One Article Review

Source RiskIQ
Identifier 8610633
Publication date 2024-11-13 20:50:44 (viewed: 2024-11-13 21:12:54)
Title Ymir: New Stealthy Ransomware in the Wild
Text
## Snapshot
Researchers at Kaspersky have identified a new ransomware family named "Ymir". It evades detection by performing its operations in memory and uses the ChaCha20 stream cipher for file encryption.

## Description
The attackers initially gained access through remote PowerShell commands, installed reconnaissance tools such as Process Hacker and Advanced IP Scanner, and weakened the system's security before executing Ymir. The ransomware drops a ransom note in PDF format in every directory, falsely claiming that data was stolen, although it has no network capabilities of its own. Data theft appears instead to happen by other means: a separate threat, RustyStealer, which lets the attackers control machines and gather information, was present on the same systems. In a related incident in Colombia, attackers compromised a domain controller using credentials obtained by RustyStealer, moved laterally within the network using WinRM and PowerShell, and executed scripts associated with the proxy malware SystemBC. These scripts established covert channels to C2 servers for data exfiltration. The initial RustyStealer sample was a PE file named "AudioDriver2.0.exe" that connected to a C2 server active since August 2024. The Ymir deployment was followed by efforts to cover tracks, including locating PowerShell in order to delete itself after execution. Files encrypted by Ymir are currently undecryptable, and the attackers have not presented a dedicated leak site. The analysis revealed a link between stealer botnets acting as access brokers and subsequent ransomware execution. TTPs for both Ymir and RustyStealer are provided, including file and directory discovery, system information discovery, PowerShell scripting, data encryption for impact, and evasion techniques.

## Recommendations
Microsoft recommends the following mitigations to defend against this threat:
- Keep software up to date. Apply new security patches as soon as possible.
- Turn on [cloud-delivered protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?ocid=magicti_ta_learndoc) in Microsoft Defender Antivirus, or the equivalent for your antivirus product, to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a majority of new and unknown variants.
- Enable [network protection](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide?ocid=magicti_ta_learndoc) to help prevent access to malicious domains.
- Run endpoint detection and response [(EDR) in block mode](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/edr-in-block-mode?ocid=magicti_ta_learndoc) so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Configure [investigation and remediation](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/automated-investigations?ocid=magicti_ta_learndoc) in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Read our [ransomware threat overview](https://security.microsoft.com/threatanalytics3/05658b6c-dc62-496d-ad3c-c6a795a33c27/analystreport) for advice on developing a holistic security posture to prevent ransomware, including credential hygiene and hardening.

Microsoft Defender customers can turn on [attack surface reduction rules](https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction?ocid=magicti_ta_learndoc) to help prevent common attack techniques used by Onyx Sleet:
- [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](https://learn.microsoft.co
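The description above lists a chain of observable stages (PowerShell launched through WinRM, Process Hacker and Advanced IP Scanner on disk, security weakened before the payload, a PDF note written to every directory, PowerShell used to delete the binary afterwards). The following Python script is an added example of how a SOC analyst could correlate those stages per host over endpoint telemetry; it is not detection content from Kaspersky, Microsoft or RiskIQ. It assumes Sysmon-style event fields (`host`, `parent`, `image`, `cmdline`, `path`), assumes the tool binary names `processhacker.exe` and `advanced_ip_scanner.exe`, uses the real WinRM host process `wsmprovhost.exe` as the parent that marks remote PowerShell, and matches behaviour with heuristics written for this example. All events, hosts, paths and the `payload.exe` and `README.pdf` names are constructed and are not indicators from the article.

```python
"""Added hunting example (not Kaspersky's or Microsoft's detection content).

Correlates the TTP stages described in the write-up over process-creation
and file-creation events. Field names are Sysmon/Defender-style assumptions;
every event below is constructed for this example.
"""
import re
from collections import defaultdict

# Assumed binary names for the tools named in the article.
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
RECON_TOOLS = {"processhacker.exe", "advanced_ip_scanner.exe"}
WINRM_HOST = "wsmprovhost.exe"   # hosts remote PowerShell sessions over WinRM

# Constructed process-creation events (Sysmon Event ID 1 style).
PROCESS_EVENTS = [
    {"ts": 1, "host": "DC01", "parent": "C:\\Windows\\System32\\wsmprovhost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\Public\\s.ps1"},
    {"ts": 2, "host": "WS07", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Users\\Public\\ProcessHacker.exe", "cmdline": "ProcessHacker.exe"},
    {"ts": 3, "host": "WS07", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\advanced_ip_scanner.exe", "cmdline": "advanced_ip_scanner.exe"},
    {"ts": 4, "host": "WS07", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": 5, "host": "WS07", "parent": "C:\\Users\\Public\\payload.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c \"Start-Sleep 5; Remove-Item 'C:\\Users\\Public\\payload.exe' -Force\""},
    {"ts": 6, "host": "WS12", "parent": "C:\\Windows\\System32\\svchost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},   # benign, must not match
]

# Constructed file-creation events (Sysmon Event ID 11 style): the same PDF name
# dropped into several directories by one process, plus one ordinary PDF save.
FILE_EVENTS = [
    {"ts": 7 + i, "host": "WS07", "image": "C:\\Users\\Public\\payload.exe",
     "path": "C:\\Users\\alice\\" + d + "\\README.pdf"}
    for i, d in enumerate(["Documents", "Pictures", "Desktop", "Downloads", "Music"])
] + [
    {"ts": 20, "host": "WS12", "image": "C:\\Program Files\\Office\\winword.exe",
     "path": "C:\\Users\\bob\\Documents\\report.pdf"},
]


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_process(ev):
    """Return the TTP stages one process-creation event matches (heuristics)."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    stages = []
    if img in RECON_TOOLS:
        stages.append("recon_tool")            # Process Hacker / Advanced IP Scanner
    if img in PS_IMAGES and parent == WINRM_HOST:
        stages.append("winrm_powershell")      # PowerShell launched through a WinRM session
    if img in PS_IMAGES and re.search(r"set-mppreference\s.*-disable\w+", cmd, re.I):
        stages.append("defender_weakened")     # "reduced system security" before the payload
    if (img in PS_IMAGES and re.search(r"remove-item|\bdel\b", cmd, re.I)
            and re.search(r"\.exe\b", cmd, re.I)):
        stages.append("ps_delete_executable")  # PowerShell deleting a binary: cover-tracks step
    return stages


def note_bursts(file_events, min_dirs=3):
    """Find a process writing one PDF file name into at least min_dirs directories."""
    dirs = defaultdict(set)   # (host, process, file name) -> directories written to
    for ev in file_events:
        directory, _, name = ev["path"].rpartition("\\")
        if name.lower().endswith(".pdf"):
            dirs[(ev["host"], basename(ev["image"]), name.lower())].add(directory.lower())
    return {k: len(v) for k, v in dirs.items() if len(v) >= min_dirs}


def hunt(process_events, file_events):
    """Per host, the sorted set of matched stages; hosts with no match are omitted."""
    stages = defaultdict(set)
    for ev in process_events:
        stages[ev["host"]].update(classify_process(ev))
    for (host, _, _) in note_bursts(file_events):
        stages[host].add("ransom_note_burst")
    return {h: sorted(s) for h, s in stages.items() if s}


if __name__ == "__main__":
    for host, matched in hunt(PROCESS_EVENTS, FILE_EVENTS).items():
        print(host, matched)
```

Run stand-alone, the script reports WS07 with four matched stages and DC01 with only the WinRM-spawned PowerShell, while the benign WS12 activity is not reported. Each individual rule is noisy on its own (administrators also run Process Hacker, and WinRM-launched PowerShell is normal in many estates), which is why the output is a per-host stage set rather than a verdict: the article's point is the chain, so an alert threshold should require two or more stages on one host within a short window. The ransom-note rule keys on one process writing the same `.pdf` name into many directories because the article does not name the note file.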
Notes ★★
Sent Yes
Tags Ransomware Malware Tool Threat
Stories APT 45


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.