The Kaspersky Global Emergency Response Team has discovered a new ransomware family called “Ymir” in circulation. It infiltrates corporate systems using stolen employee credentials and then encrypts user data. According to the company’s statement, Ymir’s advanced technical features and flexible design allow attackers to remain hidden in target systems for longer periods of time.
Technical features and working principle of Ymir Ransomware
Ymir executes its malicious code in memory using an unorthodox combination of standard memory functions (‘malloc’, ‘memmove’, ‘memcmp’). By deviating from the usual execution flow of common ransomware, it gains additional stealth. In addition, the directories the ransomware targets in an attack can be specified with the ‘-path’ command-line argument. This flexibility gives attackers control over which files are encrypted and which are not.
Ymir also allows attackers to exclude specific files from encryption by whitelisting them. This gives threat actors who want to encrypt only the important data in a system fine-grained control. Kaspersky experts observed this feature in an attack against an organization in Colombia; it allows the ransomware to be selective about the data it targets.
RustyStealer and Credential Theft
Attackers use a malware called RustyStealer to steal credentials and other company data from victims. With this information, they gain access to the organization’s systems and infect them with the Ymir ransomware. This attack is notable in that the threat actors carried out the intrusion themselves rather than selling the obtained access on the dark web.
Cristian Souza of the Kaspersky Global Emergency Response Team stated that the threat actor behind the attack has not yet published the stolen data or made any other demands. “This may indicate a new trend and reveal a strategy that reduces reliance on traditional Ransomware as a Service (RaaS) groups,” Souza said. He also noted that no group operating this ransomware has yet been identified on underground markets, which could be a harbinger of a new threat campaign.
Ymir alarm in the world of cyber security
Kaspersky’s observations reveal that Ymir ransomware represents a new paradigm in cyberattacks. Its stealth features and targeted attack strategy indicate that Ymir may pose a significant threat to businesses in the future.