Two major hacking groups are teaming up for dangerous new ransomware attacks


  • Researchers spotted a brand new Ymir ransomware
  • This new strain teamed up with a group deploying infostealers
  • There is a chance that the entire operation was done by a single actor

Two hacking groups have been recently observed working together to infect a victim – one to establish initial persistence and steal information, and one to encrypt the systems and demand a ransomware payment.

Researchers from Kaspersky recently investigated one such incident in Colombia, where the unnamed company first got infected by RustyStealer, an infostealing malware capable of grabbing login credentials, sensitive files, and more.

This part of the attack was likely conducted by one set of criminals who, once their part was done, handed the access over to a second group.

Single actor?

The second group first made sure its encryptor doesn’t trigger any antivirus or antimalware alarms. To that end, they installed different tools, such as Process Hacker and AdvancedIP Scanner. “Eventually, after reducing system security, the adversary ran Ymir to achieve their goals,” the researchers conclude.

Ymir is the name of both the encryptor and the threat actor behind it, and is also a relatively new entrant in the ransomware space. The malware is quite unique, too, in that it operates entirely from memory, taking advantage of different functions such as ‘malloc’, ‘memove’, and ‘memcmp’ to prevent being detected.

While teamwork is not a foreign word in the world of cybercrime, there is also a slight possibility that this entire operation was done by a single actor. In that case, it would mark an entirely different approach to ransomware attacks, and possibly a notable shift in how ransomware attacks are conducted.

“If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups,” Kaspersky researcher Cristian Souza said.

In any case, it is possible that Ymir will grow into a formidable threat actor, infecting more companies in the months to come.

Via The Hacker News

Related posts

Finance giant Finastra warns clients of potential data breach

Let’s keep in touch: TCL CSOT is the biggest name in display tech that you’ve probably never heard of

If this Sonos TV streaming box report is right, it’s doomed before it ever launches

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Read More