New Ymir ransomware discovered used together with RustyStealer

A new ransomware family, Ymir, was discovered during an incident response engagement. It stages its malicious code in memory through an unconventional sequence of memory-management calls to evade detection, and it encrypts files with the ChaCha20 stream cipher. The attackers gained initial access via PowerShell commands and installed tools such as Process Hacker before deploying Ymir. The ransomware encrypts files, appends the .6C5oy2dVr6 extension, drops PDF ransom notes, and deletes its own executable with a PowerShell command after execution. A test variant of the sample was also identified. The intrusion was preceded by RustyStealer infections and by SystemBC scripts used for data exfiltration, which points to a hand-off between an initial access broker and the ransomware operators. Author: AlienVault

Related Tags:
Ymir
T1497.003 (Virtualization/Sandbox Evasion: Time Based Evasion)
encryption
incident response
T1070.004 (Indicator Removal: File Deletion)
chacha20
Colombia
T1059.001 (Command and Scripting Interpreter: PowerShell)
systembc

Associated Indicators:
SHA-256:
51FFC0B7358B7611492EF458FDF9B97F121E49E70F86A6B53B93ED923B707A03
CB88EDD192D49DB12F444F764C3BDC287703666167A4CA8D533D51F86BA428D8
8287D54C83DB03B8ADCDF1409F5D1C9ABB1693AC8D000B5AE75B3A296CB3061C
SHA-1:
3648359EBAE8CE7CACAE1E631103659F5A8C630E
F954D1B1D13A5E4F62F108C9965707A2AA2A3C89
E6C4D3E360A705E272AE0B505E58E3D928FB1387
FE6DE75D6042DE714C28C0A3C0816B37E0FA4BB3
8287D54C83DB03B8ADCDF1409F5D1C9ABB1693AC (40 hex characters, but identical to the first 40 characters of the third SHA-256 above; treat as a truncated copy of that hash rather than an independent SHA-1 until confirmed)
MD5:
5384D704FADF229D08EAB696404CBBA6
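As an added example (not part of the pulse and not vendor tooling), the following Python script puts the summary and the indicator list above to work: it normalises the hashes to lowercase (hashlib emits lowercase, the pulse lists uppercase), sorts them into MD5/SHA-1/SHA-256 by length, flags the 40-character entry that is only a prefix of a listed SHA-256, and scans a directory for files that carry the .6C5oy2dVr6 extension or hash to a listed value. Function names, the directory layout and any files fed to it are the example's own assumptions; the hash values are copied from the list above.

```python
"""Triage helper for the Ymir indicators on this page (added example).

Normalises the listed hashes, classifies them by algorithm, flags truncated
duplicates, and scans a directory for Ymir artefacts: files ending in the
.6C5oy2dVr6 extension or hashing to one of the indicators.
"""
import hashlib
import os
from pathlib import Path

# Hash indicators copied verbatim from the "Associated Indicators" list above.
RAW_IOCS = [
    "51FFC0B7358B7611492EF458FDF9B97F121E49E70F86A6B53B93ED923B707A03",
    "CB88EDD192D49DB12F444F764C3BDC287703666167A4CA8D533D51F86BA428D8",
    "8287D54C83DB03B8ADCDF1409F5D1C9ABB1693AC8D000B5AE75B3A296CB3061C",
    "3648359EBAE8CE7CACAE1E631103659F5A8C630E",
    "F954D1B1D13A5E4F62F108C9965707A2AA2A3C89",
    "E6C4D3E360A705E272AE0B505E58E3D928FB1387",
    "FE6DE75D6042DE714C28C0A3C0816B37E0FA4BB3",
    "8287D54C83DB03B8ADCDF1409F5D1C9ABB1693AC",
    "5384D704FADF229D08EAB696404CBBA6",
]
YMIR_EXTENSION = ".6C5oy2dVr6"  # appended to encrypted files, per the summary

HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm


def classify_iocs(raw):
    """Return ({algo: set(lowercase hashes)}, [(value, reason), ...]).

    An entry is reported as suspect when it is not hex of a known digest
    length, or when it is a 40-char value that is merely the prefix of a
    listed 64-char SHA-256 (a truncated copy, not an independent SHA-1).
    """
    by_algo = {"md5": set(), "sha1": set(), "sha256": set()}
    suspect = []
    cleaned = []
    for h in raw:
        h = h.strip().lower()
        if len(h) not in HASH_ALGOS or any(c not in "0123456789abcdef" for c in h):
            suspect.append((h, "not a hex md5/sha1/sha256"))
            continue
        cleaned.append(h)
    sha256s = {h for h in cleaned if len(h) == 64}
    for h in cleaned:
        if len(h) == 40 and any(s.startswith(h) for s in sha256s):
            suspect.append((h, "40-char prefix of a listed sha256; likely truncated"))
            continue
        by_algo[HASH_ALGOS[len(h)]].add(h)
    return by_algo, suspect


def hash_file(path):
    """Compute md5, sha1 and sha256 of a file in a single pass."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(root, iocs):
    """Return [(path, reason), ...] for files matching an IOC or the extension."""
    by_algo, _suspect = classify_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(YMIR_EXTENSION):
                hits.append((str(path), "ymir_extension"))
            try:
                digests = hash_file(path)
            except OSError:  # unreadable or vanished file; keep scanning
                continue
            for algo, value in digests.items():
                if value in by_algo[algo]:
                    hits.append((str(path), f"hash_match:{algo}"))
    return hits


if __name__ == "__main__":
    import sys

    algos, bad = classify_iocs(RAW_IOCS)
    for value, reason in bad:
        print(f"suspect indicator {value}: {reason}")
    for hit in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".", RAW_IOCS):
        print(*hit)
```

Run it against a suspect host's document folders to get extension hits (encrypted files) and hash hits (the dropper itself). Hash matching only catches the exact samples listed here; the extension check is the cheaper and more durable signal for files already encrypted.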