Ymir Ransomware Pairs With RustyStealer — Stopping the Chain at Execution
Kaspersky found a new, stealthy ransomware that runs from memory and arrives after an infostealer harvests credentials. Two unauthorized programs, one prevention point: don't let either execute.
Date: November 11, 2024 Primary Source: Kaspersky Securelist (Securelist) · BleepingComputer (BleepingComputer)

Executive Summary
- What: Kaspersky identified Ymir, a previously unseen ransomware that executes largely from memory for stealth and was deployed after RustyStealer harvested corporate credentials.
- Who is affected: Corporate networks; the observed case targeted an organization in Colombia, but the technique set is broadly applicable.
- Severity: High — stealthy in-memory execution, flexible targeting, and an infostealer-to-ransomware handoff.
- Action required: Block both the infostealer and the ransomware at execution; pair default-deny with credential hygiene, MFA, and backups.
Overview
In November 2024, Kaspersky's Global Emergency Response Team reported a new ransomware family it named Ymir. (Securelist) What made the case notable was both the malware's stealth and the two-stage nature of the attack: roughly two days before encryption, RustyStealer — an information stealer — was detected across multiple systems, giving the attackers credentials and control needed to stage the ransomware. (BleepingComputer)
Ymir leans on an unusual blend of memory-management functions (malloc, memmove, memcmp) to run malicious code directly in memory, departing from the more typical sequential execution flow and improving stealth. (Securelist) It encrypts with ChaCha20, appends a distinctive extension, and supports a --path option plus a whitelist so operators can control exactly what is or isn't encrypted. (Securelist)
For defenders, the takeaway is that this is two pieces of unauthorized software working together. Deny either one the ability to execute and the chain breaks — which is what White Cloud Security (WCS) Trust Lockdown is designed to do.
Threat Summary
| Field | Detail |
|---|---|
| Malware family | Ymir ransomware (new) |
| Public report | November 2024 (Kaspersky Securelist) |
| Paired malware | RustyStealer (infostealer, for initial credential theft) |
| Notable technique | In-memory execution via malloc/memmove/memcmp |
| Encryption | ChaCha20 stream cipher; custom extension; --path + whitelist control |
| Observed target | Organization in Colombia (technique broadly applicable) |
| Attribution | Open — no leak site/group claim observed |
| Exploited in the wild | Yes |
Technical Analysis
How the Attack Works
Per Kaspersky, the sequence was: (Securelist) (BleepingComputer)
- Credential theft (RustyStealer). The infostealer lands on multiple systems, harvesting corporate credentials and enabling remote control.
- Staging. Using that access, the attackers position the ransomware (about two days later).
- Stealthy execution (Ymir). The ransomware runs code from memory to reduce detection.
- Selective encryption. ChaCha20 encrypts files; --path and a whitelist let operators steer what gets encrypted.
Payload and Impact
The infostealer-to-ransomware pattern means data exposure and encryption can compound: credentials and information are taken first, then systems are locked. In-memory execution and selective encryption make the ransomware quieter and more controllable for the operator — and harder for behavior-watching tools to catch in time.
Why Traditional Defenses Struggle
- In-memory execution reduces on-disk artifacts that signatures rely on.
- The infostealer stage looks like commodity malware and may be dismissed before the ransomware arrives.
- A brand-new family has no established signature, and binaries can be rebuilt.
- Selective encryption can avoid tripping mass-file-change heuristics as quickly.
How White Cloud Security Trust Lockdown Stops This
WCS Trust Lockdown enforces a default-deny, Zero-Trust App Firewall: nothing executes unless it has been explicitly Approved by application, publisher/certificate, handprint, and approved parent-child relationship.
| Attack step | How WCS would help |
|---|---|
| RustyStealer execution | The unapproved infostealer would be denied before it can harvest credentials |
| Staging of tooling | Unapproved utilities introduced for staging would be blocked |
| Ymir ransomware launch | The unknown encryptor would be prevented from running — no signature required |
| Rebuilt binary | Handprint identity (SHA-1, SHA-256, SHA-512, MD5, CRC32, file length) means a changed hash would still be denied |
Because the most reliable control point is the launch of an unauthorized executable, blocking RustyStealer or Ymir at execution would help break the chain before encryption — and would give administrators visibility into blocked applications. Note on scope: in-memory techniques are most relevant after an unauthorized process is already running; WCS's value is denying that initial unauthorized executable in the first place. WCS does not replace credential hygiene, MFA, EDR, or backups — it complements them.
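As an added example (not White Cloud Security's code, and not a description of how Trust Lockdown is implemented), the following shows a default-deny allow-list keyed on a handprint-style multi-hash identity, and why a rebuilt binary with a changed hash is still denied. The executables, paths and names are constructed stand-ins.

```python
import hashlib
import zlib

# Constructed stand-ins for real executables (not real malware or tooling).
APPROVED_EXE = b"MZ\x90\x00approved-backup-agent-v1\x00" * 8
REBUILT_EXE = APPROVED_EXE[:-1] + b"\x01"  # one byte differs: a "rebuilt" binary


def handprint(data: bytes) -> dict:
    """Multi-hash identity in the spirit of the page's 'handprint':
    SHA-1, SHA-256, SHA-512, MD5, CRC32 and file length (field names are mine)."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        "length": len(data),
    }


class DefaultDenyPolicy:
    """Allow-list keyed on the complete handprint; anything else is denied."""

    FIELDS = ("sha1", "sha256", "sha512", "md5", "crc32", "length")

    def __init__(self) -> None:
        self._approved: dict[tuple, str] = {}
        self.blocked_log: list[dict] = []  # gives admins visibility into denials

    def _key(self, hp: dict) -> tuple:
        # Every field must match; a single changed byte changes all of them.
        return tuple(hp[f] for f in self.FIELDS)

    def approve(self, data: bytes, label: str) -> None:
        self._approved[self._key(handprint(data))] = label

    def check_execution(self, path: str, data: bytes) -> tuple[bool, str]:
        hp = handprint(data)
        label = self._approved.get(self._key(hp))
        if label is None:
            # Default deny: no signature needed, the unknown simply never runs.
            self.blocked_log.append({"path": path, "sha256": hp["sha256"], "length": hp["length"]})
            return False, f"DENY {path}: no approval for sha256={hp['sha256'][:12]}..."
        return True, f"ALLOW {path}: approved as '{label}'"


if __name__ == "__main__":
    policy = DefaultDenyPolicy()
    policy.approve(APPROVED_EXE, "backup-agent")
    for path, blob in [("C:\\Tools\\agent.exe", APPROVED_EXE), ("C:\\Temp\\agent.exe", REBUILT_EXE)]:
        print(policy.check_execution(path, blob)[1])
```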
At White Cloud Security, we continue to track and report new hacking methods and tools — not just because of their immediate threat, but because patterns of reuse often expose the playbooks of these cybercriminal groups.
Recommended Mitigations
- Deploy default-deny application control to block infostealers and ransomware at execution.
- Treat infostealer detections as urgent — assume credential theft and rotate credentials.
- Enforce MFA and strong credential hygiene to blunt the RustyStealer handoff.
- Maintain tested, offline/immutable backups.
- Monitor for unusual process behavior and unauthorized remote control.
Key Takeaways
- An infostealer is often the opening act — respond before the ransomware arrives.
- In-memory stealth targets detection, which is why prevention-at-execution matters.
- Handprint identity denies rebuilt encryptors that defeat signatures.
- Prevention complements MFA, EDR, credential hygiene, and backups.
References
- Kaspersky Securelist — New Ymir ransomware found in Colombia (used with RustyStealer) (Securelist)
- BleepingComputer — New Ymir ransomware partners with RustyStealer in attacks (BleepingComputer)
- The Hacker News — New Ymir Ransomware Exploits Memory for Stealthy Attacks (THN)