentials.
- The ransomware operates entirely from memory, using advanced evasion techniques and the ChaCha20 stream cipher for file encryption.
- Ymir generates a ransom note claiming stolen information and modifies the Windows Registry to display an extortion demand before user login.
- Kaspersky warns that the combination of information stealers like RustyStealer and ransomware like Ymir poses a significant threat to companies globally.
New Ransomware Family ‘Ymir’ Emerges
A new ransomware family, identified as Ymir, has emerged in the cybercrime landscape. Kaspersky researchers discovered Ymir during an incident response investigation. This ransomware is notable for its operation alongside the RustyStealer infostealer malware, which is a credential-harvesting tool first documented in 2021. The collaboration between Ymir and RustyStealer highlights a troubling trend in cybercrime operations.
Targeting Compromised Systems
Ymir specifically targets systems previously compromised by RustyStealer. RustyStealer infiltrates networks to gain unauthorized access, and Kaspersky’s analysis revealed that it breached targeted systems two days before Ymir’s deployment. Attackers use legitimate high-privilege accounts to facilitate lateral movement within networks, employing tools such as Windows Remote Management (WinRM) and PowerShell for remote control. Other tools like Process Hacker and Advanced IP Scanner aid their operations. Scripts associated with the SystemBC malware are executed to establish covert channels for potential data exfiltration or command execution.
Once attackers secure access to a system, Ymir is deployed as the final payload. Ymir operates entirely from memory, using functions like malloc, memmove, and memcmp to evade detection. Upon execution, Ymir performs system reconnaissance, checking system dates, identifying running processes, and assessing system uptime.
Encryption and Ransom Note
Ymir is programmed to avoid encrypting files with certain extensions to prevent critical system boot issues. It utilizes the ChaCha20 stream cipher for encrypting files, known for its speed and security. Encrypted files are assigned a random extension, such as .6C5oy2dVr6. A ransom note titled “INCIDENT_REPORT.pdf” is generated in directories containing these files, claiming that information was stolen from the victim’s system. This likely indicates that tools deployed prior to Ymir’s activation facilitated data theft.
To further its evasion tactics, Ymir modifies the Windows Registry, changing the “legalnoticecaption” value to display an extortion demand before user login. Ymir also scans for PowerShell on the system and deletes its own executable to hinder detection and analysis.
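The registry change and ransom-note file described above are the two host-level traces a responder can check for directly. The following triage script is an added example for this article and is not Kaspersky's or the article's code; it assumes the legal-notice values sit under the standard Policies\System key and, for the last step, that Sysmon is installed so that registry value writes are logged as Event ID 13.

```powershell
# Added triage check for the Ymir traces described in the article (example code, not Kaspersky's).
# Assumptions: legalnoticecaption/legalnoticetext live under the standard Policies\System key;
# Sysmon (Event ID 13 = registry value set) may or may not be present, so that step is optional.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Findings  = @()

# 1. Pre-login banner values. Many organizations set these legitimately via Group Policy,
#    so compare the result against your known baseline rather than treating any
#    non-empty value as malicious on its own.
$Banner = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
foreach ($Name in 'legalnoticecaption', 'legalnoticetext') {
    $Value = $Banner.$Name
    if (-not [string]::IsNullOrEmpty($Value)) {
        $Findings += [pscustomobject]@{ Check = "Registry:$Name"; Detail = $Value }
    }
}

# 2. Ransom notes named INCIDENT_REPORT.pdf on every mounted fixed drive.
$Roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }).Root
$Notes = Get-ChildItem -Path $Roots -Filter 'INCIDENT_REPORT.pdf' -Recurse -File -ErrorAction SilentlyContinue
foreach ($Note in $Notes) {
    $Findings += [pscustomobject]@{ Check = 'RansomNote'; Detail = $Note.FullName }
}

# 3. Which process wrote the banner value? Sysmon Event ID 13 records the writing image,
#    which is the pivot point for the rest of the investigation (the article notes that
#    the Ymir binary deletes itself, so the log entry may be the only remaining record).
$SysmonLog = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $SysmonLog -ErrorAction SilentlyContinue) {
    Get-WinEvent -FilterHashtable @{ LogName = $SysmonLog; Id = 13 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'legalnotice(caption|text)' } |
        ForEach-Object {
            # Keep only the leading lines of the message (event type, time, process) for the table.
            $Head = ($_.Message -split "`r?`n")[0..5] -join ' | '
            $Findings += [pscustomobject]@{ Check = 'Sysmon13'; Detail = $Head }
        }
}

if ($Findings.Count -eq 0) { 'No Ymir-style traces found.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it elevated on a suspected host; a banner value you did not deploy, a ransom note hit, or a Sysmon 13 entry from an unexpected process are each worth escalating.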
Current Status and Future Concerns
As of now, Ymir has not established a data leak site, suggesting that the threat actors may be in the early stages of accumulating victim data. BleepingComputer has confirmed that the Ymir ransomware operation began in July 2024, targeting companies globally. Kaspersky has issued warnings about the potential threat posed by the combination of information stealers like RustyStealer and ransomware such as Ymir, indicating that this combination could become a significant concern in the near future.