New Ymir Ransomware Utilizes Memory for Stealthy Attacks; Targets Corporate Networks
November 12, 2024
Cybersecurity researchers have identified a new ransomware family, Ymir, that was used in an attack just two days after systems were compromised by RustyStealer, a stealer malware. According to Russian cybersecurity vendor Kaspersky, Ymir ransomware employs a unique blend of technical features and tactics, which enhance its effectiveness. The threat actors utilized a novel combination of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in memory. This method deviates from the usual sequential execution flow seen in common ransomware types, thus enhancing its stealth capabilities.
Kaspersky observed the ransomware being used in a cyber attack on an unnamed organization in Colombia. The threat actors had previously delivered the RustyStealer malware to collect corporate credentials. It's believed that these stolen credentials were used to gain unauthorized access to the company's network to deploy the ransomware. The connection between the initial access broker and the ransomware crew was not clear. Kaspersky researcher Cristian Souza noted, "If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups."
The attack is noteworthy for installing tools like Advanced IP Scanner and Process Hacker. Also utilized are two scripts that are part of the SystemBC malware and allow for setting up a covert channel to a remote IP address for exfiltrating files with a size greater than 40 KB that were created after a specified date. The ransomware binary uses the stream cipher ChaCha20 algorithm to encrypt files, appending the extension ".6C5oy2dVr6" to each encrypted file. According to Kaspersky, "Ymir is flexible: by using the --path command, attackers can specify a directory where the ransomware should search for files. If a file is on the whitelist, the ransomware will skip it and leave it unencrypted. This feature gives attackers more control over what is or isn't encrypted."
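As an added defender-side triage example (not code from the article or from Kaspersky), the following Python walks a directory tree, flags files carrying the reported ".6C5oy2dVr6" extension, and applies a byte-entropy check to surface ChaCha20-encrypted content that has not (yet) been renamed; the sample tree, the 4 KB sampling window and the 7.5 bits/byte threshold are constructed assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

# Extension Kaspersky reports Ymir appending to each encrypted file (from the article).
YMIR_EXT = ".6C5oy2dVr6"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Stream-cipher output (ChaCha20) approaches 8.0; ordinary
    documents usually sit well below 6. Note that compressed formats (zip, jpeg,
    docx) are also high-entropy, so treat hits as leads, not verdicts."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_tree(root: str, sample_bytes: int = 4096, entropy_threshold: float = 7.5) -> dict:
    """Scan a tree. Returns {"renamed": [...], "high_entropy": [...]} with paths
    relative to root: files already carrying the Ymir extension, and files whose
    leading bytes look like ciphertext even though they were not renamed."""
    renamed, high_entropy = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name.endswith(YMIR_EXT):
            renamed.append(rel)
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        # Very small files give unreliable entropy estimates; skip them.
        if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
            high_entropy.append(rel)
    return {"renamed": sorted(renamed), "high_entropy": sorted(high_entropy)}


def demo() -> dict:
    """Constructed sample tree: one renamed file, one unrenamed random blob
    standing in for ciphertext, and one plain-text file that should not fire."""
    root = tempfile.mkdtemp()
    (Path(root) / ("report.docx" + YMIR_EXT)).write_bytes(os.urandom(4096))
    (Path(root) / "archive.bin").write_bytes(os.urandom(4096))
    (Path(root) / "notes.txt").write_bytes(b"quarterly numbers, draft v2\n" * 200)
    return triage_tree(root)
```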
The Black Basta ransomware attackers have been seen using Microsoft Teams chat messages to interact with potential targets and incorporating malicious QR codes to facilitate initial access by redirecting them to a fraudulent domain. The threat actors instruct the victim to install remote desktop software such as AnyDesk or launch Quick Assist in order to obtain remote access to the system. According to cybersecurity company ReliaQuest, "The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment. Ultimately, the attackers' end goal in these incidents is almost certainly the deployment of ransomware."
Ransomware attacks involving Akira and Fog families have also benefited from systems running SonicWall SSL VPNs that are unpatched against CVE-2024-40766 to breach victim networks. Arctic Wolf detected as many as 30 new intrusions leveraging this tactic between August and mid-October 2024. These developments reflect the ongoing evolution of ransomware and the persistent threat it poses to organizations around the world, even as law enforcement efforts to disrupt cybercrime groups have led to further fragmentation. According to Secureworks, the number of active ransomware groups has witnessed a 30% year-over-year increase, driven by the emergence of 31 new groups in the ecosystem.