Change is definitely happening in the threat landscape. The latest Threat Pulse report from NCC Group highlights a new ransomware strain called Ymir, which shows how threat actors are starting to work more closely together.
Ymir made its debut earlier this summer. It first strikes with RustyStealer, an infostealer designed to grab credentials and act as spyware, before deploying its ransomware. One of the more detailed attacks occurred in Colombia, as analyzed by Kaspersky. The attackers moved quickly through the final stage of their operation, making it difficult for defenders to respond.
Ymir brings a new, highly customizable locker that zeroes in on traditional single-extortion tactics. It focuses on encrypting files without stealing data, and notably, its operators don’t have a leak site, which sets it apart from many other strains. A small but intriguing detail in the attack suggests that a core member might hail from the regions where Lingala is spoken, like Angola or the Democratic Republic of the Congo.
There’s debate among experts about whether Ymir operates independently or collaborates with other groups, particularly given its swift use of RustyStealer. Matt Hull, head of threat intelligence at NCC, pointed out that the overlap between different threat groups complicates our understanding of their motives. He highlighted the blurred lines between cybercriminals and state-sponsored actors, especially against the backdrop of geopolitical tensions, which the UK’s NCSC has emphasized in its recent reviews.
Hull remarked that Ymir’s arrival prompts important discussions about the connections between ransomware gangs and other threat actors in an increasingly fluid environment. The past year has seen numerous incidents where these lines have blurred. For instance, the KillSec group transitioned from hacktivism to ransomware operations, and the Ukrainian Cyber Anarchy Squad took responsibility for destructive ransomware attacks against Russian entities.
Meanwhile, hacktivists from the Turk Hack Team targeted the Philippines using the leaked LockBit 3.0 ransomware. An apparent partnership between North Korean hackers, known as Jumpy Pisces APT, and the Play ransomware gang has emerged, where North Korea may have acted as an access broker for cybercriminals.
The report predicts that the rise of ransomware from diverse actors will likely continue into 2025. Ransomware has evolved significantly over the years, and many are now using it as a destructive tool alongside other tactics, such as DDoS attacks. This strategy not only raises funds for further operations but can also serve as a smokescreen for more significant network breaches.
In November alone, ransomware attack volumes increased by 16%, with NCC recording a total of 565 attacks, mainly targeting organizations in Europe and North America. RansomHub was dethroned from the top position with 80 attacks, while Akira replaced it with 87. Other groups like ElDorado and KillSec also remained active. The industrial sector faced the brunt of these attacks, followed by consumer discretionary and IT sectors.
NCC also noted ongoing aggressive activity from the Russian Sandworm group, now recognized as APT44. This group has been involved in high-profile state-sponsored attacks and continues to focus on Ukrainian targets. As winter approaches, Sandworm appears to be increasing its strikes against energy infrastructure in Ukraine.
Hull expressed concern over the constant activity from various cyber threat actors, particularly toward critical national infrastructure. He urges companies to stay vigilant as 2024 comes to a close. As we head into the holiday season, he warns about the typical surge of scam and phishing emails that can affect us all personally.