A newly identified ransomware variant, named ‘Ymir,’ has emerged in the cyber landscape, targeting systems that had previously been compromised by the RustyStealer infostealer malware. RustyStealer, a malware family known since 2021, is now being associated with ransomware, which exemplifies the growing trend of collaboration among cybercriminal enterprises.
Researchers from Kaspersky, who uncovered Ymir during an incident response, have highlighted several distinctive characteristics of this ransomware strain, including its execution in memory, a code comment written in Lingala (an African language), the use of PDF files as ransom notes, and its various extension configuration options.
While Kaspersky has identified indications that Ymir may connect to external servers, potentially for data exfiltration, the ransomware itself does not possess this capability. BleepingComputer has reported that the ransomware operation commenced in July 2024, initiating attacks on companies globally.
Ymir follows RustyStealer infections
Kaspersky’s investigation indicated that RustyStealer had breached several systems within the targeted infrastructure two days prior to the deployment of Ymir. RustyStealer, primarily a credential-harvesting tool, allowed the attackers to obtain unauthorized access to systems by compromising legitimate high-privilege accounts, which facilitated lateral movement within the network.
The attackers employed tools such as Windows Remote Management (WinRM) and PowerShell for remote control, while also installing additional utilities like Process Hacker and Advanced IP Scanner. Subsequently, they executed scripts linked to the SystemBC malware and established covert communication channels with their infrastructure, likely for data exfiltration or command execution.
After the attackers had secured their presence and potentially exfiltrated data using RustyStealer, they deployed the Ymir ransomware as the final payload. Ymir represents a new strain of Windows ransomware that operates entirely in memory, using the C runtime functions ‘malloc,’ ‘memmove,’ and ‘memcmp’ to stage its code in memory rather than on disk and so avoid detection. Upon activation, it conducts system reconnaissance by retrieving the system date and time, identifying active processes, and assessing system uptime, which helps it determine whether it is operating within a sandbox environment.
It first skips files whose extensions appear on a predefined exclusion list, so as not to render the system unbootable. Ymir then encrypts files on the compromised system with the ChaCha20 stream cipher, a fast and efficient encryption algorithm. Each encrypted file receives a random extension, such as “.6C5oy2dVr6,” and a ransom note titled “INCIDENT_REPORT.pdf,” extracted from the “.data” section of the Ymir binary, is written to every directory that contains encrypted files.
Additionally, the ransomware alters the Windows Registry “legalnoticecaption” value so that an extortion message is displayed before user login on an encrypted device. The ransom note asserts that data has been exfiltrated from the victim’s system; Kaspersky suggests that this may have been done by the tools used before the deployment of Ymir. Finally, Ymir checks the system for PowerShell and uses it to delete its own executable, thereby hindering detection and analysis.
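As an added example (not code from Kaspersky or from this article), the following Python hunt looks for the two on-disk artefacts just described, the random extension on encrypted files together with an INCIDENT_REPORT.pdf note in the same directory, and checks the legalnoticecaption value against an expected baseline. The ten-character extension length, the registry key path given in the comment and the sample file listing are assumptions and constructed data, not indicators taken from the article.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators described above: a random extension such as ".6C5oy2dVr6" on each
# encrypted file, and a note named INCIDENT_REPORT.pdf in every affected directory.
RANSOM_NOTE = "INCIDENT_REPORT.pdf"
# Assumption: the extension is always 10 alphanumeric characters, as in the one published sample.
RANDOM_EXT = re.compile(r"^\.[A-Za-z0-9]{10}$")


def find_ymir_directories(paths):
    """Map each directory holding the note AND randomly-extended files to those files."""
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent)].append(wp.name)
    hits = {}
    for directory, names in by_dir.items():
        if RANSOM_NOTE not in names:
            continue  # a note alone could be a benign document; require both signals
        suspects = sorted(n for n in names if RANDOM_EXT.match(PureWindowsPath(n).suffix))
        if suspects:
            hits[directory] = suspects
    return hits


# The legalnoticecaption value lives under
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (assumed path);
# compare the live value with the organisation's approved banner (empty if none is set).
def legal_notice_tampered(current_caption, expected_caption=""):
    """True when the pre-logon banner differs from the approved baseline."""
    return current_caption.strip() != expected_caption.strip()


# Constructed sample listing (not real victim data) so the script runs offline.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.6C5oy2dVr6",
    r"C:\Users\alice\Documents\INCIDENT_REPORT.pdf",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Shared\plan.docx.Q9zL2kP0Ab",      # no note in this directory: not flagged alone
    r"C:\Windows\System32\ntoskrnl.exe",    # extension on the skip list, left untouched
]

if __name__ == "__main__":
    print(find_ymir_directories(SAMPLE_LISTING))
    print(legal_notice_tampered("CONSTRUCTED EXTORTION TEXT", ""))
```

In a real hunt, feed the function a directory walk or a file-server index and alert on any non-empty result; the registry check is meant to run against a value read on the host itself.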