A new strain of ransomware, named Ymir, has been flagged by cybersecurity researchers for its unusual use of memory management techniques to evade detection.
Ymir first appears on targeted systems just days after they are initially infected with another malware, RustyStealer, which steals sensitive information to enable further network compromise.
This sophisticated campaign uses unconventional memory functions, such as malloc, memmove, and memcmp, to execute its code directly in memory, a feature that enhances its stealth.
According to researchers, this method marks a departure from standard ransomware execution, giving Ymir an edge in avoiding traditional antivirus detection. The first instance of Ymir was observed in an attack on a corporate network in Colombia, where credentials stolen by RustyStealer were likely used to gain access and deploy the ransomware.
The attack involves various tools and scripts that contribute to its sophistication. Advanced IP Scanner and Process Hacker, commonly used for network discovery and process management, were reportedly installed during the breach.
Additionally, the attack used scripts associated with the SystemBC malware to set up a covert data exfiltration channel, which targeted files larger than 40 KB that had been created after a specific date. Ymir encrypts files with the ChaCha20 stream cipher and appends the “.6C5oy2dVr6” extension to each encrypted file.
Ymir offers attackers flexibility, allowing them to select specific directories and files to target or leave untouched by adjusting the ransomware’s command-line options. This selective targeting could be advantageous for threat actors who want to keep certain critical systems functional.
Meanwhile, another ransomware group behind Black Basta has employed innovative tactics, including impersonating IT support through Microsoft Teams messages to gain victims’ trust and convincing them to install remote access software.
Other methods include fake QR codes that redirect to malicious websites, highlighting the varied techniques ransomware groups use to infiltrate networks.
Other notable campaigns, including Akira and Fog, have exploited unpatched SonicWall SSL VPN vulnerabilities to access networks, demonstrating how unpatched systems remain a common attack vector. Despite fragmentation among ransomware groups due to law enforcement efforts, attacks remain steady, with 407 incidents reported in September 2024 across sectors like manufacturing and information technology.
In addition, politically motivated groups such as CyberVolk have been noted for using ransomware to retaliate in a political context, indicating the expanding reach of ransomware into different spheres beyond financial gain.
Governments are also adapting their responses; U.S. officials recently called on cyber insurance providers to stop reimbursing ransom payments, aiming to reduce incentives for organizations to pay attackers.
Organizations can better defend against ransomware like Ymir by enforcing strict access controls, especially monitoring credential usage and restricting the use of remote management tools.
Regular patching of network devices, along with advanced memory monitoring, can reduce exposure to memory-based threats. Employee training on identifying phishing attempts, coupled with endpoint security tools to detect unusual memory activities, can also help block initial access points commonly exploited in these attacks.
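Two of the indicators above translate directly into checks a responder can run: the ".6C5oy2dVr6" extension Ymir appends to encrypted files, and launches of the administrative tools (Advanced IP Scanner, Process Hacker) that the report says were installed during the intrusion and that the defensive guidance says should be restricted. The script below is an added illustration, not code from the report or from any vendor; it runs over constructed sample data embedded inline. The executable names in WATCHED_TOOLS and the key=value event format are assumptions, not facts from the report, so adapt them to your own telemetry.

```python
"""Triage helpers for the Ymir indicators described above (added example).

Check 1: flag files carrying the .6C5oy2dVr6 extension and summarise how far
         encryption has spread per directory.
Check 2: flag process-creation events for the tools the report says were
         installed during the intrusion, so that use of restricted remote
         management / discovery tools surfaces for review.
All sample paths and event lines are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Extension Ymir appends to encrypted files, as given in the report.
YMIR_EXTENSION = ".6C5oy2dVr6"

# Image names for the two tools named in the report. These binary names are
# an assumption (the usual names these tools ship with), not from the report.
WATCHED_TOOLS = {
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "processhacker.exe": "Process Hacker",
}


def _parent_dir(path: str) -> str:
    """Parent directory of a Windows or POSIX path string, using '/' separators."""
    norm = path.replace("\\", "/")
    head, _, _ = norm.rpartition("/")
    return head or "."


def find_ymir_encrypted(paths: list[str]) -> tuple[list[str], dict[str, int]]:
    """Return paths carrying the Ymir extension plus a per-directory hit count.

    Windows file systems compare names case-insensitively, so we do too.
    """
    ext = YMIR_EXTENSION.lower()
    hits = [p for p in paths if p.lower().endswith(ext)]
    per_dir = Counter(_parent_dir(p) for p in hits)
    return hits, dict(per_dir)


@dataclass(frozen=True)
class ToolLaunch:
    timestamp: str
    host: str
    user: str
    tool: str
    image: str


# key=value tokens; values may be double-quoted to allow spaces in paths.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def _parse_event(line: str) -> dict[str, str]:
    """Parse a constructed '<timestamp> key=value ...' process-creation line."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"timestamp": ts}
    for m in _KV.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def find_tool_launches(events: list[str]) -> list[ToolLaunch]:
    """Return launches whose image basename matches a watched tool."""
    found: list[ToolLaunch] = []
    for line in events:
        f = _parse_event(line)
        image = f.get("image", "")
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in WATCHED_TOOLS:
            found.append(ToolLaunch(f["timestamp"], f.get("host", "?"),
                                    f.get("user", "?"), WATCHED_TOOLS[name], image))
    return found


# Constructed sample data (not real telemetry).
SAMPLE_PATHS = [
    r"D:\Shares\Finance\Q3-report.xlsx.6C5oy2dVr6",
    r"D:\Shares\Finance\budget.docx.6C5oy2dVr6",
    r"D:\Shares\HR\handbook.pdf",
    r"C:\Users\jsmith\Documents\notes.txt.6c5oy2dvr6",
    r"C:\Windows\System32\kernel32.dll",
]
SAMPLE_EVENTS = [
    r'2024-11-05T10:12:03Z host=FIN-WS-07 user=jsmith image="C:\Users\jsmith\Downloads\advanced_ip_scanner.exe"',
    r'2024-11-05T10:12:09Z host=FIN-WS-07 user=jsmith image="C:\Windows\explorer.exe"',
    r'2024-11-05T10:40:51Z host=FILESRV-01 user=svc_backup image="C:\Program Files\Process Hacker 2\ProcessHacker.exe"',
    r'2024-11-05T10:41:02Z host=FILESRV-01 user=svc_backup image="C:\Windows\System32\notepad.exe"',
]

if __name__ == "__main__":
    hits, per_dir = find_ymir_encrypted(SAMPLE_PATHS)
    print(f"{len(hits)} file(s) with the Ymir extension; per directory: {per_dir}")
    for launch in find_tool_launches(SAMPLE_EVENTS):
        print(f"{launch.timestamp} {launch.host} {launch.user}: {launch.tool} ({launch.image})")
```

The per-directory count is the useful part of the first check: one encrypted file under a user profile and dozens under a file share tell you where to cut access first. The second check is deliberately narrow and will miss renamed binaries; in production you would key on file hashes or signer, but the structure (parse event, normalise the image name, match against an allow/deny list) is the same.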