African Ymir Ransomware Enters the World Stage

Companies lose control of their systems in just a few minutes.

A recent investigation by Kaspersky Lab revealed a new ransomware family, Ymir, that is being actively used by cybercriminals. The malware uses advanced detection-evasion techniques, performing its operations in memory with functions such as malloc and memmove.

In the attack chain reviewed by the experts, the attackers gained access to the victim's system via PowerShell, installed the Process Hacker and Advanced IP Scanner utilities, and then launched the Ymir ransomware. The malware encrypts files with the ChaCha20 algorithm, appends the '.6C5oy2dVr6' extension to them, and drops PDF files containing the ransom demand.

Static analysis showed that Ymir uses the CryptAcquireContext and CryptGenRandom functions for its cryptographic operations. The malware also contains commands for removing itself via PowerShell. In addition, critical libraries are loaded directly into memory, which makes it very difficult to detect.

Dynamic analysis showed that Ymir makes heavy use of the memmove function while enumerating and encrypting files, and its use of the MinGW compiler points to experienced developers who are familiar with Windows.

Interestingly, the Ymir ransomware has no built-in network capability for exfiltrating data, even though the ransom note claims that data has been stolen. This suggests that the attackers either exfiltrated the data beforehand by other means, such as FTP or cloud services, or were simply bluffing.

During the investigation of Ymir, Kaspersky Lab experts discovered its connection with another malicious program, RustyStealer, which was used to collect data and provide access to compromised systems. RustyStealer used PowerShell scripts to create hidden communication channels, which allowed the attackers to move around the infected infrastructure undetected.

A YARA rule created from the analysis of Ymir made it possible to identify a similar sample in Pakistan. This suggests that the attackers are actively testing their tooling on vulnerable systems while hiding their location behind VPNs and Tor.
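For readers who want to see what a rule built from the indicators quoted above could look like, here is an added illustrative YARA rule; it is not Kaspersky's rule and not code from the original post. It uses only the '.6C5oy2dVr6' extension, the advapi32 crypto imports and the PowerShell self-removal mentioned in the analysis; the MinGW runtime string is an assumption about MinGW-built binaries and should be validated against real samples before use.

```yara
import "pe"

// Added example, not the rule from the Kaspersky analysis.
// Indicators from the post: ransom extension, CryptAcquireContext/CryptGenRandom
// imports, PowerShell-based self-removal. The MinGW CRT string is an assumption.
rule Ymir_Ransomware_Heuristic_Example
{
    meta:
        description = "Heuristic for Ymir-like ransomware samples (illustrative only)"
        reference   = "Kaspersky Lab analysis of Ymir as summarised in the post above"

    strings:
        $ext_a  = ".6C5oy2dVr6" ascii                  // extension appended to encrypted files
        $ext_w  = ".6C5oy2dVr6" wide                   // same, in UTF-16 as Windows APIs see it
        $ps     = "powershell" ascii nocase            // self-removal via PowerShell
        $mingw  = "Mingw-w64 runtime failure" ascii    // assumption: MinGW CRT artefact

    condition:
        uint16(0) == 0x5A4D and                        // PE header ("MZ")
        filesize < 10MB and
        pe.imports("advapi32.dll", "CryptGenRandom") and
        ( pe.imports("advapi32.dll", "CryptAcquireContextA") or
          pe.imports("advapi32.dll", "CryptAcquireContextW") ) and
        any of ($ext_*) and
        ( $ps or $mingw )
}
```

The import checks alone will match plenty of legitimate software, so the extension string is what carries the rule; tune the filesize bound and the MinGW condition on your own sample set before deploying it.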

The data discovered also included a comment written in Lingala, a language spoken in Africa, which may hint at the origin of the malware's developers. However, there is no definitive information on the group behind the attacks.

Experts warn that the new ransomware poses a serious threat to companies, especially those without comprehensive incident-response measures. Detecting the threat is difficult because of its ability to hide and to quickly destroy the traces of its presence on a system.
