Related Families: RustyStealer
Executive Summary
Ymir is a new ransomware family that was recently observed encrypting systems previously compromised by RustyStealer. PolySwarm analysts consider Ymir to be an emerging threat.
Key Takeaways
- Ymir is a new ransomware family that was recently observed encrypting systems previously compromised by RustyStealer.
- Ymir is unique for several reasons, including in-memory execution, use of the African Lingala language in the code comments, PDF ransom notes, and extension configuration options.
- Using information stealers as initial access brokers may lead to a surge in Ymir attacks.
- PolySwarm analysts consider Ymir to be an emerging threat.
What is Ymir?
Ymir is a new ransomware family that was recently observed encrypting systems previously compromised by RustyStealer. PolySwarm analysts consider Ymir to be an emerging threat. Kaspersky reported on Ymir.
Ymir has been active in the wild since July 2024. The threat actors behind Ymir targeted systems previously compromised by RustyStealer. They likely used stolen credentials for initial access to the target environment. Kaspersky noted Ymir’s use of information stealers as access brokers could lead to Ymir becoming a prolific ransomware family.
Ymir is unique for several reasons, including in-memory execution, use of the African Lingala language in the code comments, PDF ransom notes, and extension configuration options. Ymir also includes detection evasion features. The threat actors use the malloc, memmove, and memcmp memory-management functions to execute malicious code directly in memory rather than from a file on disk.
When launched, Ymir performs system reconnaissance, which may help it detect a sandbox environment. For file encryption, Ymir uses ChaCha20. Encrypted files are appended with a seemingly random extension, and a PDF file of the ransom note is placed in each directory containing encrypted files. Ymir also modifies the “legalnoticecaption” Windows Registry value to display a ransom demand when a user attempts to log in to the affected device. Following encryption, Ymir scans the system for PowerShell and uses it to delete its own executable to help thwart detection and analysis.
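The three post-encryption behaviours described above (logon-banner registry change, one ransom-note PDF per affected directory, PowerShell deleting the ransomware executable) translate directly into hunting logic. The Python below is an added example, not PolySwarm's or Kaspersky's code; it runs over constructed Sysmon-style event records (registry event 13, file-create event 11, process-create event 1), and the sample paths, note filename and command lines are assumptions, not indicators from the samples.

```python
"""Hunt for the Ymir post-encryption chain in Sysmon-style event records."""
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like schema (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\Public\payload.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\legalnoticecaption",
     "Details": "Your files are encrypted"},
    {"EventID": 11, "Image": r"C:\Users\Public\payload.exe",
     "TargetFilename": r"C:\Users\alice\Documents\INCIDENT_REPORT.pdf"},
    {"EventID": 11, "Image": r"C:\Users\Public\payload.exe",
     "TargetFilename": r"C:\Users\alice\Pictures\INCIDENT_REPORT.pdf"},
    {"EventID": 11, "Image": r"C:\Users\Public\payload.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\INCIDENT_REPORT.pdf"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -c "Remove-Item -Force C:\Users\Public\payload.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},  # benign, must not alert
]

# Logon banner values live under Policies\System; Ymir touches legalnoticecaption.
LEGAL_NOTICE = re.compile(r"\\Policies\\System\\legalnotice(caption|text)$", re.I)
# PowerShell removing an .exe: the self-deletion step after encryption.
SELF_DELETE = re.compile(r"(Remove-Item|\bdel\b|\brm\b).*\.exe", re.I)


def find_ymir_indicators(events, pdf_dir_threshold=3):
    """Return (rule, detail) tuples for events matching the Ymir chain."""
    hits = []
    pdf_dirs = defaultdict(set)  # pdf filename -> directories it was created in
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and LEGAL_NOTICE.search(ev.get("TargetObject", "")):
            hits.append(("logon_notice_modified", ev.get("Details", "")))
        elif (eid == 1 and ev.get("Image", "").lower().endswith("powershell.exe")
              and SELF_DELETE.search(ev.get("CommandLine", ""))):
            hits.append(("powershell_exe_deletion", ev["CommandLine"]))
        elif eid == 11 and ev.get("TargetFilename", "").lower().endswith(".pdf"):
            directory, _, name = ev["TargetFilename"].rpartition("\\")
            pdf_dirs[name.lower()].add(directory)
    # The same PDF written into many directories is the ransom-note drop pattern.
    for name, dirs in pdf_dirs.items():
        if len(dirs) >= pdf_dir_threshold:
            hits.append(("ransom_note_spread", f"{name} in {len(dirs)} directories"))
    return hits
```

Each rule alone is noisy (admins set logon banners, users save PDFs); the value is in seeing all three from one host in a short window, so feed the output into correlation rather than alerting on a single hit.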
IOCs
PolySwarm has multiple samples associated with this activity.
7c00152cc68f0104e7436f9ce8b4c99e685d05f4361f50af307d4bfdbc90bca0
8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c
b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a
You can use the following CLI command to search for all Ymir samples in our portal:
$ polyswarm link list -f Ymir