{
	"id": "19b62b89-fbe5-4758-8d24-890adcea01db",
	"created_at": "2026-04-06T00:13:57.242053Z",
	"updated_at": "2026-04-10T03:21:39.290887Z",
	"deleted_at": null,
	"sha1_hash": "16a0deba6f5dec9a13188835469c571852735cd3",
	"title": "Ymir: new stealthy ransomware in the wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2370163,
	"plain_text": "Ymir: new stealthy ransomware in the wild\r\nBy Cristian Souza\r\nPublished: 2024-11-11 · Archived: 2026-04-05 17:10:00 UTC\r\nIntroduction\r\nIn a recent incident response case, we discovered a new and notable ransomware family in active use by the attackers, which we named “Ymir”. The artifact has interesting features, including a large set of operations performed in memory with the help of the malloc, memmove and memcmp function calls.\r\nIn the case we analyzed, the attacker was able to gain access to the system via PowerShell remote control commands. After that, they installed multiple tools for malicious actions, such as Process Hacker and Advanced IP Scanner. Eventually, after reducing system security, the adversary ran Ymir to achieve their goals.\r\nIn this post, we provide a detailed analysis of the Ymir ransomware, as well as the tactics, techniques and procedures (TTPs) employed by the attackers.\r\nAnalysis\r\nStatic analysis\r\nOur analysis began with a basic inspection of the artifact. We started by analyzing its properties, such as the file type, relevant strings and capabilities, as shown in the table and images below.\r\nFile type identification\r\nAlthough the binary does not raise suspicions of being packed, as its entropy is not high enough, the presence of API calls to functions like malloc, memmove and memcmp indicates that it allocates and manipulates memory at runtime to perform its malicious functions.\r\nhttps://securelist.com/new-ymir-ransomware-found-in-colombia/114493/\r\nPage 1 of 18\r\nCalls for memory operation functions\r\nThe binary also suspiciously imports functions such as CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, TerminateProcess and WinExec from operating system libraries. 
These API calls are typically found in various ransomware samples.\r\nSuspicious malware imports\r\nEven though most of the sample information is unpacked in memory during runtime, we were able to find some useful indicators in the binary strings, including the ransom note filename and contents in a PDF file, the encryption extension, PowerShell commands, and some hexadecimal integers used by the encryption algorithms, as shown in the following images.\r\nPDF contents\r\nPowerShell auto-delete command and hexadecimal integers\r\nThe attacker used the MinGW compiler, a native Windows port of the GNU Compiler Collection (GCC).\r\nCompiler string\r\nThe following table shows other useful string indicators we found in the course of our analysis.\r\nType | Value | Description\r\nString (command) | powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path | Auto-delete command execution via PowerShell.\r\nString (URL) | hxxps://github[.]com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe | Present in the PDF; software (qTox client) for contacting the attackers.\r\nString | 6C5oy2dVr6 | Encryption extension.\r\nString (filename) | INCIDENT_REPORT.pdf | Ransom note PDF filename. PDFs are placed in various directories.\r\nString (date) | D:20240831154833-06'00' | PDF creation date metadata.\r\nString | x64dbg | Debugger name.\r\nOne interesting fact is that the PDF creation date was August 31, 2024, which matches the binary compilation timestamp (2024-08-31), as shown in the image below.\r\nMalware compilation timestamp\r\nStatic analysis also shows that the PDF used as the ransom note is present in the .data section of the binary. 
The information hardcoded in this kind of file is very useful for creating detection rules and indicators of compromise.\r\nPDF file containing a ransom note\r\nAfter reaching the main function, the malware executes another function with calls to other functions to get system information. To streamline our analysis, we renamed this function to Get_System_Information:\r\nMalware entry point\r\nThe malware also contains some execution restrictions which are activated when certain parameters are set. For example, the --path parameter disables self-delete, allowing the attacker to reuse the binary for other directories.\r\nThe artifact is not deleted when running with the --path parameter\r\nWhile reverse-engineering the sample, we found that it borrowed code from functions related to CryptoPP, an open-source cryptographic library written in C++.\r\nCryptoPP functions\r\nThe malware also has a hardcoded list of file name extensions to exclude from encryption.\r\nFile name extensions to ignore\r\nDynamic analysis\r\nWhile running the ransomware, we spotted hundreds of calls to the memmove function. After analyzing the data, we found that it loaded small fragments of data into memory, assembling the strings and environment variables it needs at runtime. 
The following image shows a fragment of the malware loading environment variables after calling memmove.\r\nEnvironment variables loaded into memory\r\nThe malware constantly uses the memmove function while enumerating subdirectories and files inside the affected system, so they can be encrypted later.\r\nDirectory enumeration\r\nIt also uses memmove to load strings that contain locations in the victim’s filesystem and are used for comparing with common directory names during runtime.\r\nStrings loaded via memmove\r\nDuring the malware execution, some additional libraries are loaded, such as CRYPTSP.dll, rsaenh.dll, bcrypt.dll and kernelbase.dll.\r\nRuntime loading of DLLs\r\nThe artifact uses the stream cipher ChaCha20 algorithm to encrypt files, appending the extension .6C5oy2dVr6 to each encrypted file.\r\nChaCha20 encryption\r\nAdditionally, it copies the PDF contents from the .data section and uses the _write and _fsopen functions to generate a ransom note in PDF format within every directory in the affected system.\r\nRansom note write operation\r\nThe ransom note informs the victim about what happened to the affected system and instructs them to contact the attackers for a deal. Although the note mentions that the attackers have stolen the data from the affected machine, the malware does not have any network capabilities for data exfiltration. This leads us to believe that the adversaries would steal data with other means once they obtained access to the computer, such as through HTTP, FTP or cloud storage uploads.\r\nRansom note fragment\r\nWe spotted one odd string, a comment written in the Lingala language. 
This language is used in the Democratic Republic of the Congo, the Republic of the Congo, Angola and the Central African Republic.\r\nComment in Lingala found during malware execution\r\nAnother interesting fact is that the sample searches for PowerShell in each subdirectory. Once PowerShell is located, the malware uses it for deleting itself. In our investigation, we copied powershell.exe into our Desktop folder, so it was used for deleting the sample.\r\nPowerShell binary search\r\nThe following diagram shows a summary of the sample’s execution. Note that the only child process created was powershell.exe: the malware spawns its own PowerShell instance even when one is already present on the system. PowerShell in turn spawns conhost.exe, the Windows console host process.\r\nMalicious processes\r\nProcess tree\r\nThe malware calls PowerShell with the cmdlet Start-Sleep to wait 5 seconds, and finally uses the Remove-Item command to delete itself from the machine, as shown in the image below.\r\nPowerShell command execution\r\nYARA rule\r\nBased on our analysis of the sample, we developed the following YARA rule for detecting the threat in real time. The rule considers the file type, relevant strings and library function imports.\r\nimport \"pe\"\r\n\r\nrule Ymir\r\n{\r\n  meta:\r\n    author = \"Kaspersky - GERT\"\r\n    description = \"Yara rule for detecting the Ymir ransomware.\"\r\n    target_entity = \"file\"\r\n  strings:\r\n    $s1 = \"powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path\" wide ascii nocase\r\n    $s2 = \"setup-qtox-x86_64-release.exe\" wide ascii nocase\r\n    $s3 = \"6C5oy2dVr6\" wide ascii nocase\r\n    $s4 = \"INCIDENT_REPORT.pdf\" wide ascii nocase\r\n    $s5 = \"D:20240831154833-06\" wide ascii nocase\r\n    $s6 = \"ChaCha\" wide ascii nocase\r\n    $s7 = \"x64dbg\" wide ascii nocase\r\n  condition:\r\n    (3 of ($s*)) and pe.imports(\"msvcrt.dll\", \"memmove\")\r\n}\r\nNote that $s6 (ChaCha) and $s7 (x64dbg) are generic strings that also occur in legitimate software, and the msvcrt.dll memmove import is shared by many MinGW-built binaries, so a match in which those two account for two of the three required strings should be confirmed against the Ymir-specific strings $s1 to $s5 before it is acted on.\r\nTelemetry\r\nUsing the above rule, we were able to query threat intelligence portals and find a similar sample originating from Pakistan. We believe that the attacker used a VPN network or Tor to hide their IP. The artifact we discovered looks like a test binary sent by the attacker to check if it would be detected by security vendors. The sample receives a --path parameter from the command line, which specifies the directory to be encrypted. However, it neither encrypts the files nor generates a ransom note.\r\nExecution of the test sample\r\nWhat caught our attention was that this test version of the executable, similarly to the full-featured sample, did not delete itself when executed with the --path parameter, which made sense, since the adversary might want to select certain directories during the attack.\r\nBy comparing the two detections, we concluded that the final sample with the fully enabled encryption features, unlike the test variant, had extended functionality implemented in additional strings. These included the extension appended to the name of the encrypted files (.6C5oy2dVr6) and the information present in the PDF file generated as a ransom note.\r\nYARA matches comparison\r\nAt the time of our research, 12 security vendors including Kaspersky detected the threat.\r\nThe ransomware incident\r\nIn addition to analyzing the malware, we managed to investigate an incident in Colombia where the Ymir sample was obtained. Our forensic analysis revealed that crucial evidence had been lost through the attacker’s efforts to cover their tracks. 
We at Kaspersky GERT were able to identify that two days before the ransomware deployment, a new RustyStealer threat was detected on multiple systems, allowing the attackers to control the machines, send commands, and gather information from compromised infrastructure. Malicious activity was detected on a domain controller shortly after, including access under compromised legitimate user accounts, one of which had high privileges. The initial RustyStealer sample was a PE file compiled with Rust and deployed to Windows\\Temp under the name AudioDriver2.0.exe.\r\nThis sample, named Trojan.Win32.Sheller.ey by Kaspersky, is able to gather information about the file system. Its content is obfuscated to obstruct analysis, and it includes shared modules indicating that the artifact can invoke functions from APIs, such as native Windows DLLs.\r\nThis sample also connects to the C2 server 74.50.84[.]181 on port 443, which Kaspersky has detected as a host for malicious files since August 2024.\r\nC2 server\r\nThe attackers compromised the domain controller and used it to continue infiltrating systems in the targeted infrastructure. They abused compromised credentials gathered by the stealer to hop between systems using WinRM and PowerShell remote control capabilities, and then executed a set of two scripts that were confirmed to be part of the proxy malware threat SystemBC.\r\nBoth scripts use PowerShell to establish a covert channel to the IP address 94.158.244[.]69 on port 443. 
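The intrusion described here runs almost entirely through PowerShell: WinRM remote commands, the SystemBC scripts, the -EncodedCommand launcher quoted further below, and Ymir's own Start-Sleep/Remove-Item self-delete. The following Python triage is an added example written for this page, not code from the report or from any tool it mentions. It decodes -EncodedCommand payloads the way powershell.exe does (Base64 over UTF-16LE text, so a UTF-8 decode would yield garbage) and checks both the literal command line and the decoded script against the indicators that appear on this page: the self-delete command, the -s -NoLogo -NoProfile flag combination, the GetServerByFilename/SendFile/SearchRoot helper names and the reported C2 addresses. The three process-creation records it runs on are constructed for the example, the stand-in script inside the encoded one only mimics those helper names, and the finding labels are the example's own, not names used in the report.

```python
import base64
import binascii

# Indicators as they appear in the Securelist Ymir report. The C2
# addresses stay defanged here and are refanged only for matching.
SELF_DELETE_MARKERS = ('start-sleep -seconds', 'remove-item -force -path')
EXFIL_FUNCTIONS = ('getserverbyfilename', 'sendfile', 'searchroot')
LAUNCH_FLAGS = ('-s', '-nologo', '-noprofile')
REPORTED_C2 = ('74.50.84[.]181', '94.158.244[.]69', '5.255.117[.]134')


def refang(ioc):
    # '5.255.117[.]134' -> '5.255.117.134'
    return ioc.replace('[.]', '.')


def decode_encoded_command(cmdline):
    # Return the script carried by -EncodedCommand, or None when there is
    # no such argument or it does not decode. powershell.exe accepts any
    # prefix of the switch name (-e, -enc, ...) plus the alias -ec, and the
    # payload is Base64 of the UTF-16LE script text, not UTF-8.
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        if tokens[i][:1] not in '-/':
            continue
        flag = tokens[i].lstrip('-/').lower()
        if flag and ('encodedcommand'.startswith(flag) or flag == 'ec'):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode('utf-16-le')
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def triage_powershell_cmdline(cmdline):
    # Inspect one process command line and return the labels of every
    # indicator it matches. Any decoded -EncodedCommand payload is folded
    # into the searched text, so encoding alone hides nothing from the checks.
    findings = []
    tokens = cmdline.lower().split()
    searched = cmdline.lower()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append('encoded-command')
        searched += ' ' + decoded.lower()
    if all(marker in searched for marker in SELF_DELETE_MARKERS):
        findings.append('ymir-self-delete')
    if all(flag in tokens for flag in LAUNCH_FLAGS):
        findings.append('remoting-style-launch-flags')
    if all(name in searched for name in EXFIL_FUNCTIONS):
        findings.append('systembc-exfil-helpers')
    for ioc in REPORTED_C2:
        if refang(ioc) in searched:
            findings.append('c2:' + ioc)
    return findings


def triage_events(events):
    # events: iterable of (host, command_line) records, e.g. the CommandLine
    # field of Sysmon event 1 or Security event 4688. Only hosts with at
    # least one finding are returned.
    flagged = {}
    for host, cmdline in events:
        hits = triage_powershell_cmdline(cmdline)
        if hits:
            flagged[host] = hits
    return flagged


def encode_for_powershell(script):
    # Used only to build the constructed sample: the Base64-over-UTF-16LE
    # form that -EncodedCommand consumes.
    return base64.b64encode(script.encode('utf-16-le')).decode('ascii')


# Constructed process-creation records (not incident data). The stand-in
# script only mimics the helper names and C2 address from the report; it is
# not a working PowerShell script. Paths use forward slashes, which
# PowerShell accepts, to keep the sample free of escape characters.
FAKE_EXFIL_SCRIPT = ('function GetServerByFilename { http://5.255.117.134:80/ } '
                     'function SendFile { } function SearchRoot { }')
SAMPLE_EVENTS = [
    ('WS01', 'powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path C:/Users/Public/upd.exe'),
    ('WS02', 'powershell.exe -NoProfile -Command Get-Date'),
    ('DC01', 'powershell.exe -Version 5.1 -s -NoLogo -NoProfile -EncodedCommand '
             + encode_for_powershell(FAKE_EXFIL_SCRIPT)),
]

if __name__ == '__main__':
    for host, hits in triage_events(SAMPLE_EVENTS).items():
        print(host, ', '.join(hits))
```

Run it over the CommandLine field of process-creation events; in the third record it is the decoded payload, not the flags alone, that surfaces the helper names and the C2 address.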
Based on the strings from the scripts we were able to obtain, we implemented YARA rules for identifying other samples and C2 servers configured with the same encoding and spotted in the wild.\r\nOne of these scripts was spotted on multiple systems, collected as a PowerShell script block that included a different approach and a different C2 system (5.255.117[.]134 on port 80). It was probably used to exfiltrate information from the infrastructure, judging by the following hardcoded functions and their instructions:\r\nGetServerByFilename,\r\nSendFile,\r\nSearchRoot.\r\nGetServerByFilename function\r\nThe script establishes communication with the C2 server and sends information, including a specific key that allows the attacker to identify the affected company.\r\nThe URI includes a unique key for each victim\r\nInformation that will be sent to C2 server\r\nThe SearchRoot function contains a loop that searches for all files that are included in the requested folder and checks for a specific filter: the malware only uploads files with a size greater than 40 KB that were created after a specified date.\r\nSearch function\r\nFile search procedure\r\nThe script is Base64 encoded (PowerShell expects the Base64 of the UTF-16LE script text) and passed to the following command for execution.\r\n$selfpath\\powershell.exe -Version 5.1 -s -NoLogo -NoProfile -EncodedCommand \u003cB64CMD\u003e\r\nAccording to our GERT analysis, at the time of the research, there was a service configured at this IP address (5.255.117[.]134) for uploading files that were collected with the SystemBC scripts.\r\nActive webservice\r\nAt the same time, multiple creations and executions of the well-known programs Advanced IP Scanner and Process Hacker triggered alerts on several systems:\r\nadvanced_ip_scanner.exe;\r\nprocesshacker-2.39-setup.exe.\r\nFinally, two days after the initial RustyStealer intrusion, the attackers deployed the Ymir ransomware by executing remote connections and uploading the payload. Some traces of the execution were detected, in particular those associated with the PowerShell self-destruct script. Also, part of the ransom note was configured in the registry value legalnoticecaption under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System, which invites the user to look for additional details in the ransom note, named “INCIDENT_REPORT.pdf”:\r\nPart of the ransom note from the registry\r\nConclusion\r\nA link between malware stealer botnets acting as access brokers and the ransomware execution is evident. The Ymir development represents a threat to all types of companies and confirms the existence of emerging groups that can impact businesses and organizations with configurable, robust and well-developed malware. We have seen initial access brokers invade an organization and ensure persistence. Ymir was deployed to the targeted system shortly after. This new ransomware family was configured in a secure scheme, making it impossible to decrypt the files from the targeted system without the attackers’ key. The group behind this threat has not presented a dedicated leak site or any additional information yet, but we will continue monitoring their activity. Alerts were triggered two days prior to the ransomware incident, and the lack of action on the critical system warnings allowed the attackers to launch the ransomware. 
This highlights the need for improved response strategies beyond relying solely on endpoint protection platforms (EPP).\r\nKaspersky products detect this new threat as Trojan-Ransom.Win64.Ymir.gen.\r\nTactics, techniques and procedures\r\nBelow are the Ymir TTPs identified from our malware analysis.\r\nTactic | Technique | ID\r\nDiscovery | File and Directory Discovery | T1083\r\nDiscovery | System Information Discovery | T1082\r\nExecution | Command and Scripting Interpreter: PowerShell | T1059.001\r\nImpact | Data Encrypted for Impact | T1486\r\nDefense Evasion | Virtualization/Sandbox Evasion: Time Based Evasion | T1497.003\r\nDefense Evasion | Indicator Removal: File Deletion | T1070.004\r\nRustyStealer TTPs:\r\nTactic | Technique | ID\r\nDiscovery | File and Directory Discovery | T1083\r\nDiscovery | Process Discovery | T1057\r\nExecution | Shared Modules | T1129\r\nDefense Evasion | Obfuscated Files or Information | T1027\r\nIndicators of Compromise\r\nFile Hashes\r\nSHA-1:\r\n3648359ebae8ce7cacae1e631103659f5a8c630e\r\nfe6de75d6042de714c28c0a3c0816b37e0fa4bb3\r\nf954d1b1d13a5e4f62f108c9965707a2aa2a3c89 (INCIDENT_REPORT.pdf)\r\nMD5:\r\n5ee1befc69d120976a60a97d3254e9eb\r\n5384d704fadf229d08eab696404cbba6\r\n39df773139f505657d11749804953be5\r\nSHA-256:\r\n8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c\r\n51ffc0b7358b7611492ef458fdf9b97f121e49e70f86a6b53b93ed923b707a03\r\nb087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a\r\nIPs\r\n74.50.84[.]181:443\r\n94.158.244[.]69:443\r\n5.255.117[.]134:80\r\n85.239.61[.]60\r\nSource: https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/"
	],
	"report_names": [
		"114493"
	],
	"threat_actors": [],
	"ts_created_at": 1775434437,
	"ts_updated_at": 1775791299,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16a0deba6f5dec9a13188835469c571852735cd3.pdf",
		"text": "https://archive.orkl.eu/16a0deba6f5dec9a13188835469c571852735cd3.txt",
		"img": "https://archive.orkl.eu/16a0deba6f5dec9a13188835469c571852735cd3.jpg"
	}
}