New Ymir ransomware discovered used together with RustyStealer | Securelist

Nov. 11, 2024, 11:25 a.m.

Description

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The ransomware encrypts files, appends the .6C5oy2dVr6 extension, and drops PDF ransom notes. It uses PowerShell to self-delete after execution. A test variant was also identified. The attack was preceded by infections with RustyStealer malware and SystemBC scripts used for data exfiltration. The incident highlights the connection between initial access brokers and ransomware groups.

Date

  • Created: Nov. 11, 2024, 11:13 a.m.
  • Published: Nov. 11, 2024, 11:13 a.m.
  • Modified: Nov. 11, 2024, 11:25 a.m.

Indicators

  • cb88edd192d49db12f444f764c3bdc287703666167a4ca8d533d51f86ba428d8
  • b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a
  • 8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c
  • 51ffc0b7358b7611492ef458fdf9b97f121e49e70f86a6b53b93ed923b707a03
  • 85.239.61.60
  • 94.158.244.69
  • 74.50.84.181
  • 5.255.117.134
  • http://94.158.244.69:443
  • http://74.50.84.181:443
  • http://5.255.117.134:80
  • trojan.msil.dnoper.sb

Attack Patterns

Additional Information

  • Colombia
  • Pakistan