
Ymir Ransomware
A novel ransomware strain named Ymir has emerged, encrypting systems previously compromised by the RustyStealer malware. RustyStealer, a credential-harvesting tool first documented in 2021, is now being used to facilitate ransomware deployment, reflecting a growing trend of collaboration among cybercriminal operations.

Kaspersky researchers discovered Ymir during an incident response engagement and noted several distinctive features: in-memory execution, code comments written in Lingala (a language spoken in Central Africa), ransom notes delivered as PDF files, and a distinctive file-extension configuration for encrypted files. Although Ymir connects to external servers, which could indicate data exfiltration capabilities, no such functionality has been confirmed.

The ransomware follows RustyStealer infections, using the stolen credentials to gain unauthorized access to systems. Attackers then use legitimate high-privilege accounts for lateral movement within the network, employing tools such as Windows Remote Management (WinRM) and PowerShell. After deploying additional tools such as Process Hacker and Advanced IP Scanner, and establishing covert channels via the SystemBC malware, Ymir is delivered as the final payload. Operating entirely from memory, it uses ChaCha20 encryption, system reconnaissance, and registry modifications to maximize its impact while evading detection.

Despite the absence of a data leak site, Kaspersky warns that Ymir's reliance on RustyStealer as an access broker could make it a significant threat in the cybersecurity landscape.
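The lateral-movement stage described above (a compromised privileged account opening remote sessions over WinRM and running PowerShell) leaves a simple trace in process-creation telemetry: a WinRM remote session runs its commands under the host process wsmprovhost.exe, so a shell whose parent is wsmprovhost.exe was started remotely. The following is an added example of that detection logic, not code from the original page or from Kaspersky. The event records are constructed and simplified; the field names are an assumption, not the exact layout of Windows event 4688 or Sysmon event 1.

```python
"""Spot shells launched through WinRM in process-creation telemetry.

Added example, not code from the original page or from Kaspersky.
The records below are constructed and simplified; field names are an
assumption, not the exact layout of Windows event 4688 or Sysmon event 1.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

WINRM_HOST = "wsmprovhost.exe"                    # host process for WinRM remote sessions
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str          # machine that recorded the event
    user: str          # account the new process runs as
    parent_image: str  # full path of the parent process
    image: str         # full path of the new process
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_winrm_shell(ev: ProcEvent) -> bool:
    """True when a shell was spawned by the WinRM host process."""
    return basename(ev.parent_image) == WINRM_HOST and basename(ev.image) in SHELLS


def find_winrm_shells(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    return [ev for ev in events if is_winrm_shell(ev)]


def hosts_per_account(events: Iterable[ProcEvent]) -> Dict[str, List[str]]:
    """Map each account to the distinct hosts where it opened a WinRM shell.

    One privileged account fanning out to many hosts is the lateral-movement
    footprint described in the text; a single host is usually routine admin work.
    """
    seen: Dict[str, set] = {}
    for ev in find_winrm_shells(events):
        seen.setdefault(ev.user.lower(), set()).add(ev.host.lower())
    return {user: sorted(hosts) for user, hosts in seen.items()}


# Constructed sample telemetry (hand-written, not data from the incident).
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent("srv01", "CORP\\svc_backup", r"C:\Windows\System32\wsmprovhost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Service"),
    ProcEvent("srv02", "CORP\\svc_backup", r"C:\Windows\System32\wsmprovhost.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("srv02", "CORP\\svc_backup", r"C:\Windows\System32\wsmprovhost.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),
    ProcEvent("dc01", "CORP\\svc_backup", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for user, hosts in hosts_per_account(SAMPLE_EVENTS).items():
        print(f"{user}: WinRM shells on {', '.join(hosts)}")
```

The local PowerShell session on ws01 (parent explorer.exe) is not flagged; the three sessions under wsmprovhost.exe are, and grouping them by account shows svc_backup reaching two servers, which is the pattern worth investigating against the account's normal usage.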

Ymir Ransomware Signatures

Family: Trojan:PowerShell/SystemBC.CF!MTB
MD5: 4176233617a9d682e17e8cf97d8925b1
SHA256: b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a
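To check a file share or quarantine directory against the two hashes listed above, the following added example (not code from the original page) streams every file through MD5 and SHA-256 in one pass and reports which indicator matched. The indicator values are copied from the signature block; the function and variable names are my own.

```python
"""Match files on disk against the Ymir IOC hashes listed on this page.

Added example, not code from the original page. Files are hashed in
chunks so large samples are never read into memory at once.
"""
import hashlib
import os
from typing import Dict, Iterable, List, Tuple

# Indicators from the signature block above (lower-case hex).
YMIR_IOCS: Dict[str, str] = {
    "md5": "4176233617a9d682e17e8cf97d8925b1",
    "sha256": "b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a",
}


def hash_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Compute MD5 and SHA-256 over a sequence of byte chunks in a single pass."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    for chunk in chunks:
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return hash_stream(chunks())


def match_iocs(digests: Dict[str, str], iocs: Dict[str, str]) -> List[str]:
    """Names of the hash algorithms whose digest equals an indicator (case-insensitive)."""
    return [alg for alg, value in iocs.items()
            if digests.get(alg, "").lower() == value.lower()]


def scan_tree(root: str, iocs: Dict[str, str] = YMIR_IOCS) -> List[Tuple[str, List[str]]]:
    """Walk `root` and return (path, matched_algorithms) for every file that hits an IOC."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:  # unreadable or vanished file: skip, do not abort the scan
                continue
            matched = match_iocs(digests, iocs)
            if matched:
                hits.append((path, matched))
    return hits


if __name__ == "__main__":
    import sys
    for path, algs in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"IOC match ({', '.join(algs)}): {path}")
```

A match on either digest is reported separately so that a hit on MD5 alone (a collision-prone algorithm) can be treated with less weight than a SHA-256 hit; for a full incident, add the in-memory and WinRM indicators from the description above, since an in-memory payload leaves no file for this scan to hash.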

Ymir Ransomware Download

Download Ymir Ransomware Sample
