Novel Ymir ransomware targets enterprises with memory manipulation

Illustration: JMiks | Shutterstock

A newly identified ransomware family named Ymir deploys detection-evasion tactics, including in-memory code manipulation and anti-forensic techniques.

According to the Kaspersky Securelist researchers who analysed the sample, Ymir stands out for how heavily it relies on memory operations: it evades standard detection by running most of its code in memory rather than from disk.

Ymir uses common memory allocation and manipulation functions (malloc, memmove and memcmp) to load and execute its instructions in memory, reducing its on-disk footprint and hindering detection by traditional endpoint security tools. These are ordinary C runtime functions present in almost any Windows binary, so their mere presence is not an indicator; what stood out to the researchers was the volume and pattern of calls.

Static analysis of the ransomware showed that it imports functions from operating system libraries, including cryptographic and process-termination functions. Relying on native Windows API calls lets Ymir blend in with legitimate software and avoid suspicion.

In the investigated case, the attackers gained initial access via PowerShell remote commands. This allowed them to deploy auxiliary tools such as Process Hacker and Advanced IP Scanner to gather information and disable security controls before launching Ymir.

The attack chain of Ymir ransomware explained. | Source: Securelist

Once deployed, the ransomware encrypts files with the ChaCha20 stream cipher and appends the extension ‘.6C5oy2dVr6’ to each encrypted file. It then drops a ransom note, delivered as a PDF, across the affected directories, instructing victims to contact the attackers for data recovery.

During runtime, Ymir makes hundreds of calls to memmove, copying segments of its code into memory before executing them. These operations support the enumeration and encryption of directories and files on the compromised system. The ransomware also dynamically loads additional cryptographic libraries, extending its encryption capabilities while avoiding detection.
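For a responder, the two observable artefacts described above (the ‘.6C5oy2dVr6’ extension on encrypted files and a PDF ransom note in the affected directories) are what a first triage pass looks for. The following script is an added example written for this article, not code from Securelist or from the Ymir sample: it walks a directory tree, lists files carrying the extension, measures the entropy of their contents (ChaCha20 output is indistinguishable from random bytes, so a genuinely encrypted file sits near 8 bits per byte, while a file that was merely renamed does not), and flags PDFs sitting beside encrypted files as ransom-note candidates. The article does not give the note’s filename, so the script matches on the PDF type only; the sample tree it builds, including the ‘note.pdf’ name, is constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the article reports for files encrypted by Ymir.
YMIR_EXTENSION = ".6C5oy2dVr6"


def shannon_entropy(data: bytes) -> float:
    """Return entropy in bits per byte (0.0 .. 8.0).

    ChaCha20 keystream output is indistinguishable from random bytes, so an
    encrypted file body sits close to the 8.0 ceiling; ordinary documents
    land well below it.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root, extension=YMIR_EXTENSION, entropy_threshold=7.5, sample_bytes=65536):
    """Walk a directory tree and summarise Ymir-style impact.

    Returns a dict with:
      encrypted   - (path, entropy) for every file carrying the extension
      anomalies   - files carrying the extension whose content is NOT high-entropy
                    (renamed but not encrypted, or truncated: worth a manual look)
      notes       - PDFs sitting beside encrypted files; the article says the note
                    is a PDF but gives no filename, so only candidates are flagged
      directories - number of distinct directories containing encrypted files
    """
    root = Path(root)
    encrypted, anomalies, hit_dirs = [], [], set()
    for path in root.rglob("*"):
        if not path.is_file() or not path.name.endswith(extension):
            continue
        with path.open("rb") as fh:
            entropy = shannon_entropy(fh.read(sample_bytes))
        encrypted.append((str(path), round(entropy, 2)))
        hit_dirs.add(path.parent)
        if entropy < entropy_threshold:
            anomalies.append(str(path))
    notes = sorted(str(pdf) for d in hit_dirs for pdf in d.glob("*.pdf"))
    return {
        "encrypted": sorted(encrypted),
        "anomalies": sorted(anomalies),
        "notes": notes,
        "directories": len(hit_dirs),
    }


def build_sample_tree() -> str:
    """Create a constructed sample tree (not real Ymir artefacts) for a dry run."""
    root = tempfile.mkdtemp(prefix="ymir-triage-")
    docs = Path(root) / "docs"
    docs.mkdir()
    # Stand-in for a ChaCha20-encrypted file: random bytes, renamed with the extension.
    (docs / ("report.docx" + YMIR_EXTENSION)).write_bytes(os.urandom(4096))
    # Extension present but content is not random: should surface as an anomaly.
    (docs / ("fill.txt" + YMIR_EXTENSION)).write_bytes(b"A" * 4096)
    # Candidate ransom note; this filename is invented for the demo.
    (docs / "note.pdf").write_bytes(b"%PDF-1.4\n% constructed placeholder\n")
    # Untouched file outside the affected directory.
    (Path(root) / "clean.txt").write_text("nothing to see here\n")
    return root


def demo() -> dict:
    """Run the triage over the constructed tree and return the summary."""
    return triage_tree(build_sample_tree())


if __name__ == "__main__":
    summary = demo()
    for path, entropy in summary["encrypted"]:
        print(f"{entropy:5.2f}  {path}")
    print("anomalies:", summary["anomalies"])
    print("note candidates:", summary["notes"])
    print("directories hit:", summary["directories"])
```

The entropy threshold of 7.5 is deliberately conservative: a 64 KiB sample of cipher output scores about 7.99, and a renamed plaintext file rarely exceeds 6, so the gap is wide enough that a false positive here is more likely to be a compressed archive than an unencrypted file.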

Researchers found that Ymir launches PowerShell to delete itself after execution, leaving minimal forensic evidence. Process-tree analysis showed PowerShell executing a self-destruct command, reducing traceability on the victim’s system.
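The self-deletion step leaves a distinctive shape in process-creation telemetry: a non-shell executable spawns PowerShell, and that PowerShell command line deletes the parent’s own image path. The detector below is an added example, not code from Securelist or a published rule for Ymir, and the article does not quote the actual command line, so the sample events (PIDs, paths and the Remove-Item command) are constructed. It joins each PowerShell process to its parent by PID, and fires only when a delete verb (Remove-Item or its aliases) and the parent’s executable path appear together in the command line, which keeps routine administrative clean-up from alerting.

```python
import ntpath
import re

# PowerShell cmdlet and aliases that delete files. The lookarounds stop "rm" from
# matching inside "rmdir" and "del" from matching inside "Model".
DELETE_VERBS = re.compile(r"(?<![\w-])(remove-item|ri|rm|del|erase)(?![\w-])", re.IGNORECASE)
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def detect_self_deletion(events):
    """Flag PowerShell children whose command line deletes the parent's own image.

    events: process-creation records with pid, ppid, image (full path) and cmdline,
    as Sysmon event 1 or EDR telemetry would supply them.
    Returns one finding per suspicious PowerShell process.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() not in POWERSHELL_IMAGES:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent exited before telemetry caught it; nothing to join on
        cmd = e["cmdline"]
        # Self-deletion: a delete verb and the parent's executable path in one command line.
        if DELETE_VERBS.search(cmd) and parent["image"].lower() in cmd.lower():
            findings.append({
                "powershell_pid": e["pid"],
                "parent_pid": parent["pid"],
                "parent_image": parent["image"],
                "cmdline": cmd,
            })
    return findings


# Constructed sample events (not telemetry from the Ymir case; the article does not
# give the real command line). PIDs, paths and the payload name are invented.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Hypothetical payload launched from the desktop.
    {"pid": 200, "ppid": 100, "image": r"C:\Users\Public\payload.exe",
     "cmdline": r"C:\Users\Public\payload.exe"},
    # Payload spawns PowerShell to remove its own binary after a short delay.
    {"pid": 201, "ppid": 200, "image": PS_IMAGE,
     "cmdline": "powershell.exe -Command \"Start-Sleep 5; Remove-Item -Force "
                "'C:\\Users\\Public\\payload.exe'\""},
    # Same parent, but the child only lists processes: not self-deletion.
    {"pid": 202, "ppid": 200, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh.exe -c Get-Process"},
    # Benign admin activity from Explorer: no delete verb.
    {"pid": 300, "ppid": 100, "image": PS_IMAGE,
     "cmdline": "powershell.exe -NoProfile Get-ChildItem C:\\Temp"},
    # Benign clean-up: deletes a log, not the parent's image.
    {"pid": 301, "ppid": 100, "image": PS_IMAGE,
     "cmdline": "powershell.exe Remove-Item C:\\Temp\\old.log"},
]


if __name__ == "__main__":
    for hit in detect_self_deletion(SAMPLE_EVENTS):
        print(f"pid {hit['powershell_pid']} deletes parent {hit['parent_pid']} "
              f"({hit['parent_image']}): {hit['cmdline']}")
```

Matching on the parent’s full image path rather than just the filename is what keeps the rule tight; a deliberately evasive sample could instead pass a short name, an environment variable or a wildcard, so in production this heuristic belongs alongside, not instead of, a rule on any PowerShell child of an unsigned or newly written executable.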

Instructions provided to victims by Ymir ransomware operators for data recovery. | Source: Securelist

Further investigation traced the attackers’ initial access to an earlier intrusion using RustyStealer, a credential-stealing malware observed on domain controllers in the victim’s network. RustyStealer gave the attackers control over those systems, enabling them to deploy additional malware, including the SystemBC proxy malware for covert communication.

PowerShell scripts associated with SystemBC created communication channels to specific command-and-control (C2) servers. Those servers could have carried data exfiltration over HTTP or FTP, suggesting the attackers may have extracted sensitive data before deploying Ymir.

The emergence of Ymir underscores the evolving relationship between credential-stealing botnets and ransomware operators. Researchers emphasise the necessity for layered security, real-time threat intelligence, and rapid incident response to mitigate future ransomware attacks of this nature.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
