A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The ransomware encrypts files, appends the .6C5oy2dVr6 extension, and drops PDF ransom notes. It uses PowerShell to self-delete after execution. A test variant was also identified. The attack was preceded by infections with RustyStealer malware and SystemBC scripts used for data exfiltration. The incident highlights the connection between initial access brokers and ransomware groups.