Researchers spotted a brand new Ymir ransomwareThis new strain teamed up with a group deploying infostealersThere is a chance that the entire operation was done by a single actor
Two hacking groups have been recently observed working together to infect a victim – one to establish initial persistence and steal information, and one to encrypt the systems and demand a ransomware payment.
Researchers from Kaspersky recently investigated one such incident in Colombia, where the unnamed company first got infected by RustyStealer, an infostealing malware capable of grabbing login credentials, sensitive files, and more.
This part of the attack was likely conducted by one set of criminals who, once their part was done, handed the access over to a second group.
Single actor?
The second group first made sure its encryptor doesn’t trigger any antivirus or antimalware alarms. To that end, they installed different tools, such as Process Hacker and AdvancedIP Scanner. “Eventually, after reducing system security, the adversary ran Ymir to achieve their goals,” the researchers conclude.
Ymir is the name of both the encryptor and the threat actor behind it, and is also a relatively new entrant in the ransomware space. The malware is quite unique, too, in that it operates entirely from memory, taking advantage of different functions such as ‘malloc’, ‘memove’, and ‘memcmp’ to prevent being detected.
While teamwork is not a foreign word in the world of cybercrime, there is also a slight possibility that this entire operation was done by a single actor. In that case, it would mark an entirely different approach to ransomware attacks, and possibly a notable shift in how ransomware attacks are conducted.
“If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups,” Kaspersky researcher Cristian Souza said.
In any case, it is possible that Ymir will grow into a formidable threat actor, infecting more companies in the months to come.
Via The Hacker News
You might also like
Halliburton hit by cyberattack disrupting operationsHere’s a list of the best firewalls todayThese are the best endpoint protection tools right now