Securelist

1M

read

362

img
dot

Image Credit: Securelist

Ymir: new stealthy ransomware in the wild

  • A new ransomware family named “Ymir” has been discovered in active use by attackers. The malware combines file encryption with PowerShell remote-control activity to achieve its goals.
  • The attackers gained control of the victim environment via PowerShell remote-control commands and weakened system security before deploying Ymir.
  • Ymir performs a range of operations in memory using malloc, memmove, and memcmp function calls, and uses CryptoPP library functions to encrypt files.
  • Static analysis shows the binary imports suspicious APIs such as CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, TerminateProcess and WinExec.
  • The malware also contains a hardcoded list of file name extensions that it excludes from encryption.
  • Dynamic analysis reveals hundreds of calls to memmove, used to load small pieces of instructions into memory before executing the malicious functions.
  • The sample encrypts files with the ChaCha20 stream cipher and appends the extension '.6C5oy2dVr6' to each encrypted file.
  • The article also describes the RustyStealer threat the attackers used to control the affected machines, along with their use of PowerShell remote-control capabilities and SystemBC scripts.
  • Several Ymir TTPs have been identified, including Command and Scripting Interpreter: PowerShell and Data Encrypted for Impact.
  • Kaspersky products detect this new threat as Trojan-Ransom.Win64.Ymir.gen.
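The appended extension '.6C5oy2dVr6' is the one file-system indicator this summary gives, so a defender can use it to confirm which files and directories were hit after an incident. The following script is an added example written for this page, not code from Securelist, Kaspersky or the Ymir report; the file listing it scans is constructed, and the per-directory alert threshold is an arbitrary assumption.

```python
import os
from collections import Counter

# Extension Ymir appends to every file it encrypts, as reported in the article.
YMIR_EXTENSION = ".6C5oy2dVr6"


def is_ymir_encrypted(path):
    """True if the file name carries the Ymir extension.

    The match is case-sensitive because the reported value is mixed-case;
    a case-folded match would widen the net but also raise false positives."""
    return os.path.basename(path).endswith(YMIR_EXTENSION)


def original_name(path):
    """Recover the file's name before encryption by stripping the appended extension."""
    if is_ymir_encrypted(path):
        return path[: -len(YMIR_EXTENSION)]
    return path


def find_ymir_files(paths):
    """Return every path in the listing that matches the Ymir indicator."""
    return [p for p in paths if is_ymir_encrypted(p)]


def affected_directories(paths, threshold=3):
    """Group hits by directory; a directory at or above the (assumed) threshold
    is reported so responders can prioritise restoration from backup."""
    counts = Counter(os.path.dirname(p) for p in find_ymir_files(paths))
    return {d: n for d, n in counts.items() if n >= threshold}


def scan_directory(root):
    """Walk a real directory tree and return the matching file paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_ymir_encrypted(full):
                hits.append(full)
    return hits


# Constructed sample listing; these paths are not from the report.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.6C5oy2dVr6",
    "C:/Users/alice/Documents/budget.xlsx.6C5oy2dVr6",
    "C:/Users/alice/Documents/notes.txt.6C5oy2dVr6",
    "C:/Users/alice/Documents/readme.txt",
    "C:/Windows/System32/kernel32.dll",
    "C:/Users/bob/Pictures/holiday.jpg.6C5oy2dVr6",
]

if __name__ == "__main__":
    for hit in find_ymir_files(SAMPLE_PATHS):
        print(f"encrypted: {hit} (was {original_name(hit)})")
    for directory, count in affected_directories(SAMPLE_PATHS).items():
        print(f"ALERT: {count} encrypted files under {directory}")
```

Run it against a mounted image of the affected volume with `scan_directory(root)` in place of the constructed list; the extension check is the only detail that is specific to this family, so the rest of the logic carries over to any ransomware that renames the files it encrypts.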
