Share This:

Cybersecurity Threat Advisory

A new ransomware family, Ymir, has been discovered. It is an unconventional combination of memory management functions (like malloc, memmove, and memcmp) that executes malicious code directly in the memory. Continue reading this Cybersecurity Threat Advisory to learn how to mitigate your risk.

What is the threat?

Ymir is a ransomware variant that allows for customizations. It uses the “-path” command to enable attackers to specify a directory where the ransomware should search for files. An ‘Allowed’ list file may be left unencrypted, giving attackers control over which files to encrypt. A recent cyberattack was observed to be using Ymir where the threat actors have previously delivered the RustyStealer malware to gather corporate credentials. It appears that the attack was orchestrated by two groups where the first group establishes the initial persistence and steal information; the second group then goes in to encrypt the systems.

Why is it noteworthy?

This ransomware variant uses tools such as Advanced IP Scanner and Process Hacker. The attack utilizes two scripts from the SystemBC malware, allowing attackers to set up covert channels to remote IP addresses for exfiltrating files of 40 kilobytes (KB) or greater. Ymir is also notable for its in-memory execution. In-memory execution is a technique malware uses to evade detection by antivirus software. It also uses PDF files as ransom notes as well as the African Lingala language in its coding.

What is the exposure or risk?

Ymir is a novel Windows ransomware strain that operates entirely from memory, so it is a threat to users with Windows Registry. A key risk associated with Ymir is that it is deployed once the RustyStealer is in place. RustyStealer had infiltrated numerous systems within the targeted infrastructure two days before Ymir’s deployment.

What are the recommendations?

Barracuda recommends the following actions to mitigate the effects of Ymir:

  • Employ an endpoint detection and response (EDR) solution, such as Barracuda XDR Endpoint Security, for proactive detection of malware and ransomware.
  • Backup your data to offline or cloud storage regularly.
  • Update security patches promptly to reduce vulnerability in your environment.

References

For more in-depth information on the above recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.


Share This:
Zachary Beaudet

Posted by Zachary Beaudet

Zachary is a Cybersecurity Analyst at Barracuda MSP. He's a security expert, working on our Blue Team within our Security Operations Center. Zachary supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.

Leave a reply

Your email address will not be published. Required fields are marked *