Two major hacking groups are teaming up for dangerous new ransomware attacks
- Researchers have discovered a brand new Ymir ransomware
- This new strain was deployed in collaboration with a group that uses infostealers
- There is a chance that the entire operation was carried out by one actor
Recently, two hacking groups have been observed working together to infect a victim: one to establish initial persistence and steal information, and one to encrypt the systems and demand a ransom payment.
Kaspersky researchers recently investigated such an incident in Colombia, where the unnamed company was first infected by RustyStealer, an information-stealing malware that can obtain login credentials, sensitive files, and more.
This part of the attack was likely carried out by a group of criminals who, once their part was done, handed over access to a second group.
Single actor?
The second group first made sure that the encryptor did not trigger any anti-virus or anti-malware alarms. To this end, they installed various tools, such as Process Hacker and Advanced IP Scanner. “Ultimately, after reducing system security, the adversary ran Ymir to achieve its goals,” the researchers concluded.
Ymir is the name of both the encryptor and the threat actor behind it, and it is a relative newcomer to the ransomware space. The malware is unusual in that it operates entirely from memory, using standard C runtime functions such as ‘malloc’, ‘memmove’ and ‘memcmp’ to avoid detection.
While teamwork is nothing new in the world of cybercrime, there is also a remote possibility that this entire operation was carried out by a single actor. If so, it would mark a completely different approach to ransomware attacks, and potentially a notable change in the way such attacks are carried out.
“If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, opening up additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups,” said Kaspersky researcher Cristian Souza.
In any case, it is possible that Ymir will grow into a formidable threat actor, infecting even more companies in the coming months.
Via The Hacker News