New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer.

“Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness,” Russian cybersecurity vendor Kaspersky said.

“Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in the memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware types, enhancing its stealth capabilities.”

Kaspersky said it observed the ransomware used in a cyber attack targeting an unnamed organization in Colombia, with the threat actors previously delivering the RustyStealer malware to harvest corporate credentials.

It is believed that the stolen credentials were used to gain unauthorized access to the company’s network in order to deploy the ransomware. While there typically is a hand-off between an initial access broker and the ransomware crew, it is not clear whether that is the case here.

“If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups,” Kaspersky researcher Cristian Souza said.

The attack is notable for installing tools like Advanced IP Scanner and Process Hacker. Also used are two scripts that are part of the SystemBC malware, which allow for setting up a covert channel to a remote IP address for exfiltrating files that are larger than 40 KB and were created after a specified date.

The ransomware binary, for its part, uses the ChaCha20 stream cipher to encrypt files, appending the extension “.6C5oy2dVr6” to each encrypted file.

“Ymir is flexible: by using the --path command, attackers can specify a directory where the ransomware should search for files,” Kaspersky said. “If a file is on the whitelist, the ransomware will skip it and leave it unencrypted. This feature gives attackers more control over what is or isn’t encrypted.”
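As an added example (not Kaspersky’s or the article’s own code): an incident-response triage script that uses the two concrete details above, the Ymir file extension and the SystemBC selection rule (files over 40 KB created after a date), to scope which files were encrypted and which may have been exfiltrated beforehand. The sample directory tree, file names and cutoff date are constructed; it assumes Python 3 and the standard library only.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Indicator given in the article: the extension Ymir appends to encrypted files.
YMIR_EXT = ".6C5oy2dVr6"
# Selection rule of the SystemBC exfiltration scripts described in the article:
# files larger than 40 KB and created after a specified date.
EXFIL_MIN_BYTES = 40 * 1024

def scope_incident(root, created_after):
    """Return (encrypted_files, exfil_candidates) found under `root`.

    encrypted_files: paths carrying the Ymir extension (scope of encryption).
    exfil_candidates: unencrypted files matching the SystemBC size/date filter,
    i.e. data that may have been staged out before encryption ran. st_ctime is
    creation time on Windows but inode-change time on POSIX (approximation).
    """
    cutoff = created_after.timestamp()
    encrypted, candidates = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # skip unreadable entries instead of aborting triage
            if name.endswith(YMIR_EXT):
                encrypted.append(path)
            elif st.st_size > EXFIL_MIN_BYTES and st.st_ctime > cutoff:
                candidates.append(path)
    return encrypted, candidates

def build_sample_tree():
    """Constructed sample tree (not from a real incident) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="ymir-triage-"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / ("q3.xlsx" + YMIR_EXT)).write_bytes(b"\0" * 128)
    (root / "finance" / "ledger.csv").write_bytes(b"a" * 64 * 1024)  # > 40 KB
    (root / "hr" / ("notes.docx" + YMIR_EXT)).write_bytes(b"\0" * 128)
    (root / "hr" / "readme.txt").write_bytes(b"b" * 1024)  # too small to match
    return root

def run_sample():
    """Triage the constructed tree; returns (encrypted_count, candidate_count)."""
    cutoff = datetime(2024, 1, 1, tzinfo=timezone.utc)
    enc, cand = scope_incident(build_sample_tree(), cutoff)
    return len(enc), len(cand)
```

Point `scope_incident` at a recovered share with the date the intrusion is believed to have started to get a first list of files for breach-notification review.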

The development comes as the attackers behind the Black Basta ransomware have been observed using Microsoft Teams chat messages to engage with potential targets and incorporating malicious QR codes to facilitate initial access by redirecting them to a fraudulent domain.

“The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment,” ReliaQuest said. “Ultimately, the attackers’ end goal in these incidents is almost certainly the deployment of ransomware.”

The cybersecurity company said it also identified instances where the threat actors attempted to deceive users by masquerading as IT support personnel and tricking them into using Quick Assist to gain remote access, a technique that Microsoft warned about in May 2024.

As part of the vishing attack, the threat actors instruct the victim to install remote desktop software such as AnyDesk or launch Quick Assist in order to obtain remote access to the system.

It is worth mentioning here that a previous iteration of the attack employed malspam tactics, inundating employees’ inboxes with thousands of emails and then calling up the employee while posing as the company’s IT help desk to purportedly help resolve the issue.

Ransomware attacks involving the Akira and Fog families have also benefited from systems running SonicWall SSL VPNs that are unpatched against CVE-2024-40766 to breach victim networks. As many as 30 new intrusions leveraging this tactic were detected between August and mid-October 2024, per Arctic Wolf.

These events reflect the continued evolution of ransomware and the persistent threat it poses to organizations worldwide, even as law enforcement efforts to disrupt the cybercrime groups have led to further fragmentation.

Last month, Secureworks, which is set to be acquired by Sophos early next year, revealed that the number of active ransomware groups has seen a 30% year-over-year increase, driven by the emergence of 31 new groups in the ecosystem.

“Despite this growth in ransomware groups, victim numbers did not rise at the same pace, showing a significantly more fragmented landscape posing the question of how successful these new groups might be,” the cybersecurity firm said.

Data shared by NCC Group shows that a total of 407 ransomware cases were recorded in September 2024, down from 450 in August, a 10% drop month-over-month. In contrast, 514 ransomware attacks were registered in September 2023. Some of the major sectors targeted during the period include industrial, consumer discretionary, and information technology.

That’s not all. In recent months, the use of ransomware has extended to politically motivated hacktivist groups like CyberVolk, which have wielded “ransomware as a tool for retaliation.”

U.S. officials, in the meantime, are seeking new ways to counter ransomware, including urging cyber insurance companies to stop reimbursing ransom payments in an attempt to dissuade victims from paying in the first place.

“Some insurance company policies — for example covering reimbursement of ransomware payments — incentivise payment of ransoms that fuel cyber crime ecosystems,” Anne Neuberger, U.S. Deputy National Security Adviser for Cyber and Emerging Technology, wrote in a Financial Times opinion piece. “This is a troubling practice that must end.”