securelist.com
158.160.164.142
Public Scan
Submitted URL: https://kas.pr/d1zq
Effective URL: https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/?reseller=gl_regular-sm_acq_ona_smm__onl_b2b_everyo...
Submission: On November 12 via api from IN — Scanned from US
Form analysis
12 forms found in the DOM
<form>
<fieldset>
<legend class="visuallyhidden">Consent Selection</legend>
<div id="CybotCookiebotDialogBodyFieldsetInnerContainer">
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonNecessary"><strong
class="CybotCookiebotDialogBodyLevelButtonDescription">Necessary</strong></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper CybotCookiebotDialogBodyLevelButtonSliderWrapperDisabled"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonNecessary"
class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelButtonDisabled" disabled="disabled" checked="checked"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonPreferences"><strong
class="CybotCookiebotDialogBodyLevelButtonDescription">Preferences</strong></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonPreferences" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonPreferencesInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonStatistics"><strong
class="CybotCookiebotDialogBodyLevelButtonDescription">Statistics</strong></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonStatistics" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonStatisticsInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
<div class="CybotCookiebotDialogBodyLevelButtonWrapper"><label class="CybotCookiebotDialogBodyLevelButtonLabel" for="CybotCookiebotDialogBodyLevelButtonMarketing"><strong
class="CybotCookiebotDialogBodyLevelButtonDescription">Marketing</strong></label>
<div class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonMarketing" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox"
data-target="CybotCookiebotDialogBodyLevelButtonMarketingInline" checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></div>
</div>
</div>
</fieldset>
</form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonNecessaryInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelButtonDisabled" disabled="disabled" checked="checked"> <span
class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonPreferencesInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonPreferences"
checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonStatisticsInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonStatistics"
checked="checked" tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form><input type="checkbox" id="CybotCookiebotDialogBodyLevelButtonMarketingInline" class="CybotCookiebotDialogBodyLevelButton CybotCookiebotDialogBodyLevelConsentCheckbox" data-target="CybotCookiebotDialogBodyLevelButtonMarketing" checked="checked"
tabindex="0"> <span class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
<form class="CybotCookiebotDialogBodyLevelButtonSliderWrapper"><input type="checkbox" id="CybotCookiebotDialogBodyContentCheckboxPersonalInformation" class="CybotCookiebotDialogBodyLevelButton"> <span
class="CybotCookiebotDialogBodyLevelButtonSlider"></span></form>
GET https://securelist.com/
<form class="c-page-search__form c-page-search__form--small js-wizardinfosys_autosearch_form" full_search_url="https://securelist.com/?s=%q%" action="https://securelist.com/" method="get">
<div class="c-form-element c-form-element--style-fill">
<div class="c-form-element__field wp_autosearch_form_wrapper">
<input name="s" class="c-form-element__text wp_autosearch_input ac_input" data-webinars="" type="text" value="" placeholder="Search..." autocomplete="off">
</div>
</div>
<button class="c-button c-button--icon wp_autosearch_submit"><svg class="o-icon o-svg-icon o-svg-large">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-search"></use>
</svg></button>
</form>
GET https://securelist.com/
<form class="c-page-search__form js-main-search-popup js-wizardinfosys_autosearch_form" full_search_url="https://securelist.com/?s=%q%" action="https://securelist.com/" method="get">
<div class="c-form-element c-form-element--style-fill">
<div class="c-form-element__field wp_autosearch_form_wrapper">
<input name="s" class="c-form-element__text wp_autosearch_input ac_input" data-webinars="" type="text" value="" placeholder="Search..." autocomplete="off">
</div>
</div>
<button class="c-button c-button--icon wp_autosearch_submit"><svg class="o-icon o-svg-icon o-svg-large">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-search"></use>
</svg></button>
</form>
POST https://securelist.com/wp-comments-post.php
<form action="https://securelist.com/wp-comments-post.php" method="post" id="loginform" class="comment-form">
<p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> <span class="required-field-message">Required fields are marked <span class="required">*</span></span></p>
<div class="comment-form-comment"><textarea id="comment" name="comment" style="width:100%" rows="8" aria-required="true" placeholder="Type your comment here"></textarea></div><!-- .comment-form-comment -->
<p class="comment-form-author"><label for="author">Name <span class="required">*</span></label> <input id="author" name="author" type="text" value="" size="30" maxlength="245" autocomplete="name" required="required"></p>
<p class="comment-form-email"><label for="email">Email <span class="required">*</span></label> <input id="email" name="email" type="text" value="" size="30" maxlength="100" aria-describedby="email-notes" autocomplete="email" required="required">
</p>
<script type="text/javascript">
document.addEventListener("input", function(event) {
if (!event.target.closest("#comment")) return;
try {
grecaptcha.render("recaptcha-submit-btn-area", {
"sitekey": "6LfQdrAaAAAAAEb_rTrwlbyc8z0Fa9CMjELY_2Ts",
"theme": "standard"
});
} catch (error) {
/*possible duplicated instances*/ }
});
</script>
<script src="https://www.google.com/recaptcha/api.js?hl=en&render=explicit" async="" defer=""></script>
<div id="recaptcha-submit-btn-area"> </div>
<noscript>
<style type="text/css">
#form-submit-save {
display: none;
}
</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
</noscript>
<p class="form-submit"><input name="submit" type="submit" id="commentsubmit" class="submit"
value="Comment"><a rel="nofollow" id="cancel-comment-reply-link" href="/new-ymir-ransomware-found-in-colombia/114493/?reseller=gl_regular-sm_acq_ona_smm__onl_b2b_everyone-s_lnk_sm-team_______4a79e21c7896b9c2&kaspr=d1zq#respond" style="display:none;">Cancel</a>
<input type="hidden" name="comment_post_ID" value="114493" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="c83de9594e"></p>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js"
value="1731396218183">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /new-ymir-ransomware-found-in-colombia/114493/?reseller=gl_regular-sm_acq_ona_smm__onl_b2b_everyone-s_lnk_sm-team_______4a79e21c7896b9c2&kaspr=d1zq#gf_4056919963
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_4056919963" id="gform_4056919963" class="subscribe-mc"
action="/new-ymir-ransomware-found-in-colombia/114493/?reseller=gl_regular-sm_acq_ona_smm__onl_b2b_everyone-s_lnk_sm-team_______4a79e21c7896b9c2&kaspr=d1zq#gf_4056919963">
<div class="gform-content-wrapper">
<div class="gform_body gform-body">
<div id="gform_fields_4056919963" class="gform_fields top_label form_sublabel_below description_below">
<div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<div class="ginput_container ginput_container_email">
<div class="fl-wrap fl-wrap-input"><label class="gfield_label screen-reader-text fl-label" for="input_4056919963_1">Email(Required)</label><input name="input_1" id="input_4056919963_1" type="text" value="" class="medium fl-input"
placeholder="Email(Required)" aria-required="true" aria-invalid="false" data-placeholder="Email"></div>
</div>
</div>
<div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden">
<div class="ginput_container ginput_container_text"><input name="input_3" id="input_4056919963_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""></div>
</div>
<fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<legend class="gfield_label screen-reader-text gfield_label_before_complex"><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend>
<div class="ginput_container ginput_container_checkbox">
<div class="gfield_checkbox" id="input_4056919963_2">
<div class="gchoice gchoice_11_2_1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_4056919963_11_2_1">
<label for="choice_4056919963_11_2_1" id="label_4056919963_11_2_1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time
via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</div>
</div>
</div>
</fieldset>
</div>
</div>
<div class="gform_footer top_label"> <button type="submit" class="gform_button button" id="gform_submit_button_4056919963" value="Sign up">
<svg class="o-icon o-svg-icon o-svg-large">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use>
</svg> <span>Subscribe</span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_4056919963_11" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_4056919963_11" value="1">
<input type="hidden" name="gform_random_id" value="4056919963"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=sidebar">
</div>
</div>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_2" name="ak_js"
value="1731396218186">
<script>
document.getElementById("ak_js_2").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /new-ymir-ransomware-found-in-colombia/114493/?reseller=gl_regular-sm_acq_ona_smm__onl_b2b_everyone-s_lnk_sm-team_______4a79e21c7896b9c2&kaspr=d1zq#gf_622861779
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_622861779" id="gform_622861779" class="subscribe-mc"
action="/new-ymir-ransomware-found-in-colombia/114493/?reseller=gl_regular-sm_acq_ona_smm__onl_b2b_everyone-s_lnk_sm-team_______4a79e21c7896b9c2&kaspr=d1zq#gf_622861779">
<div class="gform-content-wrapper">
<div class="gform_body gform-body">
<div id="gform_fields_622861779" class="gform_fields top_label form_sublabel_below description_below">
<div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text" for="input_622861779_1">Email<span
class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_622861779_1" type="text" value="" class="medium" placeholder="Email" aria-required="true" aria-invalid="false">
</div>
</div>
<div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden">
<div class="ginput_container ginput_container_text"><input name="input_3" id="input_622861779_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""></div>
</div>
<fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<legend class="gfield_label screen-reader-text gfield_label_before_complex"><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend>
<div class="ginput_container ginput_container_checkbox">
<div class="gfield_checkbox" id="input_622861779_2">
<div class="gchoice gchoice_11_2_1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_622861779_11_2_1">
<label for="choice_622861779_11_2_1" id="label_622861779_11_2_1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time
via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</div>
</div>
</div>
</fieldset>
</div>
</div>
<div class="gform_footer top_label"> <button class="gform_button button" type="submit" id="gform_submit_button_622861779" value="Sign up">
<svg class="o-icon o-svg-icon o-svg-large u-hidden u-inline-block@sm">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use>
</svg> <span class="u-hidden u-inline@sm">Subscribe</span>
<span class="u-hidden@sm"><svg class="o-icon o-svg-icon o-svg-right">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-arrow"></use>
</svg></span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_622861779_11" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_622861779_11" value="1">
<input type="hidden" name="gform_random_id" value="622861779"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=">
</div>
</div>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_3" name="ak_js"
value="1731396218270">
<script>
document.getElementById("ak_js_3").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
POST /new-ymir-ransomware-found-in-colombia/114493/?reseller=gl_regular-sm_acq_ona_smm__onl_b2b_everyone-s_lnk_sm-team_______4a79e21c7896b9c2&kaspr=d1zq#gf_3068862437
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_3068862437" id="gform_3068862437" class="subscribe-mc"
action="/new-ymir-ransomware-found-in-colombia/114493/?reseller=gl_regular-sm_acq_ona_smm__onl_b2b_everyone-s_lnk_sm-team_______4a79e21c7896b9c2&kaspr=d1zq#gf_3068862437">
<div class="gform-content-wrapper">
<div class="gform_body gform-body">
<div id="gform_fields_3068862437" class="gform_fields top_label form_sublabel_below description_below">
<div id="field_11_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<div class="ginput_container ginput_container_email">
<div class="fl-wrap fl-wrap-input"><label class="gfield_label screen-reader-text fl-label" for="input_3068862437_1">Email(Required)</label><input name="input_1" id="input_3068862437_1" type="text" value="" class="medium fl-input"
placeholder="Email(Required)" aria-required="true" aria-invalid="false" data-placeholder="Email"></div>
</div>
</div>
<div id="field_11_3" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden">
<div class="ginput_container ginput_container_text"><input name="input_3" id="input_3068862437_3" type="hidden" class="gform_hidden" aria-invalid="false" value=""></div>
</div>
<fieldset id="field_11_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible">
<legend class="gfield_label screen-reader-text gfield_label_before_complex"><span class="gfield_required"><span class="gfield_required gfield_required_text">(Required)</span></span></legend>
<div class="ginput_container ginput_container_checkbox">
<div class="gfield_checkbox" id="input_3068862437_2">
<div class="gchoice gchoice_11_2_1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_3068862437_11_2_1">
<label for="choice_3068862437_11_2_1" id="label_3068862437_11_2_1">I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time
via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.</label>
</div>
</div>
</div>
</fieldset>
</div>
</div>
<div class="gform_footer top_label"> <button type="submit" class="gform_button button" id="gform_submit_button_3068862437" value="Sign up">
<svg class="o-icon o-svg-icon o-svg-large">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://securelist.com/wp-content/themes/securelist2020/assets/sprite/icons.svg#icon-envelope"></use>
</svg> <span>Subscribe</span>
</button>
<input type="hidden" name="gform_ajax" value="form_id=11&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_11" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="11">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_11" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_11" id="gform_target_page_number_3068862437_11" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_11" id="gform_source_page_number_3068862437_11" value="1">
<input type="hidden" name="gform_random_id" value="3068862437"><input type="hidden" name="gform_field_values" value="securelist_2020_form_location=sidebar">
</div>
</div>
<p style="display: none !important;" class="akismet-fields-container" data-prefix="ak_"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_4" name="ak_js"
value="1731396218313">
<script>
document.getElementById("ak_js_4").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
Maximum Storage Duration: SessionType: HTTP Cookie ytidb::LAST_RESULT_ENTRY_KEYStores the user's video player preferences using embedded YouTube video Maximum Storage Duration: PersistentType: HTML Local Storage yt-remote-cast-availableStores the user's video player preferences using embedded YouTube video Maximum Storage Duration: SessionType: HTML Local Storage yt-remote-cast-installedStores the user's video player preferences using embedded YouTube video Maximum Storage Duration: SessionType: HTML Local Storage yt-remote-connected-devicesStores the user's video player preferences using embedded YouTube video Maximum Storage Duration: PersistentType: HTML Local Storage yt-remote-device-idStores the user's video player preferences using embedded YouTube video Maximum Storage Duration: PersistentType: HTML Local Storage yt-remote-fast-check-periodStores the user's video player preferences using embedded YouTube video Maximum Storage Duration: SessionType: HTML Local Storage yt-remote-session-appStores the user's video player preferences using embedded YouTube video Maximum Storage Duration: SessionType: HTML Local Storage yt-remote-session-nameStores the user's video player preferences using embedded YouTube video Maximum Storage Duration: SessionType: HTML Local Storage * kasperskyform.eu 2 BITRIX_SM_kernelCollects information on user preferences and/or interaction with web-campaign content - This is used on CRM-campaign-platform used by website owners for promoting events or products. Maximum Storage Duration: 1 dayType: HTTP Cookie BITRIX_SM_kernel_0Collects information on user preferences and/or interaction with web-campaign content - This is used on CRM-campaign-platform used by website owners for promoting events or products. Maximum Storage Duration: 1 dayType: HTTP Cookie * yandex.com yandex.ru 4 _yasc [x2]Collects data on the user across websites - This data is used to make advertisement more relevant. 
Maximum Storage Duration: 10 yearsType: HTTP Cookie bh [x2]Collects data on user behaviour and interaction in order to optimize the website and make advertisement on the website more relevant. Maximum Storage Duration: 400 daysType: HTTP Cookie * yandex.ru yandex.com 2 yashr [x2]Pending Maximum Storage Duration: 1 yearType: HTTP Cookie * Unclassified 4 Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies. * Meta Platforms, Inc. 1 Learn more about this provider __test__#Pending Maximum Storage Duration: SessionType: HTML Local Storage * Yandex 1 Learn more about this provider __ym_tab_guidPending Maximum Storage Duration: SessionType: HTML Local Storage * kasperskyform.eu 2 b24-analytics-counter-22-viewPending Maximum Storage Duration: SessionType: HTML Local Storage qmbPending Maximum Storage Duration: SessionType: HTTP Cookie Cross-domain consent2 Your consent applies to the following domains: List of domains your consent applies to: securelist.lat securelist.com Cookie declaration last updated on 10/30/24 by Cookiebot [#IABV2_TITLE#] [#IABV2_BODY_INTRO#] [#IABV2_BODY_LEGITIMATE_INTEREST_INTRO#] [#IABV2_BODY_PREFERENCE_INTRO#] [#IABV2_LABEL_PURPOSES#] [#IABV2_BODY_PURPOSES_INTRO#] [#IABV2_BODY_PURPOSES#] [#IABV2_LABEL_FEATURES#] [#IABV2_BODY_FEATURES_INTRO#] [#IABV2_BODY_FEATURES#] [#IABV2_LABEL_PARTNERS#] [#IABV2_BODY_PARTNERS_INTRO#] [#IABV2_BODY_PARTNERS#] Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages. You can at any time change or withdraw your consent from the Cookie Declaration on our website. 
Learn more about who we are, how you can contact us and how we process personal data in our Privacy Policy. Please state your consent ID and date when you contact us regarding your consent. Do not sell or share my personal information Use necessary cookies only Allow selection Customize Allow all cookies Solutions for: * Home Products * Small Business 1-50 employees * Medium Business 51-999 employees * Enterprise 1000+ employees by Kaspersky * CompanyAccount * Get In Touch * Dark mode off * English * Russian * Spanish * Solutions * * Internet of Things & Embedded Security Learn More * Industrial Cybersecurity Learn More * Fraud Prevention Learn More * KasperskyOS-based solutions Learn More * * OTHER SOLUTIONS * Kaspersky for Security Operations Center * Kaspersky IoT Infrastructure Security * Kaspersky Secure Remote Workspace * Industries * * National Cybersecurity Learn More * Industrial Cybersecurity Learn More * Finance Services Cybersecurity Learn More * Healthcare Cybersecurity Learn More * Transportation Cybersecurity Learn More * Retail Cybersecurity Learn More * * OTHER INDUSTRIES * Telecom Cybersecurity * View all * Products * * Kaspersky Next NEW! 
Learn More * KasperskyXDR Learn More * KasperskyEndpoint Security for Business Learn More * KasperskyEDR Expert Learn More * KasperskyEDR Optimum Learn More * KasperskyAnti Targeted Attack Platform Learn More * KasperskyHybrid Cloud Security Learn More * KasperskySD-WAN Learn More * KasperskyIndustrial CyberSecurity Learn More * KasperskyContainer Security Learn More * * OTHER PRODUCTS * Kaspersky Security for Internet Gateway * Kaspersky Embedded Systems Security * Kaspersky IoT Infrastructure Security * Kaspersky Secure Remote Workspace * Kaspersky Security for Mail Server * View All * Services * * KasperskyCybersecurity Services Learn More * KasperskySecurity Awareness Learn More * KasperskyPremium Support Learn More * KasperskyThreat Intelligence Learn More * KasperskyManaged Detection and Response Learn More * KasperskyCompromise Assessment Learn More * KasperskySOC Consulting Learn More * * OTHER SERVICES * Kaspersky Professional Services * Kaspersky Incident Response * Kaspersky Cybersecurity Training * View All * Resource Center * Case Studies * White Papers * Datasheets * Technologies * MITRE ATT&CK * About Us * Transparency * Corporate News * Press Center * Careers * Sponsorship * Policy Blog * Contacts * GDPR * Subscribe Dark mode off Login * Securelist menu * English * Russian * Spanish * Existing Customers * Personal * My Kaspersky * Renew your product * Update your product * Customer support * Business * KSOS portal * Kaspersky Business Hub * Technical Support * Knowledge Base * Renew License * Home * Products * Trials&Update * Resource Center * Business * Kaspersky Next * Small Business (1-50 employees) * Medium Business (51-999 employees) * Enterprise (1000+ employees) * * Securelist * Threats * Financial threats * Mobile threats * Web threats * Secure environment (IoT) * Vulnerabilities and exploits * Spam and Phishing * Industrial threats * Categories * APT reports * Incidents * Research * Malware reports * Spam and phishing reports * Publications 
Malware descriptions

YMIR: NEW STEALTHY RANSOMWARE IN THE WILD

11 Nov 2024, 10 minute read

Table of Contents
* Introduction
* Analysis
* Static analysis
* Dynamic analysis
* YARA rule
* Telemetry
* The ransomware incident
* Conclusion
* Tactics, techniques and procedures
* Indicators of Compromise

Authors
* Cristian Souza
* Ashley Muñoz
* Eduardo Ovalle

INTRODUCTION

In a recent incident response case, we discovered a new and notable ransomware family in active use by the attackers, which we named “Ymir”. The artifact has interesting features for evading detection, including a large set of operations performed in memory with the help of the malloc, memmove and memcmp function calls.

In the case we analyzed, the attacker was able to gain access to the system via PowerShell remote control commands. After that, they installed multiple tools for malicious actions, such as Process Hacker and Advanced IP Scanner. Eventually, after reducing system security, the adversary ran Ymir to achieve their goals.
In this post, we provide a detailed analysis of the Ymir ransomware, as well as the tactics, techniques and procedures (TTPs) employed by the attackers.

ANALYSIS

STATIC ANALYSIS

Our analysis began with a basic inspection of the artifact. We started by analyzing its properties, such as the file type, and relevant strings and capabilities, as shown in the table and images below.

Hash | Value
MD5 | 12acbb05741a218a1c83eaa1cfc2401f
SHA-1 | 3648359ebae8ce7cacae1e631103659f5a8c630e
SHA-256 | cb88edd192d49db12f444f764c3bdc287703666167a4ca8d533d51f86ba428d8

[Image: File type identification]

Although the binary does not raise suspicions of being packed, as its entropy is not high enough, the presence of API calls to functions like malloc, memmove and memcmp indicates that it can allocate memory to insert malicious code.

[Image: Calls for memory operation functions]

The binary also suspiciously imports functions such as CryptAcquireContextA, CryptReleaseContext, CryptGenRandom, TerminateProcess and WinExec from operating system libraries. These API calls are typically found in various ransomware samples.

[Image: Suspicious malware imports]

Even though most of the sample information is unpacked in memory during runtime, we were able to find some useful indicators in the binary strings, including the ransom note filename and contents in a PDF file, the encryption extension, PowerShell commands, and some hashes used by the encryption algorithms, as shown in the following images.

[Image: PDF contents]
[Image: PowerShell auto-delete command and encryption hashes]

The attacker used the MinGW compiler, a native Windows port of the GNU Compiler Collection (GCC).

[Image: Compiler string]

The following table shows other useful string indicators we found in the course of our analysis.

Type | Value | Description
String (command) | powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path | Auto-delete command execution via PowerShell.
String (URL) | hxxps://github[.]com/qTox/qTox/releases/download/v1.17.6/setup-qtox-x86_64-release.exe | Present in the PDF; software (qTox client) for contacting the attackers.
String | 6C5oy2dVr6 | Encryption extension.
String (filename) | INCIDENT_REPORT.pdf | Ransom note PDF filename. PDFs are placed in various directories.
String (date) | D:20240831154833-06'00' | PDF creation date metadata.
String | x64dbg | Debugger name.

One interesting fact is that the PDF creation date was August 31, 2024, which matches the binary compilation timestamp (2024-08-31), as shown in the image below.

[Image: Malware compilation timestamp]

Static analysis also shows that the PDF used as the ransom note is present in the .data section of the binary. The information hardcoded in this kind of file is very useful for creating detection rules and indicators of compromise.

[Image: PDF file containing a ransom note]

After reaching the main function, the malware executes another function with calls to other functions to get system information. To streamline our analysis, we renamed this function to Get_System_Information:

[Image: Malware entry point]
[Image: Get_System_Information function and its sub-functions]

The artifact gathers system information by using the API calls listed below.

* GetSystemTimeAsFileTime: retrieves the current system date and time.
* GetCurrentProcessId: gets the current process identifier (PID).
* GetCurrentThreadId: retrieves the identifier of the calling thread.
* GetTickCount: gets the amount of time that the system has been running for, in milliseconds. This is used for detecting that the artifact is being debugged.
* QueryPerformanceCounter: retrieves the current value of the performance counter, which can be used for time-interval measurements.

[Image: System information gathering]

The malware also contains some execution restrictions which are activated when certain parameters are set. For example, the --path parameter disables self-delete, allowing the attacker to reuse the binary for other directories.
[Image: The artifact is not deleted when running with the --path parameter]

While reverse-engineering the sample, we found that it borrowed code from functions related to CryptoPP, an open-source cryptographic library written in C++.

[Image: CryptoPP functions]

The malware also has a hardcoded list of file name extensions to exclude from encryption.

[Image: File name extensions to ignore]

DYNAMIC ANALYSIS

While running the ransomware, we spotted hundreds of calls to the memmove function. After analyzing the data, we found that it loaded small pieces of instructions into memory for performing malicious functions. The following image shows a fragment of the malware loading environment variables after calling memmove.

[Image: Environment variables loaded into memory]

The malware constantly uses the memmove function while enumerating subdirectories and files inside the affected system, so they can be encrypted later.

[Image: Directory enumeration]

It also uses memmove to load strings that contain locations in the victim’s filesystem and are used for comparing with common directory names during runtime.

[Image: Strings loaded via memmove]

The sample uses the RtlCopyMemory function from the ntdll.dll library to load additional libraries, such as CRYPTSP.dll, rsaenh.dll, bcrypt.dll and kernelbase.dll.

[Image: Runtime loading of DLLs]

The artifact uses the ChaCha20 stream cipher to encrypt files, appending the extension .6C5oy2dVr6 to each encrypted file.

[Image: ChaCha20 encryption]

Additionally, it copies the PDF contents from the .data section and uses the _write and _fsopen functions to generate a ransom note in PDF format within every directory in the affected system.

[Image: Ransom note write operation]

The ransom note informs the victim about what happened to the affected system and instructs them to contact the attackers for a deal. Although the note mentions that the attackers have stolen the data from the affected machine, the malware does not have any network capabilities for data exfiltration.
This leads us to believe that the adversaries would steal data by other means once they obtained access to the computer, such as through HTTP, FTP or cloud storage uploads.

[Image: Ransom note fragment]

We spotted one odd string, a comment written in the Lingala language. This language is used in the Democratic Republic of the Congo, Republic of the Congo, Angola and the Central African Republic.

[Image: Comment in Lingala found during malware execution]

Another interesting fact is that the sample searches for PowerShell in each subdirectory as it repeatedly calls the RtlCopyMemory function. Once PowerShell is located, the malware uses it for deleting itself. In our investigation, we copied powershell.exe into our Desktop folder, so it was used for deleting the sample.

[Image: PowerShell binary search]

The following diagram shows a summary of the sample’s execution. Note that the only child process created was powershell.exe — the malware creates a PowerShell instance even if it finds one in the system. Subsequently, PowerShell calls conhost.exe, which is used for running services in the background.

[Image: Malicious processes]
[Image: Process tree]

The malware calls PowerShell with the cmdlet Start-Sleep to wait 5 seconds, and finally uses the Remove-Item command to delete itself from the machine, as shown in the image below.

[Image: PowerShell command execution]

YARA RULE

Based on our analysis of the sample, we developed the following YARA rule for detecting the threat in real time. The rule considers the file type, relevant strings and library function imports.

import "pe"

rule Ymir
{
    meta:
        author = "Kaspersky - GERT"
        description = "Yara rule for detecting the Ymir ransomware."
        target_entity = "file"

    strings:
        $s1 = "powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path" wide ascii nocase
        $s2 = "setup-qtox-x86_64-release.exe" wide ascii nocase
        $s3 = "6C5oy2dVr6" wide ascii nocase
        $s4 = "INCIDENT_REPORT.pdf" wide ascii nocase
        $s5 = "D:20240831154833-06" wide ascii nocase
        $s6 = "ChaCha" wide ascii nocase
        $s7 = "x64dbg" wide ascii nocase

    condition:
        (3 of ($s*)) and pe.imports("msvcrt.dll", "memmove")
}

TELEMETRY

Using the above rule, we were able to query threat intelligence portals and find a similar sample originating from Pakistan. We believe that the attacker used a VPN network or Tor to hide their IP. The artifact we discovered looks like a test binary sent by the attacker to check if it would be detected by security vendors. The sample receives a --path parameter from the command line, which specifies the directory to be encrypted. However, it neither encrypts the files nor generates a ransom note.

[Image: Execution of the test sample]

What caught our attention was that this test version of the executable, similarly to the full-featured sample, did not delete itself when executed with the --path parameter, which made sense, since the adversary might want to select certain directories during the attack.
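The PowerShell self-delete seen in both the full sample and the test variant is also a useful behavioural detection point, independent of the static YARA rule above. The following Python is an added example, not part of the original report or of Kaspersky's tooling: it scans process-creation events for a PowerShell child that sleeps and then force-deletes a file, and raises the severity when the deleted file is the parent process image. Field names follow Sysmon's process-creation schema and the sample events are constructed.

```python
import re
from dataclasses import dataclass

# Shape of the self-delete command hardcoded in the Ymir sample (see the string table
# above): "powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path <file>".
# "-w h" is PowerShell's prefix shorthand for "-WindowStyle Hidden", "-c" for "-Command".
SELF_DELETE_RE = re.compile(
    r"Start-Sleep\s+-Seconds\s+(?P<delay>\d+)\s*;\s*"
    r'Remove-Item\s+-Force\s+-Path\s+(?P<target>"[^"]*"|\S+)',
    re.IGNORECASE,
)
HIDDEN_WINDOW_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?(?=\s|$)", re.IGNORECASE)

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


@dataclass
class Finding:
    pid: int
    severity: str
    delay_s: int
    target: str
    reason: str


def _norm_path(p: str) -> str:
    """Lower-case, unquoted, backslash-normalised path for comparison."""
    return p.strip('"\'').replace("/", "\\").lower()


def detect_self_delete(events):
    """Scan process-creation events (Sysmon event ID 1 style dicts) for a PowerShell
    child that sleeps and then force-deletes a file.

    Severity: high when the deleted file is the parent process image (the malware
    removing itself), medium for any other executable, low otherwise."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if not image.endswith(POWERSHELL_IMAGES):
            continue
        cmdline = ev.get("CommandLine", "")
        m = SELF_DELETE_RE.search(cmdline)
        if not m:
            continue
        target = _norm_path(m.group("target"))
        parent = _norm_path(ev.get("ParentImage", ""))
        if target and target == parent:
            severity, reason = "high", "PowerShell deletes its own parent executable after a delay"
        elif target.endswith(".exe"):
            severity, reason = "medium", "delayed forced deletion of an executable"
        else:
            severity, reason = "low", "delayed forced deletion via PowerShell"
        if HIDDEN_WINDOW_RE.search(cmdline):
            reason += " (hidden window)"
        findings.append(Finding(int(ev["ProcessId"]), severity, int(m.group("delay")), target, reason))
    return findings


# Constructed sample telemetry (not from the incident): one Ymir-like self-delete,
# one installer cleanup of another executable, and one ordinary cleanup that must not match.
SAMPLE_EVENTS = [
    {
        "ProcessId": 4412,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Users\victim\Downloads\update.exe",
        "CommandLine": r"powershell -w h -c Start-Sleep -Seconds 5; Remove-Item -Force -Path C:\Users\victim\Downloads\update.exe",
    },
    {
        "ProcessId": 5120,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -Command "Start-Sleep -Seconds 2; Remove-Item -Force -Path C:\Temp\setup_tmp.exe"',
    },
    {
        "ProcessId": 6008,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"powershell.exe -NoProfile -Command Remove-Item -Force -Path C:\Logs\archive.log",
    },
]

if __name__ == "__main__":
    for f in detect_self_delete(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} delay={f.delay_s}s target={f.target}: {f.reason}")
```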
By comparing the two detections, we concluded that the final sample with the fully enabled encryption features, unlike the test variant, had extended functionality implemented in additional strings. These included the extension appended to the name of the encrypted files (.6C5oy2dVr6) and the information present in the PDF file generated as a ransom note.

[Image: YARA matches comparison]

At the time of our research, 12 security vendors, including Kaspersky, detected the threat.

THE RANSOMWARE INCIDENT

In addition to analyzing the malware, we managed to investigate an incident in Colombia where the Ymir sample was obtained. Our forensic analysis revealed that crucial evidence had been lost through the attacker’s efforts to cover their tracks.

We at Kaspersky GERT were able to identify that two days before the ransomware deployment, a new RustyStealer threat was detected on multiple systems, allowing the attackers to control the machines, send commands, and gather information from compromised infrastructure. Malicious activity was detected on a domain controller shortly after, including compromised access on behalf of legitimate users, including one with high privileges.

The initial RustyStealer sample was a PE file compiled with Rust and deployed to Windows\Temp under the name AudioDriver2.0.exe.

Filename | AudioDriver2.0.exe
Size | 3334144 bytes (3.2 MB)
MD5 | 5ee1befc69d120976a60a97d3254e9eb
SHA-1 | e6c4d3e360a705e272ae0b505e58e3d928fb1387

This sample, named Trojan.Win32.Sheller.ey by Kaspersky, has the ability to gather information about the file system. It has obfuscated content for obstructing analysis and includes shared modules indicating that the artifact can invoke functions from APIs, such as native Windows DLLs. It also connects to the C2 server 74.50.84[.]181 on port 443, detected by Kaspersky as a host for malicious files since August 2024.
[Image: C2 server]

The attackers compromised the domain controller and used it to continue infiltrating systems in the targeted infrastructure. They abused compromised credentials gathered by the stealer to hop between systems using WinRM and PowerShell remote control capabilities, and then executed a set of two scripts that were confirmed to be a part of the proxy malware threat SystemBC.

Filename | 1.ps1 | 1.ps1
Size | 16239 bytes (15 KiB) | 4209 bytes (4 KiB)
MD5 | 5384d704fadf229d08eab696404cbba6 | 39df773139f505657d11749804953be5
Path | %windir%\temp\ | HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Both scripts use PowerShell to establish a covert channel to the IP address 94.158.244[.]69 on port 443. Based on the strings from the scripts we were able to obtain, we implemented YARA rules for identifying other samples and C2 servers configured with the same codification and spotted in the wild.

SHA256 | First seen | First reported from | C2 server | Verdict
8287d54c83db03b8adcdf1409f5d1c9abb1693ac8d000b5ae75b3a296cb3061c | 2024-09-16 03:24:06 UTC | Australia | 94.158.244[.]69 |
51ffc0b7358b7611492ef458fdf9b97f121e49e70f86a6b53b93ed923b707a03 | 2024-08-18 18:59:01 UTC | Ukraine | 85.239.61[.]60 | UDS:Trojan.PowerShell.Dnoper.posh
b087e1309f3eab6302d7503079af1ad6af06d70a932f7a6ae1421b942048e28a | 2024-08-17 02:43:55 UTC | Ukraine | 85.239.61[.]60 | Trojan.MSIL.Dnoper.sb

One of these scripts was spotted on multiple systems, collected as a script block for PowerShell that included a different approach and a different C2 system (5.255.117[.]134 on port 80). It was probably used to exfiltrate information from the infrastructure, according to the following hardcoded functions and their instructions.

* GetServerByFilename
* SendFile
* SearchRoot

[Image: GetServerByFilename function]

The script establishes communication with the C2 server and sends information, including a specific key that allows the attacker to identify the affected company.
[Image: The URI includes a unique key for each victim]
[Image: Information that will be sent to the C2 server]

The SearchRoot function contains a loop that searches for all files that are included in the requested folder and checks for a specific filter: the malware only uploads files with a size greater than 40 KB that were created after a specified date.

[Image: Search function]
[Image: File search procedure]

The script is Base64 encoded and passed to the following command for execution.

$selfpath\powershell.exe -Version 5.1 -s -NoLogo -NoProfile -EncodedCommand <B64CMD>

According to our GERT analysis, at the time of the research, there was a service configured at this IP address (5.255.117[.]134) for uploading files that were collected with the SystemBC scripts.

[Image: Active webservice]

At the same time, multiple creations and executions of the well-known programs Advanced IP Scanner and Process Hacker were alerted on several systems.

* advanced_ip_scanner.exe
* processhacker-2.39-setup.exe

Finally, two days after the initial RustyStealer intrusion, the attackers deployed the Ymir ransomware by executing remote connections and uploading the payload. Some traces of the execution were detected, in particular those associated with the PowerShell self-destruct script. Also, a part of the ransom note was configured in the legalnoticecaption value under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which invites the user to look for additional details in the ransom note, named “INCIDENT_REPORT.pdf”:

[Image: Part of the ransom note from the registry]

CONCLUSION

A link between malware stealer botnets acting as access brokers and the ransomware execution is evident. The Ymir development represents a threat to all types of companies and confirms the existence of emerging groups that can impact business and organizations with a configurable, robust and well-developed malware.
We have seen initial access brokers invade an organization and ensure persistence. Ymir was deployed to the targeted system shortly after. This new ransomware family was configured in a secure scheme, making it impossible to decrypt the files from the targeted system. The group behind this threat has not presented a dedicated leak site or any additional information yet, but we will continue monitoring their activity.

Alerts were triggered two days prior to the ransomware incident, and the lack of action on the critical system warnings allowed the attackers to launch the ransomware. This highlights the need for improved response strategies beyond relying solely on endpoint protection platforms (EPP).

Kaspersky products detect this new threat as Trojan-Ransom.Win64.Ymir.gen.

TACTICS, TECHNIQUES AND PROCEDURES

Below are the Ymir TTPs identified from our malware analysis.

Tactic | Technique | ID
Discovery | File and Directory Discovery | T1083
Discovery | System Information Discovery | T1082
Execution | Command and Scripting Interpreter: PowerShell | T1059.001
Impact | Data Encrypted for Impact | T1486
Defense evasion | Virtualization/Sandbox Evasion: Time Based Evasion | T1497.003
Defense evasion | Indicator Removal: File Deletion | T1070.004

RustyStealer TTPs:

Tactic | Technique | ID
Discovery | File and Directory Discovery | T1083
Discovery | Process Discovery | T1057
Execution | Shared Modules | T1129
Defense evasion | Obfuscated Files or Information | T1027

INDICATORS OF COMPROMISE

IPs
74.50.84[.]181:443
94.158.244[.]69:443
5.255.117[.]134:80
85.239.61[.]60
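As an added example that is not part of the original report or of Kaspersky's tooling, the following Python triages two of the artifacts described in the incident section: it decodes a -EncodedCommand argument (Base64 of UTF-16LE text) from a PowerShell command line and matches the decoded script against the SystemBC function names and C2 address, and it checks exported legalnoticecaption/legalnoticetext values for a reference to INCIDENT_REPORT.pdf. The script block and registry data it runs on are constructed stand-ins, not the originals.

```python
import base64
import re

# Indicators from the incident description: the hardcoded function names of the
# SystemBC exfiltration script block, its C2 address, and the ransom note filename
# that Ymir placed in the legalnoticecaption value under Policies\System.
SYSTEMBC_FUNCTIONS = ("GetServerByFilename", "SendFile", "SearchRoot")
SYSTEMBC_C2 = "5.255.117.134"
RANSOM_NOTE_NAME = "INCIDENT_REPORT.pdf"
LEGAL_NOTICE_VALUES = ("legalnoticecaption", "legalnoticetext")


def _is_encoded_flag(token: str) -> bool:
    """powershell.exe accepts -EncodedCommand, -e, -ec and any longer unambiguous prefix."""
    if token[:1] not in "-/":
        return False
    f = token.lstrip("-/").lower()
    return f in ("e", "ec") or (f.startswith("en") and "encodedcommand".startswith(f))


def decode_encoded_command(cmdline: str):
    """Return the script passed via -EncodedCommand (Base64 of UTF-16LE), or None
    when the command line carries no such flag or the blob does not decode."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            blob = tokens[i + 1].strip('"\'')
            try:
                raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
                return raw.decode("utf-16-le")
            except ValueError:  # bad Base64 or odd byte count / invalid UTF-16
                return None
    return None


def triage_powershell_cmdline(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and match it against the SystemBC
    script indicators. 'score' counts the independent indicators that matched."""
    script = decode_encoded_command(cmdline)
    text = script or ""
    hits = [fn for fn in SYSTEMBC_FUNCTIONS if re.search(rf"\b{fn}\b", text, re.IGNORECASE)]
    c2 = SYSTEMBC_C2 in text
    return {"encoded": script is not None, "functions": hits, "c2": c2, "score": len(hits) + int(c2)}


def check_legal_notice(policies_system: dict) -> list:
    # Input is a {value_name: data} mapping of the key
    # HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (e.g. from a reg export).
    # Any non-empty logon notice is reported; one naming the ransom note is rated high.
    findings = []
    for name, data in policies_system.items():
        if name.lower() in LEGAL_NOTICE_VALUES and isinstance(data, str) and data.strip():
            level = "high" if RANSOM_NOTE_NAME.lower() in data.lower() else "info"
            findings.append((name, level))
    return findings


# Constructed stand-in for the script block: only the function names and the C2
# address given in the report appear; nothing of the real script is reproduced.
_CONSTRUCTED_SCRIPT = (
    "function GetServerByFilename { }\n"
    "function SendFile { }\n"
    "function SearchRoot { }\n"
    "$server = 'http://5.255.117.134:80/'\n"
)
_B64 = base64.b64encode(_CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")

# Command-line template from the report with the constructed blob in place of <B64CMD>.
SAMPLE_SYSTEMBC_CMDLINE = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    f"-Version 5.1 -s -NoLogo -NoProfile -EncodedCommand {_B64}"
)
# Benign encoded one-liner (Get-Date) for contrast.
SAMPLE_BENIGN_CMDLINE = "powershell.exe -NoProfile -enc " + base64.b64encode(
    "Get-Date".encode("utf-16-le")).decode("ascii")

# Constructed registry values; the actual caption text is not reproduced here.
SAMPLE_POLICIES_SYSTEM = {
    "EnableLUA": 1,
    "legalnoticecaption": "Your network was compromised. See INCIDENT_REPORT.pdf for details.",
    "legalnoticetext": "",
}

if __name__ == "__main__":
    print(triage_powershell_cmdline(SAMPLE_SYSTEMBC_CMDLINE))
    print(triage_powershell_cmdline(SAMPLE_BENIGN_CMDLINE))
    print(check_legal_notice(SAMPLE_POLICIES_SYSTEM))
```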
