A new ransomware family named “Ymir” has been discovered in active use. The operators relied on PowerShell remote control to reach their targets, and the malware itself encrypts files while running much of its logic in memory.
The attackers gained control of the victim's systems through PowerShell remote-control commands and weakened the hosts' defenses before deploying Ymir.
Ymir performs much of its work in memory through malloc, memmove and memcmp calls, and uses routines from the Crypto++ (CryptoPP) library to encrypt files.
Static analysis shows the binary imports suspicious Windows APIs such as CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, TerminateProcess and WinExec. Each of these is a legitimate API and none is an indicator on its own; it is the combination of CryptoAPI calls (CryptGenRandom is the usual source of random key material), process termination and command execution that is consistent with ransomware behaviour.
The malware also carries a hardcoded list of file extensions to exclude from encryption, a common ransomware practice that keeps the host bootable after the files the victim cares about have been encrypted.
Dynamic analysis reveals hundreds of calls to memmove, used to stage small chunks of code in memory that then carry out the malicious functions.
The sample encrypts files with the ChaCha20 stream cipher and appends the extension '.6C5oy2dVr6' to each encrypted file.
The article also describes RustyStealer, which the attackers used to control the affected machines, along with their use of PowerShell remote-control capabilities and SystemBC scripts.
Ymir's TTPs map to MITRE ATT&CK techniques including Command and Scripting Interpreter: PowerShell (T1059.001) and Data Encrypted for Impact (T1486).
Kaspersky products detect this new threat as Trojan-Ransom.Win64.Ymir.gen.