New Ymir Ransomware Family Unveiled: Exploits Memory for Stealthy Attacks on Corporate Networks

Cybersecurity researchers have uncovered a new ransomware strain, Ymir, which surfaced in an attack just two days after systems were breached by RustyStealer, a malware designed to steal credentials.

According to Kaspersky, a Russian cybersecurity firm, "Ymir ransomware introduces a distinct blend of technical features and tactics to enhance its effectiveness." The ransomware uses unconventional memory functions—malloc, memmove, and memcmp—to execute malicious code directly in memory, bypassing the usual sequential execution path seen in other ransomware. This unique approach allows it to evade detection more effectively.

In a recent incident, Kaspersky observed Ymir ransomware targeting an organization in Colombia. Threat actors initially deployed RustyStealer to collect corporate credentials, which were likely used for unauthorized access to the network and the subsequent deployment of Ymir ransomware. Unlike typical ransomware incidents involving an initial access broker, the attackers in this case may have managed the entire operation independently, potentially indicating a shift away from traditional Ransomware-as-a-Service (RaaS) models.

The attack featured tools such as Advanced IP Scanner and Process Hacker, alongside two scripts from the SystemBC malware, enabling covert data exfiltration from the compromised network. Ymir ransomware uses the ChaCha20 cipher to encrypt files, appending the extension ".6C5oy2dVr6" to affected files. A flexible feature allows attackers to specify directories to target while leaving specific files untouched through a whitelist, giving them granular control over what is encrypted.
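As an added illustration (not code from the Kaspersky report or this article), the following detector flags hosts where files are being renamed to the `.6C5oy2dVr6` extension named above, escalating when several such renames land within a short window, which is the mass-encryption pattern a responder would want paged. The log export format, hostnames and paths are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# File extension Ymir appends to encrypted files, as reported above.
YMIR_EXT = ".6C5oy2dVr6"

# Constructed sample file-event export (not real telemetry). Hypothetical format:
# "<ISO timestamp> <host> <action> <detail>", with RENAME detail written as "old -> new".
SAMPLE_EVENTS = r"""
2024-10-01T10:00:01 WS01 RENAME C:\Users\a\Documents\q3.xlsx -> C:\Users\a\Documents\q3.xlsx.6C5oy2dVr6
2024-10-01T10:00:02 WS01 RENAME C:\Users\a\Documents\plan.docx -> C:\Users\a\Documents\plan.docx.6C5oy2dVr6
2024-10-01T10:00:05 WS01 RENAME C:\Users\a\Pictures\img1.jpg -> C:\Users\a\Pictures\img1.jpg.6C5oy2dVr6
2024-10-01T10:00:09 WS01 RENAME C:\Users\a\Pictures\img2.jpg -> C:\Users\a\Pictures\img2.jpg.6C5oy2dVr6
2024-10-01T10:00:30 WS01 PROCESS C:\Windows\System32\notepad.exe
2024-10-01T11:15:00 WS02 RENAME C:\Shares\old\report.pdf -> C:\Shares\old\report.pdf.6C5oy2dVr6
2024-10-01T11:16:00 WS02 RENAME C:\Shares\old\notes.txt -> C:\Shares\old\notes.bak
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def parse_events(text):
    """Parse the export into (timestamp, host, action, detail) tuples, skipping malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, action, detail = m.groups()
            events.append((datetime.fromisoformat(ts), host, action, detail))
    return events

def detect_ymir_activity(events, threshold=3, window=timedelta(seconds=60)):
    """Per host: total renames to YMIR_EXT, and whether >= threshold of them fell within `window`.
    A single hit is already an indicator; a burst is the mass-encryption pattern."""
    per_host = defaultdict(list)
    for ts, host, action, detail in events:
        if action == "RENAME" and detail.endswith(YMIR_EXT):
            per_host[host].append(ts)
    report = {}
    for host, times in per_host.items():
        times.sort()
        start, burst = 0, False
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
        report[host] = {"hits": len(times), "burst": burst}
    return report

if __name__ == "__main__":
    print(detect_ymir_activity(parse_events(SAMPLE_EVENTS)))
```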

Meanwhile, other ransomware groups like Black Basta have adopted novel tactics to gain initial access, such as using Microsoft Teams chats and malicious QR codes. Once initial access is gained, the attackers often employ social engineering, persuading users to download remote management tools like AnyDesk or Quick Assist to enable remote control.

In addition to these tactics, recent ransomware campaigns involving Akira and Fog have targeted unpatched SonicWall SSL VPNs, exploiting CVE-2024-40766. Arctic Wolf reports that at least 30 incidents were identified between August and mid-October 2024, showcasing how vulnerabilities in widely used systems can lead to network breaches.

The ransomware threat landscape continues to evolve, with Secureworks noting a 30% rise in active ransomware groups, driven by the emergence of 31 new actors. Despite this increase, victim numbers have not grown at the same pace, suggesting a more fragmented and competitive cybercriminal environment.

Data from NCC Group shows a slight decline in ransomware cases in recent months, with 407 incidents recorded in September 2024 compared to 450 in August. Targeted sectors have included industrial, consumer discretionary, and information technology.

Notably, ransomware has also been co-opted by hacktivist groups like CyberVolk, who use it as a form of political retaliation. In response, U.S. officials are exploring ways to curb ransomware attacks, including potentially eliminating cyber insurance reimbursements for ransom payments. U.S. Deputy National Security Adviser Anne Neuberger emphasized that such reimbursements incentivize ransom payments, fueling the ransomware ecosystem.

These developments highlight the persistent risks ransomware poses to organizations globally and underscore the critical need for proactive cybersecurity measures.
