
New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks

Tuesday, November 12, 2024

The attack is notable for installing tools like Advanced IP Scanner and Process Hacker. Also used are two scripts belonging to the SystemBC malware, which set up a covert channel to a remote IP address and exfiltrate files larger than 40 KB that were created after a specified date.

The ransomware binary, for its part, uses the stream cipher ChaCha20 algorithm to encrypt files, appending the extension ".6C5oy2dVr6" to each encrypted file.

"Ymir is flexible: by using the --path command, attackers can specify a directory where the ransomware should search for files," Kaspersky said. "If a file is on the whitelist, the ransomware will skip it and leave it unencrypted. This feature gives attackers more control over what is or isn't encrypted."
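Two details above are directly useful when scoping an incident: the extension Ymir appends, and the selection criteria (size over 40 KB, creation date after a cutoff) the SystemBC scripts use when staging files. The following Python, an added example and not Kaspersky's tooling or anything from the Ymir or SystemBC code, walks a directory the way a responder would: it lists files carrying the Ymir extension (restricted to a path and skipping a whitelist of globs, mirroring the --path and whitelist behaviour described, though the whitelist format here is my own), confirms they look encrypted with a byte-entropy check (ChaCha20 ciphertext has no byte-frequency skew), and separately enumerates the files the exfiltration script would have picked up. The sample tree, entropy threshold of 7.5 bits per byte and the timestamp handling are assumptions.

```python
"""IR scoping helpers for a Ymir/SystemBC incident (added example, not Kaspersky's tooling)."""
import math
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

YMIR_EXTENSION = ".6C5oy2dVr6"      # extension Ymir appends to each encrypted file
EXFIL_MIN_SIZE = 40 * 1024          # SystemBC collector: files larger than 40 KB
ENTROPY_THRESHOLD = 7.5             # bits/byte (assumed cutoff); ChaCha20 output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for ciphertext, much lower for text or zero-filled data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path, sample: int = 64 * 1024) -> bool:
    """Entropy check on the head of the file; stream-cipher output has no byte-frequency skew."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(sample)) >= ENTROPY_THRESHOLD


def find_ymir_victims(root, whitelist=()):
    """Files carrying the Ymir extension under `root`, skipping any whitelist glob
    (our own glob format, mirroring the --path / whitelist behaviour Kaspersky describes)."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or any(p.match(pat) for pat in whitelist):
            continue
        if p.name.endswith(YMIR_EXTENSION):
            hits.append((p.name, looks_encrypted(p)))
    return hits


def creation_time(st):
    """Best-effort creation timestamp: birth time where the OS exposes it, else mtime."""
    return getattr(st, "st_birthtime", None) or st.st_mtime


def exfil_candidates(root, created_after: datetime, min_size=EXFIL_MIN_SIZE, timestamp=creation_time):
    """What the SystemBC script would have staged: files > min_size created after the cutoff."""
    cutoff = created_after.timestamp()
    out = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        if st.st_size > min_size and timestamp(st) > cutoff:
            out.append(p.name)
    return out


def build_sample_tree(base: Path):
    """Constructed sample data for the demo, not artefacts from a real incident."""
    (base / "backup").mkdir()
    (base / ("report.docx" + YMIR_EXTENSION)).write_bytes(os.urandom(70 * 1024))    # 'encrypted', > 40 KB
    (base / "bigdata.csv").write_bytes(b"a,b,c\n" * 10000)                         # plaintext, ~59 KB
    (base / "notes.txt").write_text("meeting notes\n")                              # plaintext, tiny
    (base / "backup" / ("skip.old" + YMIR_EXTENSION)).write_bytes(os.urandom(100))  # in whitelisted dir
    old = base / "archive.zip"
    old.write_bytes(b"\x00" * 50 * 1024)
    os.utime(old, (1577836800, 1577836800))                                         # 2020-01-01, predates cutoff


def run_demo():
    """Build the constructed tree, run both scans and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        victims = find_ymir_victims(base, whitelist=("backup/*",))
        staged = exfil_candidates(base, datetime(2024, 1, 1, tzinfo=timezone.utc),
                                  timestamp=lambda st: st.st_mtime)  # the demo tree encodes 'creation' in mtime
        return {"victims": victims, "staged": staged}


if __name__ == "__main__":
    print(run_demo())
```

On a live system you would point `find_ymir_victims` at the same directory the operator passed via --path and `exfil_candidates` at the shares the SystemBC scripts could reach, feeding it the date from the script rather than the guessed one here; the entropy check is what distinguishes a file that was actually encrypted from one that was merely renamed.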

The development comes as the attackers behind the Black Basta ransomware have been spotted using Microsoft Teams chat messages to engage with prospective targets and incorporating malicious QR codes to facilitate initial access by redirecting them to a fraudulent domain.

As part of the vishing attack, the threat actors instruct the victim to install remote desktop software such as AnyDesk or launch Quick Assist in order to obtain remote access to the system.

"The underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince users to download remote monitoring and management (RMM) tools, and gain initial access to the targeted environment," ReliaQuest said. "Ultimately, the attackers' end goal in these incidents is almost certainly the deployment of ransomware."

The cybersecurity company said it also identified instances where the threat actors masqueraded as IT support personnel and persuaded users to launch Quick Assist so they could gain remote access, a technique that Microsoft warned about in May 2024.


It's worth mentioning here that a previous iteration of the attack employed malspam tactics, inundating employees' inboxes with thousands of emails and then calling up the employee by posing as the company's IT help desk to purportedly help solve the issue.

Ransomware attacks involving Akira and Fog families have also benefited from systems running SonicWall SSL VPNs that are unpatched against CVE-2024-40766 to breach victim networks. As many as 30 new intrusions leveraging this tactic have been detected between August and mid-October 2024, per Arctic Wolf.

These events reflect the continued evolution of ransomware and the persistent threat it poses to organizations worldwide, even as law enforcement efforts to disrupt the cybercrime groups have led to further fragmentation.

Last month, Secureworks, which is set to be acquired by Sophos early next year, revealed that the number of active ransomware groups has witnessed a 30% year-over-year increase, driven by the emergence of 31 new groups in the ecosystem.

"Despite this growth in ransomware groups, victim numbers did not rise at the same pace, showing a significantly more fragmented landscape posing the question of how successful these new groups might be," the cybersecurity firm said.
