Kaspersky’s Global Emergency Response Team has identified a previously unseen ransomware strain in active use, deployed in an attack following the theft of employee credentials. The ransomware, dubbed “Ymir”, employs advanced stealth and encryption methods. It also selectively targets files and attempts to evade detection.
Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness.
Uncommon memory manipulation techniques for stealth. Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in the memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware types, enhancing its stealth capabilities. Furthermore, Ymir is flexible: by using the –path command, attackers can specify a directory where the ransomware should search for files. If a file is on the whitelist, the ransomware will skip it and leave it unencrypted. This feature gives attackers more control over what is or isn’t encrypted.
Use of data-stealing malware. In the attack observed by Kaspersky experts, which took place on an organization in Colombia, threat actors were observed using RustyStealer, a type of malware that steals information, to obtain corporate credentials from employees. These were then utilized to gain access to the organization’s systems and maintain control long enough to deploy ransomware. This type of attack is known as initial access brokerage, where attackers infiltrate systems and sustain access. Typically, initial access brokers sell the access they gain on the dark web to other cybercriminals, but in this case, they appear to have continued the attack themselves by deploying ransomware. “If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups,” explains Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.
Ymir’s ransom note
Advanced encryption algorithm. The ransomware employs ChaCha20, a modern stream cipher known for its speed and security, even outperforming Advanced Encryption Standard (AES).
Although the threat actor behind this attack has not shared any stolen data publicly or made further demands, researchers are closely monitoring it for any new activity. “We haven’t observed any new ransomware groups emerging in the underground market yet. Typically, attackers use shadow forums or portals to leak information as a way to pressure victims into paying the ransom, which is not the case with Ymir. Given this, the question of which group is behind the ransomware remains open, and we suspect this may be a new campaign,” elaborates Cristian Souza.
Looking for a name for the new threat, Kaspersky experts considered a Saturnian moon called Ymir. It is an “irregular” moon that travels in the opposite direction of the planet’s rotation – a trait that intriguingly resembles the unconventional blend of memory management functions used in the new ransomware.
The detailed analysis is presented on Securelist.
Kaspersky products can now detect this ransomware as Trojan-Ransom.Win64.Ymir.gen. The company’s experts recommend the following general measures to mitigate ransomware attacks:
- Implement a frequent backup schedule and conduct regular testing.
- Provide employees with regular cybersecurity training to increase their awareness of cyber threats like data-stealing malware, and to teach effective mitigation strategies.
- If you’ve fallen victim to ransomware and there is no known decryptor yet, save your critical encrypted files. A decryption solution may emerge within an ongoing threat research effort or if the authorities manage to seize control of the actor behind the threat.
- It is recommended not to pay the ransom. Paying encourages malware creators to continue their operations, but it doesn’t ensure the safe and reliable return of files.
- To protect the company against a wide range of threats, use solutions from the Kaspersky Next product line that provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organizations of any size and industry. Depending on your current needs and available resources, you can choose the most relevant product tier, with the flexibility to easily migrate to another one as your cybersecurity requirements evolve. Reduce your attack surface by disabling unused services and ports.
- Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle—from threat identification to continuous protection and remediation. They help protect against evasive cyberattacks, investigate incidents and get additional expertise even if a company lacks security workers.
The Kaspersky Security ServicesDelivering hundreds of information security projects every year for Fortune 500 organizations worldwide: incident response, managed detection, SOC consulting, red teaming, penetration testing, application security, digital risks protection. The Global Emergency Response Team is a part of Security Services, which handles hundreds of incidents annually, building a clear picture of attacks and sharing response recommendations.