Today > | 3 Medium | 2 Low vulnerabilities   -   You can now download lists of IOCs here!

New Ymir ransomware discovered used together with RustyStealer

Nov. 11, 2024, 9:55 p.m.

Description

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The ransomware encrypts files, appends the .6C5oy2dVr6 extension, and drops PDF ransom notes. It uses PowerShell to self-delete after execution. A test variant was also identified. The attack was preceded by infections with RustyStealer malware and SystemBC scripts used for data exfiltration. The incident highlights the connection between initial access brokers and ransomware groups.

Date

Published: Nov. 11, 2024, 11:13 a.m.

Created: Nov. 11, 2024, 11:13 a.m.

Modified: Nov. 11, 2024, 9:55 p.m.

Attack Patterns

RustyStealer

Ymir

SystemBC

T1497.003

T1059.001

T1070.004

T1486

T1129

T1082

T1057

T1083

T1027

Additional Informations

Colombia

Pakistan