November 12, 2024 at 02:06AM
Cybersecurity researchers have identified a new ransomware family, Ymir, linked to an attack in Colombia in which systems had first been compromised by RustyStealer malware. Ymir’s distinctive use of memory management functions enhances its stealth. Despite the rise in the number of ransomware groups, attacks dropped 10% month-over-month, prompting discussions on countermeasures, including cyber insurance policy reforms.
### Meeting Takeaways on Recent Cybersecurity Trends
**1. Introduction of Ymir Ransomware:**
– A new ransomware variant named Ymir has been identified, deployed shortly after an attack involving RustyStealer malware in Colombia.
– Ymir utilizes unique memory management functions to enhance its stealth and effectiveness, directly executing malicious code in memory.
**2. Attack Mechanism:**
– Attackers gathered corporate credentials using RustyStealer, facilitating unauthorized network access to deploy Ymir ransomware.
– Kaspersky’s insight indicates a potential trend where the same actors may handle both the credential theft and ransomware deployment, deviating from traditional Ransomware-as-a-Service models.
**3. Tools and Techniques Used:**
– Attackers installed tools such as Advanced IP Scanner and Process Hacker, along with scripts from SystemBC malware for covert file exfiltration.
– Ymir encrypts files using the ChaCha20 algorithm and appends a unique extension for identification. It can also skip files on a whitelist, providing attackers with selective control over encryption.
**4. Evolving Tactics from Other Ransomware Groups:**
– Attackers from the Black Basta group are now using Microsoft Teams for communication and employing malicious QR codes for access.
– Techniques such as vishing and impersonation as IT support have been used to gain remote access via software like AnyDesk and Quick Assist.
**5. Vulnerabilities Targeted:**
– Ransomware families Akira and Fog are exploiting unpatched SonicWall SSL VPNs, leading to a notable increase in incidents in recent months.
**6. Growth and Fragmentation of Ransomware Groups:**
– The active ransomware group count has surged 30% year-over-year, with 31 new groups emerging despite a decline in the overall number of victims.
– Reports indicate 407 ransomware cases in September 2024, a decline from 450 in August; however, this is still higher than the same period last year.
**7. Politically Motivated Attacks:**
– Hacktivist groups like CyberVolk are using ransomware for politically motivated attacks as a form of retaliation.
**8. U.S. Government Response:**
– U.S. officials are advocating for changes in cyber insurance policies to discourage ransom payments, since such payments sustain the cybercrime ecosystem.
### Next Steps:
– Monitor developments regarding Ymir ransomware and emerging security threats.
– Evaluate cybersecurity policies and disaster recovery plans in light of these evolving tactics and trends.
– Remain vigilant in training employees on identifying phishing and vishing attempts.