Kaspersky Unveils New Stealthy Ransomware Named Ymir

11 Nov 2024 kaspersky.com

Kaspersky has identified a new strain of ransomware, Ymir, that relies on advanced stealth tactics. The attack in which it was found began with stolen employee credentials, underscoring the need for robust cybersecurity measures.

Key Takeaways

  • "Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in memory," said Cristian Souza, Incident Response Specialist at Kaspersky's Global Emergency Response Team.
  • Ymir also accepts a --path command-line argument that tells it which directories to search for files to encrypt; files on its whitelist are left untouched.
  • The ransomware was deployed only after employee credentials had been stolen with RustyStealer. "These were then utilized to gain access to the organization's systems and maintain control long enough to deploy ransomware," elaborated Souza.

On November 11, 2024, Kaspersky's Global Emergency Response Team announced that it had uncovered a previously unseen ransomware strain, 'Ymir.' The malware is built for stealth: it is designed to evade detection while carrying out its malicious tasks.

Ymir has demonstrated a sophisticated approach, employing unique technical features that enhance its effectiveness in bypassing security measures. "Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in memory," said Cristian Souza, Incident Response Specialist at Kaspersky's Global Emergency Response Team. This tactic diverges from the traditional sequential execution flow that is commonly observed in most ransomware.


Ymir also gives its operators a degree of flexibility. Through a --path command-line argument, attackers can specify the directories the ransomware should search for files to encrypt, while files matching its whitelist are left unencrypted. This gives the operators finer control over the encryption process, allowing them to target only specific files.


The attack in which Ymir was identified took place in Colombia, where attackers utilized RustyStealer malware to first obtain employee credentials. "These were then utilized to gain access to the organization's systems and maintain control long enough to deploy ransomware," elaborated Souza. This tactic highlights a disturbing trend known as initial access brokerage, where attackers establish footholds in corporate systems and then broker that access either for profit on the dark web or, in this case, to launch further attacks themselves.


"If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups," explained Souza.


Ymir encrypts files with ChaCha20, a modern stream cipher valued for both speed and security; in software on CPUs without AES hardware acceleration it is generally faster than the Advanced Encryption Standard (AES). As of now, the perpetrators have neither disclosed stolen data nor made ransom demands, and the Kaspersky team continues to monitor the situation closely. "We haven’t observed any new ransomware groups emerging in the underground market yet," Souza stated, adding that the absence of publicly leaked information about the ransomware also raises questions about its authorship and intent.


Kaspersky named this new threat 'Ymir' after a Saturnian moon known for its irregular orbit, likening it to the unconventional methods used in this ransomware. The analysis of this threat is detailed on Kaspersky's Securelist platform.


In light of Ymir's emergence, Kaspersky products can identify it as Trojan-Ransom.Win64.Ymir.gen, and the company has provided recommendations for mitigating ransomware risks. "Adopt managed security services by Kaspersky such as Compromise Assessment and Managed Detection and Response (MDR), which cover the entire incident management cycle from threat identification to continuous protection and remediation," urged company experts.


Further recommendations include using solutions from the Kaspersky Next product line for real-time protection against a broad range of threats; organizations should choose products based on their current cybersecurity needs, since the line is designed to scale as requirements change. Additionally, it is critical to minimize the attack surface by disabling any unnecessary services and ports.

Kaspersky experts also strongly advise against paying the ransom, noting that it does not guarantee the safe return of files and only serves to incentivize further criminal activity. For organizations that have already fallen victim to ransomware, the roadmap to recovery includes establishing robust incident response protocols and seeking expertise to navigate the aftermath.
