Kaspersky identifies new stealthy ransomware

Kaspersky’s Global Emergency Response Team has identified a previously unseen ransomware strain in active use, deployed in an attack following the theft of employee credentials. The ransomware, dubbed “Ymir”, employs advanced stealth and encryption methods. It also selectively targets files and attempts to evade detection.

Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness.

Uncommon memory manipulation techniques for stealth. Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware types, enhancing its stealth capabilities. Furthermore, Ymir is flexible: by using the --path command-line option, attackers can specify a directory where the ransomware should search for files. If a file is on the whitelist, the ransomware will skip it and leave it unencrypted. This feature gives attackers more control over what is or isn’t encrypted.

Use of data-stealing malware. In the attack observed by Kaspersky experts, which targeted an organization in Colombia, threat actors used RustyStealer, a type of malware that steals information, to obtain corporate credentials from employees. These were then used to gain access to the organization’s systems and maintain control long enough to deploy ransomware. This type of attack is known as initial access brokerage, where attackers infiltrate systems and sustain access. Typically, initial access brokers sell the access they gain on the dark web to other cybercriminals, but in this case, they appear to have continued the attack themselves by deploying ransomware. “If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups,” explains Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.

Ymir's ransom note

Advanced encryption algorithm. The ransomware employs ChaCha20, a modern stream cipher known for its speed and security, even outperforming the Advanced Encryption Standard (AES).

Although the threat actor behind this attack has not shared any stolen data publicly or made further demands, researchers are closely monitoring it for any new activity. “We haven’t observed any new ransomware groups emerging in the underground market yet. Typically, attackers use shadow forums or portals to leak information as a way to pressure victims into paying the ransom, which is not the case with Ymir. Given this, the question of which group is behind the ransomware remains open, and we suspect this may be a new campaign,” elaborates Cristian Souza.

Looking for a name for the new threat, Kaspersky experts considered a Saturnian moon called Ymir. It is an “irregular” moon that travels in the opposite direction of the planet’s rotation – a trait that intriguingly resembles the unconventional blend of memory management functions used in the new ransomware.
