Joint RustyStealer, Ymir ransomware attacks emerge

Attackers first targeted numerous systems with the RustyStealer credential-harvesting tool to compromise high-privilege accounts and move laterally, followed by the execution of SystemBC malware-related scripts and exfiltration of data over two days, according to an analysis from Kaspersky researchers. The attackers then deployed the Ymir ransomware, which conducts system reconnaissance and skips file extensions before encrypting files using the ChaCha20 stream cipher, the researchers reported.

Source: SC Magazine

 

