New Ymir ransomware companions with RustyStealer in assaults

A brand new ransomware household known as ‘Ymir’ has been noticed within the wild, encrypting techniques that have been beforehand compromised by the RustyStealer infostealer malware.

RustyStealer is a recognized malware household first documented in 2021, however its look with ransomware demonstrates one other instance of the current development of cybercrime operations working collectively.

In line with Kaspersky researchers who found Ymir throughout an incident response, the novel ransomware pressure is notable for its in-memory execution, use of the African Lingala language in a code remark, use of PDF information as ransom notes, and its extension configuration choices.

Though Kaspersky has discovered proof that Ymir connects to exterior servers that may facilitate information exfiltration, the ransomware doesn’t function such a functionality.

BleepingComputer has confirmed that the ransomware operation launchedin July 2024, when it began attacking firms worldwide.

Ymir follows RustyStealer infections

Kaspersky’s evaluation revealed that Rusty stealer had infiltrated a number of techniques inside the focused infrastructure two days earlier than Ymir’s deployment.

RustyStealer, primarily a credential-harvesting device, enabled attackers to achieve unauthorized entry to techniques by compromising reliable high-privilege accounts helpful in lateral motion.

Lateral motion throughout the community was facilitated utilizing instruments like Home windows Distant Administration (WinRM) and PowerShell for distant management. On the identical time, the attackers additionally put in instruments like Course of Hacker and Superior IP Scanner.

Subsequent, they executed scripts related to the SystemBC malware and established covert channels, probably for information exfiltration or command execution, with the attackers’ infrastructure.

After solidifying the foothold and probably additionally stealing information utilizing RustyStealer, Ymir ransomware was dropped as the ultimate payload.

Ymir is a novel Home windows ransomware pressure that operates completely from reminiscence, leveraging capabilities like ‘malloc,’ ‘memove,’ and ‘memcmp,’ to evade detection.

Upon launch, it performs system reconnaissance by getting the system date and time, figuring out operating processes, and checking the system uptime, which will help decide whether or not it runs on a sandbox.

Subsequent, it skips file extensions based mostly on a hardcoded checklist to keep away from rendering the system unbootable.

Ymir makes use of the ChaCha20 stream cipher, a complicated and quick encryption algorithm, to encrypt information on the sufferer’s system.

Encrypted information are appended with a random extension, like “.6C5oy2dVr6,” and a ransom be aware named “INCIDENT_REPORT.pdf” is generated from the “.data” part of the Ymir binary in all directories containing encrypted information.

Ymir ransom note
Ymir ransom be aware
Supply: BleepingComputer

The ransomware will even modify the Home windows Registry “legalnoticecaption” worth to point out an extortion demand earlier than a person logs in to an encrypted gadget.

The ransom be aware claims that information was stolen from the sufferer’s system, and Kaspersky hypothesizes that this may need occurred utilizing instruments deployed previous to Ymir.

Lastly, Ymir scans the system for the presence of PowerShell and leverages it to delete its executable to evade identification and evaluation.

Ymir's execution process
Ymir’s execution course of
Supply: Kaspersky

Ymir has not established an information leak website but, however it could possibly be that the menace actors have simply began accumulating sufferer information.

Kaspersky warns that Ymir’s use of knowledge stealers as entry brokers may rapidly make this new ransomware household a widespread menace.

Recent articles