The evolving threat landscape continues to present new challenges, with NCC Group’s latest Threat Pulse report uncovering the emergence of Ymir ransomware. This new ransomware strain showcases the growing collaboration among cybercriminals to execute highly sophisticated attacks.
First documented during the summer of 2024, Ymir initiates its attack cycle by deploying RustyStealer, an infostealer designed to extract credentials and serve as a spyware dropper. Ymir then enters its locker phase, executing swiftly to avoid detection. According to an analysis by Kaspersky, based on an attack in Colombia, Ymir’s ransomware locker employs a configurable, victim-tailored approach, focusing on a single-extortion model, where data is encrypted but not stolen.
Unlike many modern ransomware groups, Ymir’s operators lack a dedicated leak site for stolen data, further distinguishing them. Linguistic analysis of the code revealed Lingala language strings, suggesting a possible connection to Central Africa. However, experts remain divided on whether Ymir operates independently or collaborates with other threat actors.
Blurred Lines Between Criminal and State-Sponsored Activities
Matt Hull, NCC Group’s Head of Threat Intelligence, emphasized the challenges of attribution in modern cybercrime, noting that blurred lines between criminal groups and state-sponsored actors often complicate motivations. Geopolitical tensions are a driving factor behind these dynamic threat patterns, as highlighted by the UK’s National Cyber Security Centre (NCSC).
Ransomware Trends and Global Incidents
Recent incidents exemplify this evolving threat landscape:
- The KillSec hacktivist group transitioned into ransomware operations.
- Ukraine’s Cyber Anarchy Squad launched destructive attacks targeting Russian organizations.
- North Korea’s Jumpy Pisces APT collaborated with the Play ransomware gang.
- The Turk Hack Team attacked Philippine organizations using leaked LockBit 3.0 lockers.
NCC Group’s report indicates a 16% rise in ransomware incidents in November 2024, with 565 attacks recorded. The industrial sector remains the most targeted, followed by consumer discretionary and IT. Geographically, Europe and North America experienced the highest number of incidents. Akira ransomware overtook RansomHub as the most active group during this period.
State-Backed Threats and Infrastructure Risks
State-backed cyber groups continue to escalate their operations:
- Sandworm, a Russian APT recently reclassified as APT44, has intensified attacks on Ukrainian and European energy infrastructure.
- As winter deepens, threats to critical national infrastructure (CNI) heighten global concerns.
Ransomware is evolving into a multipurpose tool, used by hacktivists to fund operations or to obfuscate advanced persistent threats (APTs). With its trajectory pointing to continued growth and sophistication in 2025, heightened vigilance and proactive measures will be essential to mitigate these risks.
