November 23, 2024
New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks
Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer. "Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness," Russian cybersecurity vendor Kaspersky said. "Threat actors leveraged an unconventional blend

Cybersecurity researchers have flagged a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a stealer malware called RustyStealer.

“Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness,” Russian cybersecurity vendor Kaspersky said.

“Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in the memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware types, enhancing its stealth capabilities.”

Kaspersky said it observed the ransomware used in a cyber attack targeting an unnamed organization in Colombia, with the threat actors previously delivering the RustyStealer malware to gather corporate credentials.

It’s believed that the stolen credentials were used to gain unauthorized access to the company’s network in order to deploy the ransomware. While there typically exists a hand-off between an initial access broker and the ransomware crew, it’s not clear if that’s the case here.

“If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups,” Kaspersky researcher Cristian Souza said.

The attack is notable for installing tools like Advanced IP Scanner and Process Hacker. Also utilized are two scripts that are part of the SystemBC malware, which allow for setting up a covert channel to a remote IP address for exfiltrating files that have a size greater than 40 KB and are created after a specified date.

The ransomware binary, for its part, uses the stream cipher ChaCha20 algorithm to encrypt files, appending the extension “.6C5oy2dVr6” to each encrypted file.

“Ymir is flexible: by using the –path command, attackers can specify a directory where the ransomware should search for files,” Kaspersky said. “If a file is on the whitelist, the ransomware will skip it and leave it unencrypted. This feature gives attackers more control over what is or isn’t encrypted.”

The development comes as the attackers behind the Black Basta ransomware have been spotted using Microsoft Teams chat messages to engage with prospective targets and incorporating malicious QR codes to facilitate initial access by redirecting them to a fraudulent domain.

“The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment,” ReliaQuest said. “Ultimately, the attackers’ end goal in these incidents is almost certainly the deployment of ransomware.”

The cybersecurity company said it also identified instances where the threat actors attempted to trick users by masquerading as IT support personnel and tricking them into using Quick Assist to gain remote access, a technique that Microsoft warned about in May 2024.

As part of the vishing attack, the threat actors instruct the victim to install remote desktop software such as AnyDesk or launch Quick Assist in order to obtain remote access to the system.

It’s worth mentioning here that a previous iteration of the attack employed malspam tactics, inundating employees’ inboxes with thousands of emails and then calling up the employee by posing as the company’s IT help desk to purportedly help solve the issue.

Ransomware attacks involving Akira and Fog families have also benefited from systems running SonicWall SSL VPNs that are unpatched against CVE-2024-40766 to breach victim networks. As many as 30 new intrusions leveraging this tactic have been detected between August and mid-October 2024, per Arctic Wolf.

These events reflect the continued evolution of ransomware and the persistent threat it poses to organizations worldwide, even as law enforcement efforts to disrupt the cybercrime groups have led to further fragmentation.

Last month, Secureworks, which is set to be acquired by Sophos early next year, revealed that the number of active ransomware groups has witnessed a 30% year-over-year increase, driven by the emergence of 31 new groups in the ecosystem.

“Despite this growth in ransomware groups, victim numbers did not rise at the same pace, showing a significantly more fragmented landscape posing the question of how successful these new groups might be,” the cybersecurity firm said.

Data shared by NCC Group shows that a total of 407 ransomware cases were recorded in September 2024, down from 450 in August, a 10% drop month-over-month. In contrast, 514 ransomware attacks were registered in September 2023. Some of the major sectors targeted during the time period include industrial, consumer discretionary, and information technology.

That’s not all. In recent months, the use of ransomware has extended to politically motivated hacktivist groups like CyberVolk, which have wielded “ransomware as a tool for retaliation.”

U.S. officials, in the meanwhile, are seeking new ways to counter ransomware, including urging cyber insurance companies to stop reimbursements for ransom payments in an attempt to dissuade victims from paying up in the first place.

“Some insurance company policies — for example covering reimbursement of ransomware payments — incentivise payment of ransoms that fuel cyber crime ecosystems,” Anne Neuberger, U.S. Deputy National Security Adviser for Cyber and Emerging Technology, wrote in a Financial Times opinion piece. “This is a troubling practice that must end.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.