Kaspersky Finds New Ransomware Type Dubbed Ymir

Illustration of ransomware (photo: Pexels)

JAKARTA - The Kaspersky Global Emergency Response Team (Kaspersky's Global Emergency Response Team) has identified a new type of ransomware, which was previously invisible and actively used.

Dubbed the name "Ymir", this type of ransomware used in employee credentials theft attacks using advanced encryption and disguise methods.

In addition, this ransomware also selectively targets files and seeks to evade detection. The Ymir ransomware introduces a unique combination of technical features and tactics that increase their effectiveness. Among them are:

A memory manipulation technique that is not common for disguise. Threat actors take advantage of a mixture of unconventional memory management functions mloc, move, and trade to execute malicious codes directly within the memory.

The use of data-stealing malware (malware data-stealing). In the attacks observed by Kaspersky experts, which occurred in an organization in Colombia, cybercriminals were seen using AFTERstealer, a type of malware that stole information, to obtain corporate credentials from employees.

This information is then used to gain access to the organization's system and maintain control for a long time to deploy ransomware.

The encryption algorithm is advanced. The ransomware uses ChaCha20, a modern crypto stream known for its speed and security, even outperforms the Advanced Encryption Standard (AES).

Although the perpetrators of the threat behind this attack have not publicly shared any stolen data or made further demands, the researchers are closely monitoring it for any new activity.

We haven't observed any new ransomware groups appearing on the dark web yet. Given this, the question of which group is behind the ransomware still hasn't been found, and we suspect this may be a new campaign," explained Cristian Souza, Incident Response Specialist at Kaspersky Global Emergency Response Team.