of stealthy in-memory exploits, combined with selective file encryption and malicious routines executed before payload deployment, resulting in the evasion of intrusion detection.”<\/p>\n
Ymir utilizes fileless execution through script-based launchers and payloads hidden within the victim’s computer memory.<\/p>\n
These techniques render traditional signature-based defensive measures quite ineffective.<\/p>\n
Ymir’s memory-resident nature obliges it to encrypt files during its first execution itself as it disappears from the system memory after a reboot, leaving few traces behind.<\/p>\n
This lends it a stealthy profile that aids in sneaking past various intrusion detection systems.<\/p>\n
Ymir typically follows a two-stage attack process.<\/p>\n
The first stage involves a seemingly benign executable (.exe) using AutoIt (a freeware automation language) to unpack and unencrypt a PowerShell script.<\/p>\n
The script then downloads a secondary payload from a remote server and executes it directly in memory.<\/p>\n
This modus operandi evades detection, as the malware never writes the secondary payload to disk.<\/p>\n
The second stage is rather unique where Ymir prioritizes encryption of corporate file types such as .docx, .xlsx, and .pptx.<\/p>\n
However, in a novel departure from typical ransomware behavior, it avoids encrypting system files that might alert administrators with system errors.<\/p>\n
A large-scale IT company recently fell victim to an Ymir ransomware attack.<\/p>\n
Personal files and vital company databases exceeded 10TB of data encrypted overnight.<\/p>\n
Although they had beefed up security measures, due to the sophisticated tactics employed by Ymir, intrusion was undetected.<\/p>\n
Cybersecurity experts suggest a multi-fold approach to deal with threats like Ymir.<\/p>\n
Experts advocate deploying advanced endpoint detection and response (EDR) measures capable of detecting anomalies in system behavior should receive priority.<\/p>\n
Enterprises should adopt prevention techniques such as regular patching of software, restricting PowerShell use, and staff education on phishing scams.<\/p>\n
1.<\/p>\n
Russian cybersecurity vendor Kaspersky: https:\/\/www.kaspersky.com\/about\/press-releases\/2021ymir-ransomware<\/a><\/p>\n 1.<\/p>\n Advanced endpoint detection and response (EDR) measures: https:\/\/www.gartner.com\/en\/information-technology\/glossary\/endpoint-detection-and-response-edr<\/a><\/p>\n 2.<\/p>\n The importance of regular software patching: https:\/\/www.csoonline.com\/article\/3235944\/why-patching-is-still-a-problem-and-how-to-fix-it.html<\/a><\/p>\n 3.<\/p>\n
\nFollow-Up Reading:<\/h2>\n