New Ymir ransomware discovered used together with RustyStealer | Securelist
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
A new ransomware called Ymir was discovered during an incident response case. It uses memory operations to evade detection and employs the ChaCha20 cipher for encryption. The attackers gained initial access via PowerShell commands and installed tools like Process Hacker before deploying Ymir. The ransomware encrypts files, appends the .6C5oy2dVr6 extension, and drops PDF ransom notes. It uses PowerShell to self-delete after execution. A test variant was also identified. The attack was preceded by infections with RustyStealer malware and SystemBC scripts used for data exfiltration. The incident highlights the connection between initial access brokers and ransomware groups.
OPENCTI LABELS :
powershell,ransomware,incident response,systembc,encryption,chacha20,rustystealer,ymir
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
New Ymir ransomware discovered used together with RustyStealer | Securelist