Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Two major hacking groups are teaming up for dangerous new ransomware attacks

Kaspersky
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted.".
  • Researchers spotted a brand new Ymir ransomware
  • This new strain teamed up with a group deploying infostealers
  • There is a chance that the entire operation was done by a single actor

Two hacking groups have been recently observed working together to infect a victim - one to establish initial persistence and steal information, and one to encrypt the systems and demand a ransomware payment.

Researchers from Kaspersky recently investigated one such incident in Colombia, where the unnamed company first got infected by RustyStealer, an infostealing malware capable of grabbing login credentials, sensitive files, and more.

This part of the attack was likely conducted by one set of criminals who, once their part was done, handed the access over to a second group.

Single actor?

The second group first made sure its encryptor doesn’t trigger any antivirus or antimalware alarms. To that end, they installed different tools, such as Process Hacker and AdvancedIP Scanner. “Eventually, after reducing system security, the adversary ran Ymir to achieve their goals,” the researchers conclude.

Ymir is the name of both the encryptor and the threat actor behind it, and is also a relatively new entrant in the ransomware space. The malware is quite unique, too, in that it operates entirely from memory, taking advantage of different functions such as ‘malloc’, ‘memove’, and ‘memcmp’ to prevent being detected.

While teamwork is not a foreign word in the world of cybercrime, there is also a slight possibility that this entire operation was done by a single actor. In that case, it would mark an entirely different approach to ransomware attacks, and possibly a notable shift in how ransomware attacks are conducted.

"If the brokers are indeed the same actors who deployed the ransomware, this could signal a new trend, creating additional hijacking options without relying on traditional Ransomware-as-a-Service (RaaS) groups," Kaspersky researcher Cristian Souza said.

In any case, it is possible that Ymir will grow into a formidable threat actor, infecting more companies in the months to come.

Via The Hacker News

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
"Worm": Keith Lee shuts down sushi joint
FOB Sushi Bar has closed its Bellevue and Seattle restaurant locations
Salon
Salon
I don't watch a lot of anime, but even I’m shocked that Scott Pilgrim Takes Off has been canceled by Netflix
One of the best anime series Scott Pilgrim Takes Off has been canceled by Netflix after one season.
TechRadar
TechRadar
Coachella 2025 has unveiled its full lineup with Post Malone, Green Day and Lady Gaga
Green Day, Post Malone and Lady Gaga have been announced as headliners for Coachella 2025.
BANG Premier
BANG Premier
People around world associate rolled R with a jagged line, study finds
Speakers of 28 languages linked sound and shape at least 88% of the time, in ‘strongest case of sound symbolism to date’
The Guardian - UK
The Guardian - UK
8 revelations from Cher's memoir
Cher details some of the famous people she grew up with and the desperation she felt being married to Sonny Bono
Salon
Salon
Trump's Grammatical Time Machine
The president-elect uses conditional grammar to craft self-fulfilling speculative historical fiction.
Reason
Reason
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.
Download on the AppStore Get it on Google Play