New Ymir Ransomware Targets Corporate Networks and Uses Memory for Covert Attacks

0
34
New Ymir Ransomware Targets Corporate Networks and Uses Memory for Covert Attacks
New Ymir Ransomware Targets Corporate Networks and Uses Memory for Covert Attacks

Two days after systems were infiltrated by stealer malware known as RustyStealer, a new ransomware family known as Ymir was used in an attack, according to cybersecurity analysts.

“Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness,” Russian cybersecurity vendor Kaspersky said.

“Threat actors leveraged an unconventional blend of memory management functions—malloc, memmove, and memcmp—to execute malicious code directly in the memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware types, enhancing its stealth capabilities.”

According to Kaspersky, the ransomware was employed in a cyberattack against an unidentified Colombian firm. The threat actors had previously used the RustyStealer malware to obtain corporate credentials.

It is thought that the ransomware was installed via gaining illegal access to the company’s network using the credentials that were stolen. Although a handoff between an initial access broker and the ransomware team is common, it’s unclear if this is the case in this instance.

“If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional ransomware-as-a-service (RaaS) groups,” Kaspersky researcher Cristian Souza said.

The installation of programs like Process Hacker and Advanced IP Scanner is what makes the attack noteworthy. Two scripts included in the SystemBC virus are also used; they enable the establishment of a secret channel to a distant IP address for the purpose of exfiltrating files larger than 40 KB and created after a given date.

On the other hand, the ransomware program encrypts files using the stream cipher ChaCha20 algorithm and adds the extension “.6C5oy2dVr6” to each encrypted file.

“Ymir is flexible: by using the –path command, attackers can specify a directory where the ransomware should search for files,” Kaspersky said. “If a file is on the whitelist, the ransomware will skip it and leave it unencrypted. This feature gives attackers more control over what is or isn’t encrypted.”

This comes as the hackers responsible for the Black Basta ransomware have been observed interacting with potential victims using Microsoft Teams chat messages and utilizing malicious QR codes to get initial access by rerouting them to a phony domain.

“The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment,” ReliaQuest said. “Ultimately, the attackers’ end goal in these incidents is almost certainly the deployment of ransomware.”

According to the cybersecurity firm, it also found cases in which threat actors tried to fool customers by posing as IT support staff and misleading them into using Quick Assist to obtain remote access—a tactic Microsoft forewarned of in May 2024.

In order to gain remote access to the machine, the threat actors in a vishing attack tell the victim to install remote desktop software like AnyDesk or start Quick Assist.

It’s important to note that a prior version of the attack used spam techniques, flooding employees’ inboxes with thousands of emails before phoning the employee and claiming to be the company’s IT help desk in an attempt to assist with the problem.

Unpatched SonicWall SSL VPNs against CVE-2024-40766 have also been used to breach target networks in ransomware operations involving the Akira and Fog families. According to Arctic Wolf, up to 30 additional intrusions using this technique were discovered between August and mid-October 2024.

These incidents demonstrate how ransomware is still evolving and how dangerous it is to businesses all over the world, despite the fact that efforts by law enforcement to dismantle the criminal organizations have further fragmented the market.

The number of active ransomware groups has increased by 30% year over year, according to a report released last month by Secureworks, which is scheduled to be bought by Sophos early next year. This growth is mostly due to the introduction of 31 new groups into the ecosystem.

“Despite this growth in ransomware groups, victim numbers did not rise at the same pace, showing a significantly more fragmented landscape, posing the question of how successful these new groups might be,” the cybersecurity firm said.

According to data released by NCC Group, there were 407 ransomware occurrences in September 2024, compared to 450 in August—a 10% decrease from the previous month. In September 2023, on the other hand, 514 ransomware incidents were reported. Information technology, consumer discretionary, and industry were some of the main areas targeted during that time.

But that’s not all. Ransomware has been used by politically driven hacktivist organizations like CyberVolk in recent months, who have used “ransomware as a tool for retaliation.”

Meanwhile, in an effort to discourage victims from paying up in the first place, U.S. officials are looking for new measures to combat ransomware, such as pressuring cyber insurance providers to halt reimbursements for ransom payments.

“Some insurance company policies—for example, covering reimbursement of ransomware payments—incentivize payment of ransoms that fuel cyber crime ecosystems,” Anne Neuberger, U.S. Deputy National Security Adviser for Cyber and Emerging Technology, wrote in a Financial Times opinion piece. “This is a troubling practice that must end.”

Also readViksit Workforce for a Viksit Bharat

Do FollowCIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter 

About us:

CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.