| Category | Details |
|---|---|
| Threat Actors | Unknown, but associated with access brokers and ransomware groups. |
| Campaign Overview | Ymir ransomware deployed via PowerShell commands after initial access via RustyStealer. |
| Target Regions (Or Victims) | Organizations worldwide, specific incident in Colombia. |
| Methodology | Initial access via RustyStealer, followed by Ymir ransomware deployment using PowerShell. |
| Product Targeted | Windows systems, specifically targeting files and encrypting them. |
| Malware Reference | Ymir ransomware, Trojan-Ransom.Win64.Ymir.gen. |
| Tools Used | PowerShell, Process Hacker, Advanced IP Scanner, qTox client (for C2 communication). |
| Vulnerabilities Exploited | Compromised credentials, PowerShell remote control. |
| TTPs | Initial access with stealer malware; persistence via PowerShell; file encryption with the ChaCha20 algorithm. |
| Attribution | Not attributed to a specific group yet, suspected VPN/Tor usage. |
| Recommendations | Improve monitoring and response strategies; enhance detection and response beyond EPP. |
| Source | Securelist by Kaspersky |
Disclaimer: The above summary has been generated by an AI language model.