A newly observed ransomware strain has the community talking about more collaboration, and blurred lines, between threat groups next year, according to NCC’s monthly cyber barometer
Change appears to be afoot in the threat landscape, according to NCC Group’s latest monthly Threat pulse report for November, which reveals insight into an emergent ransomware strain called Ymir that demonstrates how threat actors are increasingly acting cooperatively.
The emergence of a strain of ransomware called Ymir may prove to be prima facie evidence of this. Documented for the first time during the summer, Ymir first targets victims with the RustyStealer infostealer – usually used to obtain credentials and as a spyware dropper, prior to deploying its locker.
In the only Ymir attack for which we have much detail – obtained via Kaspersky, which analysed an attack in Columbia – the crew executed the final stage of its attack very swiftly, avoiding the attention of defenders.
Its entirely novel locker is extensively configurable and tailored to the victim. It appears to focus solely on traditional single-extortion methodology, that is to say it only encrypts the data, it does not steal it, and Ymir’s operators, whoever they may be, do not seem to have a leak site – a somewhat unusual development.
A subtle and slightly unusual clue to the nationality of a core member may be found in the use of a comment string written in the Lingala language, spoken in Angola, Congo and the Democratic Republic of the Congo.
Notably, Ymir’s use of RustyStealer and its remarkably swift turnaround time has divided commentators over whether or not it acted independently or whether it collaborated with someone else in this instance.
“Despite continued sector focus, there’s an interesting picture to paint when it comes to patterns of how threat groups operate,” said Matt Hull, NCC head of threat intelligence. “The collaboration between threat groups and blurring of lines between criminal and state-sponsored activity, often linked to geopolitical tensions, creates a dynamic threat landscape where motives behind attacks can be difficult to discern. This has been further highlighted in warnings issued by the UK’s NCSC in their recent Annual review.”
Threat landscape
Hull said Ymir’s emergence was sparking wider conversations on the links between ransomware gangs and other threat actors, and the current fluidity of the threat landscape.
The past 12 months have served up several incidents in which these lines were blurred to some extent – for example, the apparently successful transition of the KillSec operation from a hacktivist collective to a ransomware operation, or the activities of a Ukrainian hacktivist gang known as Cyber Anarchy Squad that claimed responsibility for a spate of destructive ransomware hits on Russian targets.
Elsewhere, said NCC, hacktivists aligned with the Turk Hack Team hit targets in the Philippines with the leaked LockBit 3.0 locker. And an apparent collaboration between the North Korean Jumpy Pisces APT and the Play ransomware gang – in which the North Koreans possibly acted as an initial access broker (IAB) for the cyber criminals – also sets an interesting, and alarming, precedent.
“This proliferation of ransomware from a wider range of actors than we have previously seen is likely to continue into 2025,” wrote the report’s authors.
“Ransomware has been growing, evolving and becoming steadily more sophisticated in the last few years, and other actors have certainly taken notice ransomware can be used as a means of destruction by hacktivists as an additional measure alongside their more typical DDoS attacks, and help hacktivist operations make money to fund further hacktivist campaigns, or even act as a smokescreen to hide the true activities of a network intrusion by an adversarial APT.”
Ransomware volumes rising
Overall ransomware attack volumes rose 16% in November 2024 compared with the previous month, with NCC’s telemetry recording a total of 565 attacks, over three-quarters of them affecting organisations located in Europe and North America.
The increase in attacks caused a change on the monthly ransomware “chart”, with RansomHub knocked off the top spot with 80 attributable attacks, to be replaced by Akira, which accounted for 87. ElDorado, with 43 attacks, and Killsec, with 33, were also highly active during the period. Broken out by sector, industrials remained the most targeted vertical, followed by consumer discretionary and IT.
NCC said it also observed a “sustained” increase in attacks by the Russian Sandworm advanced persistent threat (APT) actor. Sandworm, which was formally upgraded to a standalone group – APT44 – by Mandiant earlier this year, has been involved in a great many high-profile Russian state cyber attacks, including NotPetya.
Sandworm’s attacks largely centre Ukrainian targets in line with current Russian military tasking, but as winter sets in across Europe, there is evidence that it’s ramping up targeting of energy infrastructure.
“The relentless activity of various cyber threat actors has almost become commonplace, but the focus on the industrial sector, and particularly organisations that operate as part of critical national infrastructure, remains a real concern,” said Hull.
“As 2024 draws to a close, the immediate global threat of ransomware remains, so we’d urge companies to be more vigilant than ever when protecting against attacks,” he said. “And, as we enter the holiday period, please stay secure and be mindful of the usual seasonal influx of scam and phishing emails which impact us all personally at this time of year.”