A new ransomware strain called 'Ymir' has emerged, encrypting systems already compromised by the RustyStealer malware. RustyStealer, known since 2021 as a credential-stealing tool, has now been observed working alongside ransomware, pointing to a growing trend of partnerships between cybercriminal groups. Kaspersky researchers identified Ymir during an incident response engagement and noted several unusual traits: in-memory execution, the use of the Lingala language in its code, ransom notes delivered as PDF files, and configurable file-extension settings. Although Ymir connects to external servers, Kaspersky found no evidence of a built-in data-exfiltration capability.
RustyStealer typically infiltrated systems days before Ymir was deployed, giving the attackers access through compromised high-privilege accounts and enabling lateral movement with tools such as WinRM and PowerShell. Once entrenched, the attackers dropped Ymir as the final payload; it uses the ChaCha20 cipher for fast file encryption and generates ransom notes titled "INCIDENT_REPORT.pdf". The ransomware also modifies Windows Registry settings so that the extortion message is displayed before login. Although Ymir has no data leak site at present, Kaspersky suggests that its reliance on access brokers could signal a growing threat.