Operators of the newly emergent Ymir ransomware and RustyStealer information-stealing malware have joined hands in new attacks, according to BleepingComputer.
Numerous systems were initially compromised with the RustyStealer credential-harvesting tool, which enabled the takeover of high-privilege accounts and lateral movement before SystemBC-related scripts were executed and data was exfiltrated over two days, an analysis by Kaspersky researchers showed. The attackers then deployed the Ymir ransomware, which performs system reconnaissance and skips certain file extensions before encrypting files with the ChaCha20 stream cipher, Kaspersky reported. Besides changing the Windows Registry "legalnoticecaption" value to display the ransom demand, Ymir also removes its executable once it detects PowerShell on the targeted system. Despite lacking a leak site, Ymir could prove to be a severe cybersecurity threat because of its use of infostealer payloads to broker initial access, according to the researchers.