Ymir Ransomware: A Chilling Threat to Data and Networks

What Is Ymir Ransomware?

Ymir ransomware is a sophisticated strain that uses the ChaCha20 encryption algorithm to encrypt files on infected systems. It is especially feared because of the distinctive way it renames affected files, appending an extension made up of random characters. For example, a file originally named "document.pdf" can be renamed to "document.pdf.6C5oy2dVr6", meaning the file can no longer be accessed without the decryption key.

Once the encryption process is finished, Ymir ransomware leaves an unmistakable trail. Victims find a ransom note titled "INCIDENT_REPORT.pdf" in every affected folder. On top of that, Ymir displays a full-screen warning message before the login screen, stating that the network has been compromised, the data has been encrypted, and sensitive information has been stolen.
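The two on-disk indicators just described (the appended random extension and a ransom note in every folder) are enough to triage a file share during incident response. The following is an added example, not code from the article or from any vendor; it assumes the appended extension is 10 alphanumeric characters, which is inferred from the single renamed file the article shows, and runs on a constructed list of paths so it works offline.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Indicators taken from the article: Ymir appends a random extension after
# the original one (document.pdf -> document.pdf.6C5oy2dVr6) and writes
# INCIDENT_REPORT.pdf into each folder it encrypts.
RANSOM_NOTE = "INCIDENT_REPORT.pdf"
# Assumption: 10 alphanumeric characters, based on the one sample shown.
APPENDED_EXT = re.compile(r"^[A-Za-z0-9]{10}$")


def looks_renamed_by_ymir(path):
    """True if the name ends in <original ext>.<10 random chars>."""
    p = PurePosixPath(path.replace("\\", "/"))
    suffixes = p.suffixes
    if len(suffixes) < 2:          # need an original extension plus the appended one
        return False
    appended = suffixes[-1].lstrip(".")
    original = suffixes[-2]
    return bool(APPENDED_EXT.match(appended)) and len(original) > 1


def triage(paths):
    """Group paths by directory; keep only directories showing Ymir indicators."""
    by_dir = defaultdict(lambda: {"renamed": [], "note": False})
    for raw in paths:
        p = PurePosixPath(raw.replace("\\", "/"))
        entry = by_dir[str(p.parent)]
        if p.name == RANSOM_NOTE:
            entry["note"] = True
        elif looks_renamed_by_ymir(raw):
            entry["renamed"].append(p.name)
    return {d: v for d, v in by_dir.items() if v["note"] or v["renamed"]}


# Constructed sample listing: two encrypted folders and one untouched folder.
SAMPLE_PATHS = [
    "/srv/share/finance/document.pdf.6C5oy2dVr6",
    "/srv/share/finance/budget.xlsx.aB3dE5fG7h",
    "/srv/share/finance/INCIDENT_REPORT.pdf",
    "/srv/share/hr/policy.docx",
    "/srv/share/hr/INCIDENT_REPORT.pdf",
    "/srv/share/backup/archive.tar.gz",   # legitimate double extension, not flagged
]

if __name__ == "__main__":
    for directory, hit in triage(SAMPLE_PATHS).items():
        print(directory, "note" if hit["note"] else "", hit["renamed"])
```

In a real engagement the path list would come from `os.walk` on the affected share; a folder with the note but no renamed files (like `hr` above) still deserves attention, since the note is dropped before or alongside encryption.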

Here is the full ransom note:

#? What happened?
Your network has been compromised and attacked by hackers.
All files have been modified.
Sensitive information has been stolen and handed over to our
experts for analysis.


#? Why did this happen?
Your security system was weak, it allowed your company to be
hacked.


#? What are the possible consequences?
You won't be able to use your data, so the company is frozen. You
will lose money every day.
If you refuse to make a deal, your data will be published on the
internet, sold on darknet forums, shared with journalists and your
competitors.
You will suffer reputational damage, your stock will drop in value,
clients and sponsors will lose trust in you.
Also, if the incident becomes public, you will be noticed by law
enforcement agencies and then a long investigation with freezing
of your company will begin.
You'll get multiple fines in excess of the deal.

#? What do I get if I make a deal?
You get file recovery software. We'll remove the stolen data from our servers and provide proof.
You'll get an incident report and recommendations for protection.
You'll get a guarantee that our team will add you to our whitelist of
untouchable companies and we'll never come back to you again. We will not report the incident to anyone.


#? Why are you doing this?
We're only interested in the money. We don't care about the rest. We also take pleasure in what we do.


#? How can I trust you?
You have no choice, either you lose everything or you trust us. We don't plan to deceive you. We operate in a public space, every
action we take is discussed.
If we defraud even 1 company, we will never be able to make a
good deal. We will definitely recover your files and we will definitely keep
everything confidential.
We are specialists with years of experience and we respect
ourselves and our reputation.
You'll see that we're a bargain when you contact us.


#? How do I proceed if I don't believe a word you say?
You can go to the recovery or the enforcers, but it will definitely
cost you more than dealing with us.
Recovery will buy our software with your token and sell it to you at
a 300% markup.
The enforcers will trample your company, talk to the lawyers, they
will tell you the consequences.

#? I'm the administrator of this network, what do I do?
Don't try to make a deal on your own, you won't have enough
salary for a few years.
Report the incident to your bosses. They'll find out anyway. We
have their contacts and we'll let them know in three days if no one
contacts us.
If you try to rebuild the network alone and hide the incident from
your bosses, you'll delay the inevitable. At some point, they'll hear
about it on the news and be furious that you denied them the
opportunity to save their company.


#? What do I do?
The first thing you should do is inform your bosses about the
incident.
You'll have to pay us to recover your files. Only we have the unique
token.
Don't try to use any third-party applications to recover your files,
they may be damaged irretrievably.
You need to contact us
You can send us 1-3 modified files and we will prove that we can
recover them. We will provide proof of the stolen data.

RecoverySupport@onionmail.org
To contact us, install qTOX messenger.
hxxps://github.com/qTox/qTox/releases/download/v1.17.6/setupqtox-x86_64-release.exe
Add our contact and we can make a deal.


Tox ID:
CF9AE1B27EAA4BF8C223735BEA15AAE23D5BA312B9D9061C805ABD99C373530DBDCC18B7C3BF

Understanding How Ymir Ransomware Works

The full-screen alert plays a key role in Ymir's strategy: it spells out the consequences of the breach and discourages victims from attempting decryption by outside means. The attackers stress that using unauthorized decryption methods may cause irreparable file damage. The intimidating message also urges victims to notify the relevant authorities within their organization, increasing the pressure to act on the attackers' demands.

The accompanying PDF ransom note reinforces this urgency, explaining that paying the ransom will yield the necessary decryption tool and promising that the stolen data will be deleted from the attackers' servers. The note warns that non-compliance may lead to the data being leaked online, sold on darknet markets, or handed to competitors, causing significant financial and reputational harm.

What Ymir Ransomware Wants

The motive behind Ymir ransomware is clear: financial gain. The attackers demand payment in exchange for a decryption tool and for withholding the stolen data from publication. This double-extortion strategy not only pressures victims to pay to regain access to their files but also exploits the fear of public data exposure, which can have severe consequences for the affected organization.

To convince victims of their credibility, the ransomware operators offer to decrypt up to three files as proof and to provide evidence of the data theft. This tactic builds confidence in the attackers' claims and nudges victims toward compliance.

The Mechanics Behind Ymir's Infiltration

A Ymir attack is a multi-stage, coordinated operation. Initial network infiltration usually occurs through PowerShell commands used for remote control. Data theft typically takes place before the encryption phase and is often carried out with the RustyStealer malware. Other tools such as Process Hacker and Advanced IP Scanner support Ymir's network traversal and system access, while advanced memory manipulation helps it evade detection.

These memory-based operations execute code incrementally to avoid triggering alerts. Hundreds of function calls insert malicious instructions into memory, enhancing Ymir's stealth and allowing it to bypass conventional security measures.

Ymir's Self-Propagation Capability

Ymir's ability to spread across the local network adds another layer of complexity. This self-propagation is achieved through WinRM (Windows Remote Management) and the SystemBC malware, with PowerShell commands used for seamless execution. Such methods amplify the potential damage, extending the impact from a single infected system to the entire network of connected devices.

The Challenge of Decryption and Data Recovery

Without the attackers' cooperation, decrypting files encrypted by Ymir is generally impossible. This reality underscores the leverage ransomware operators hold once a system has been compromised. Even if a victim decides to comply and pay the ransom, there is no certainty that the promised decryption tool will be delivered or that the stolen data will actually be deleted. Cybersecurity experts therefore strongly advise against paying, as it perpetuates criminal activity and funds further ransomware development.

The only reliable way to restore compromised files is from pre-existing, unaffected backups. Keeping those backups stored separately, for example on offline devices or remote servers, is essential for any organization that wants to recover from a ransomware incident.

Preventive Measures and Best Practices

Given Ymir's sophisticated methods, preventing ransomware infection is paramount. Most ransomware, Ymir included, spreads through phishing emails, malicious advertising, and malicious downloads disguised as legitimate software. Users should exercise caution with emails from unknown sources and avoid clicking suspicious links or attachments. Downloading software only from verified sources and keeping programs up to date through official channels reduces the risk of ransomware exposure.

Maintaining backups in multiple secure locations is recommended. By keeping clean copies of data on remote servers or offline storage devices, victims can bypass the ransom and restore their files independently.

Final Thoughts

Ymir ransomware is a stark reminder that cyber threats keep evolving. Its combination of advanced encryption, data exfiltration, and multi-stage attack tactics poses a significant challenge for organizations. Staying vigilant and following cybersecurity best practices remains the front line of defense for protecting valuable data and preserving network integrity.

November 13, 2024