Cybersecurity researchers have identified a new ransomware family called Ymir that was deployed in an attack two days after systems were compromised by a malware called RustyStealer.
“Ymir ransomware presents a unique combination of technical features and tactics that increase its effectiveness,” Russian cybersecurity vendor Kaspersky said.
“Threat actors used an unconventional combination of memory management functions – malloc, memmove and memcmp – to execute malicious code directly in memory. This approach deviates from the typical sequential execution seen in widespread types of ransomware, improving its stealth capabilities.”
Kaspersky said it discovered the ransomware used in a cyberattack targeting an unnamed organization in Colombia, with the threat actors previously delivering RustyStealer malware to harvest corporate credentials.
It is believed that stolen credentials were used to gain unauthorized access to the company’s network for the purpose of deploying ransomware. While there is usually a handoff between the initial access broker and the ransomware team, it is not clear if this is the case here.
“If the brokers are indeed the same actors that deployed the ransomware, this could signal a new trend, creating additional hijacking options independent of traditional ransomware-as-a-service (RaaS) groups,” said Kaspersky researcher Christian Souza.
The attack is characterized by the installation of tools such as Advanced IP Scanner and Process Hacker. The attackers also used two scripts that are part of the SystemBC malware and set up a backdoor to a remote IP address in order to exfiltrate files larger than 40KB that were created after a specified date.
The ransomware binary, for its part, uses the ChaCha20 stream cipher to encrypt files, appending the “.6C5oy2dVr6” extension to each encrypted file.
“Ymir is flexible: with the --path command, attackers can specify the directory in which the ransomware should search for files,” Kaspersky said. “If the file is whitelisted, the ransomware will skip it and leave it unencrypted. This feature gives attackers more control over what is encrypted and what is not.”
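From a triage standpoint, the two observable traits above (the fixed extension and ChaCha20 output, which is statistically indistinguishable from random bytes) are what an incident responder can look for on a suspect host. The following scanner is an added example written for this article, not Kaspersky's tooling; the 7.5 bits/byte entropy cut-off and the constructed sample files are assumptions for illustration.

```python
import math
import os
import tempfile
from pathlib import Path

# Extension Kaspersky reports Ymir appending to each encrypted file (from the article).
YMIR_EXT = ".6C5oy2dVr6"
# ChaCha20 ciphertext sits close to 8 bits/byte; the 7.5 cut-off is an
# assumption chosen for this example, not a value from Kaspersky's report.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_tree(root: str, sample_bytes: int = 4096) -> list[dict]:
    """Walk `root` and report files that carry the Ymir extension or whose
    first `sample_bytes` look encrypted (high entropy). One dict per hit."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(sample_bytes)
        ent = shannon_entropy(head)
        has_ext = path.name.endswith(YMIR_EXT)
        if has_ext or ent >= ENTROPY_THRESHOLD:
            hits.append({"path": str(path), "entropy": round(ent, 2),
                         "ymir_ext": has_ext})
    return hits


def demo() -> list[dict]:
    """Constructed sample tree: one plain-text document, one random-content
    file carrying the Ymir extension, one random-content file without it."""
    root = tempfile.mkdtemp()
    Path(root, "report.docx").write_bytes(b"quarterly figures " * 200)
    Path(root, "report.docx" + YMIR_EXT).write_bytes(os.urandom(8192))
    Path(root, "unknown.bin").write_bytes(os.urandom(8192))
    return scan_tree(root)
```

The entropy check catches encrypted content even if a variant changes the extension, while the extension match flags files whose header is too short to score reliably.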
This comes after the attackers behind the Black Basta ransomware were seen using Microsoft Teams chat messages to engage with potential targets and including malicious QR codes to facilitate initial access by redirecting them to a fraudulent domain.
In a vishing attack, threat actors instruct the victim to install remote desktop software such as AnyDesk or run Quick Assist to gain remote access to the system.
“The primary motivation is likely to lay the groundwork for subsequent social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the target environment,” ReliaQuest said. “Ultimately, the ultimate goal of the attackers in these incidents is almost certainly to deploy ransomware.”
The cybersecurity company said it also found cases where threat actors impersonated IT support staff and tricked users into running Quick Assist to gain remote access, a method Microsoft warned about around May 2024.
It is worth noting that a previous iteration of the attack used spam tactics, flooding employee mailboxes with thousands of emails and then calling the employee while pretending to be the company’s IT support team, ostensibly to help resolve the issue.
Ransomware attacks involving the Akira and Fog families have also exploited systems running SonicWall SSL VPN that were not patched against CVE-2024-40766 to breach victims’ networks. Arctic Wolf said it observed about 30 new intrusions using this tactic between August and mid-October 2024.
These events reflect the continued evolution of ransomware and the constant threat it poses to organizations around the world, even as law enforcement efforts to disrupt cybercriminal groups have led to further fragmentation.
Last month, Secureworks, which is due to be acquired by Sophos early next year, revealed that the number of active ransomware groups had increased by 30% compared to last year, thanks to the introduction of 31 new groups into the ecosystem.
“Despite the rise in the number of ransomware groups, the number of victims has not grown at the same rate, demonstrating a much more fragmented landscape that raises the question of how successful these new groups can be,” the cybersecurity firm said.
Data shared by NCC Group shows that 407 ransomware cases were reported in September 2024, down 10% from the 450 reported in August. By comparison, 514 ransomware attacks were reported in September 2023. Some of the main sectors targeted during this period include industrials, consumer discretionary and information technology.
That’s not all. In recent months, the use of ransomware has spread to politically motivated hacker groups such as CyberVolk, which used “ransomware as a retribution tool”.
U.S. officials, meanwhile, are looking for new ways to fight ransomware, including urging cyber insurance companies to stop covering ransom payments in an attempt to dissuade victims from paying.
“Some insurance company policies — such as those covering ransomware reimbursements — encourage ransom payments that support cybercrime ecosystems,” Ann Neuberger, US deputy national security adviser for cyber and emerging technologies, wrote in a Financial Times article. “This is a disturbing practice that needs to end.”