Kaspersky’s Global Emergency Response Team has identified a previously unseen ransomware strain in active use, deployed in an attack following the theft of employee credentials. The ransomware, dubbed “Ymir”, employs advanced stealth and encryption methods. It also selectively targets files and attempts to evade detection.

Ymir ransomware introduces a unique combination of technical features and tactics that enhance its effectiveness.

Uncommon memory manipulation techniques for stealth. Threat actors leveraged an unconventional blend of memory management functions – malloc, memmove, and memcmp – to execute malicious code directly in memory. This approach deviates from the typical sequential execution flow seen in widespread ransomware families, enhancing its stealth capabilities. Furthermore, Ymir is flexible: with the --path command-line argument, attackers can specify the directory in which the ransomware should search for files. If a file is on the whitelist, the ransomware skips it and leaves it unencrypted. This feature gives attackers finer control over what is and isn’t encrypted.

Use of data-stealing malware. In the attack observed by Kaspersky experts, which targeted an organisation in Colombia, threat actors used RustyStealer, an information-stealing malware, to obtain corporate credentials from employees. These were then used to gain access to the organisation’s systems and maintain control long enough to deploy the ransomware. This type of activity is known as initial access brokerage, where attackers infiltrate systems and sustain access. Typically, initial access brokers sell the access they gain on the dark web to other cybercriminals, but in this case they appear to have continued the attack themselves by deploying ransomware.

“If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups,” explains Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.

Ymir’s ransom note
Advanced encryption algorithm. The ransomware employs ChaCha20, a modern stream cipher known for its speed and security, even outperforming Advanced Encryption Standard (AES).

Although the threat actor behind this attack has not shared any stolen data publicly or made further demands, researchers are closely monitoring it for any new activity. “We haven’t observed any new ransomware groups emerging in the underground market yet. Typically, attackers use shadow forums or portals to leak information as a way to pressure victims into paying the ransom, which is not the case with Ymir. Given this, the question of which group is behind the ransomware remains open, and we suspect this may be a new campaign,” elaborates Souza.

Looking for a name for the new threat, Kaspersky experts considered a Saturnian moon called Ymir. It is an “irregular” moon that travels in the opposite direction of the planet’s rotation – a trait that intriguingly resembles the unconventional blend of memory management functions used in the new ransomware.

Kaspersky products detect this ransomware as Trojan-Ransom.Win64.Ymir.gen. The company’s experts recommend the following general measures to mitigate ransomware attacks:

  • Implement a frequent backup schedule and conduct regular testing.
  • Provide employees with regular cybersecurity training to increase their awareness of cyber threats like data-stealing malware, and to teach effective mitigation strategies.
  • If you’ve fallen victim to ransomware and there is no known decryptor yet, save your critical encrypted files. A decryption solution may emerge within an ongoing threat research effort or if the authorities manage to seize control of the actor behind the threat.
  • It is recommended not to pay the ransom. Paying encourages malware creators to continue their operations, and it doesn’t ensure the safe and reliable return of files.
  • To protect the company against a wide range of threats, use solutions like Kaspersky Next that provide real-time protection, threat visibility, investigation and the response capabilities of EDR and XDR for organisations of any size and industry.
  • Adopt managed security services by Kaspersky such as Compromise Assessment, Managed Detection and Response (MDR) and/or Incident Response, covering the entire incident management cycle – from threat identification to continuous protection and remediation. They help protect against evasive cyberattacks, investigate incidents and provide additional expertise even if a company lacks security staff.

The detailed analysis of Ymir ransomware is presented on Securelist.