New Ymir ransomware discovered used together with RustyStealer | Securelist

Nov. 11, 2024, 11:25 a.m.

Description

A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The ransomware encrypts files, appends the .6C5oy2dVr6 extension, and drops PDF ransom notes. It uses PowerShell to self-delete after execution. A test variant was also identified. The attack was preceded by infections with RustyStealer malware and SystemBC scripts used for data exfiltration. The incident highlights the connection between initial access brokers and ransomware groups.

Date

Published: Nov. 11, 2024, 11:13 a.m.

Created: Nov. 11, 2024, 11:13 a.m.

Modified: Nov. 11, 2024, 11:25 a.m.

Indicators


Attack Patterns

RustyStealer

Ymir

SystemBC

T1497.003

T1059.001

T1070.004

T1486

T1129

T1082

T1057

T1083

T1027

Additional Information

Colombia

Pakistan