402/67 Wednesday, November 13, 2024
Researchers at Kaspersky have discovered a new type of ransomware called Ymir, which is being used in attacks alongside the RustyStealer malware. RustyStealer is a data-stealing program that infiltrates the victim’s system before deploying Ymir ransomware. Ymir targets networks containing sensitive information, with RustyStealer employing techniques to collect credentials and gain access through privileged accounts. Once Ymir is installed, it encrypts the system files and creates a ransom note in a PDF file to demand payment. It also modifies Windows system settings to display warning messages on the login screen, pressuring victims to comply with the hacker’s demands.
The Ymir ransomware is difficult to detect, operating in memory and using the ChaCha20 encryption algorithm, an advanced encryption technique that makes decryption challenging. Additionally, the malware scans the system for signs of PowerShell and deletes itself to evade detection in the final stage. Currently, there is no evidence of a data leak site for Ymir, which might indicate that the attackers are in the early stages of collecting victim data. If Ymir continues to evolve by incorporating data theft capabilities, it could become an even more severe threat.