New Ymir ransomware partners with RustyStealer in attacks

A new ransomware family called ‘Ymir’ has been spotted in the wild, encrypting systems that were previously compromised by the RustyStealer infostealer malware.

RustyStealer is a known malware family first documented in 2021, but its appearance with ransomware demonstrates another example of the recent trend of cybercrime operations working together.

According to Kaspersky researchers who discovered Ymir during an incident response, the novel ransomware strain is notable for its in-memory execution, use of the African Lingala language in a code comment, use of PDF files as ransom notes, and its extension configuration options.

Although Kaspersky has found evidence that Ymir connects to external servers that might facilitate data exfiltration, the ransomware does not feature such a capability.

GeekFeed has confirmed that the ransomware operation launchedin July 2024, when it started attacking companies worldwide.

Ymir follows RustyStealer infections

Kaspersky’s analysis revealed that Rusty stealer had infiltrated multiple systems within the targeted infrastructure two days before Ymir’s deployment.

RustyStealer, essentially a credential-harvesting tool, enabled attackers to gain unauthorized access to systems by compromising legitimate high-privilege accounts useful in lateral movement.

Lateral movement across the network was facilitated using tools like Windows Remote Management (WinRM) and PowerShell for remote control. At the same time, the attackers also installed tools like Process Hacker and Advanced IP Scanner.

Next, they executed scripts associated with the SystemBC malware and established covert channels, possibly for data exfiltration or command execution, with the attackers’ infrastructure.

After solidifying the foothold and possibly also stealing data using RustyStealer, Ymir ransomware was dropped as the final payload.

Ymir is a novel Windows ransomware strain that operates entirely from memory, leveraging functions like ‘malloc,’ ‘memove,’ and ‘memcmp,’ to evade detection.

Upon launch, it performs system reconnaissance by getting the system date and time, identifying running processes, and checking the system uptime, which can help determine whether it runs on a sandbox.

Next, it skips file extensions based on a hardcoded list to avoid rendering the system unbootable.

Ymir uses the ChaCha20 stream cipher, an advanced and fast encryption algorithm, to encrypt files on the victim’s system.

Encrypted files are appended with a random extension, like “.6C5oy2dVr6,” and a ransom note named “INCIDENT_REPORT.pdf” is generated from the “.data” section of the Ymir binary in all directories containing encrypted files.

The ransomware will also modify the Windows Registry “legalnoticecaption” value to show an extortion demand before a user logs in to an encrypted device.

The ransom note claims that data was stolen from the victim’s system, and Kaspersky hypothesizes that this might have occurred using tools deployed prior to Ymir.

Finally, Ymir scans the system for the presence of PowerShell and leverages it to delete its executable to evade identification and analysis.

Ymir has not established a data leak site yet, but it could be that the threat actors have just started accumulating victim data.

Kaspersky warns that Ymir’s use of information stealers as access brokers could quickly make this new ransomware family a widespread threat.