An unidentified threat actor has deployed the Yashma ransomware variant since June 4, 2023, actively targeting English-speaking countries like:-
- Bulgaria
- China
- Vietnam
While this new variant of Yashma ransomware has reemerged after being fixed last year since the release of a decryptor.
This operation was recently identified by the cybersecurity researchers at Cisco Talos, who linked this operation, with moderate confidence, to a probably Vietnamese-origin threat actor.
Threat Actor’s origin
Talos highly believes the threat actor targets English-speaking countries due to ransomware notes on the ‘nguyenvietphat’ GitHub account.
Besides this, the English version suggests the actual intent of the threat actor to target various geographic regions.
GitHub account name and email contact in ransom notes mimic Vietnamese organizations, implying the threat actor’s origin. The ransom note specifies 7-11 p.m. UTC+7 contact time, aligning with the time zone of Vietnam.
Ransom Note Mimics WannaCry Style
The ransom note of the attacker mimics WannaCry’s style, and the ransom gets doubled after three days. While for communication, the threat actor provides a Gmail address and lack of ransom amount, and Bitcoin in the note suggests that the operation is in the early stage.
Once systems are encrypted, the victim’s wallpaper changes to a note of encryption. Yashma ransomware is a rebrand of Chaos ransomware from May 2022, and this new variant mostly retains the features of the original ransomware.
The ransom note mimics the style of WannaCry ransomware, potentially aimed at confusing the targets and hiding the identity of the threat actor.
However, the new variant downloads the ransom note from a threat actor’s GitHub repo instead of storing it within the ransomware.
This transformation evades the endpoint detection and AV tools that typically spot embedded ransom note strings.
In this variant, the threat actor retains Yashma’s anti-recovery ability. After encryption, files are wiped, a single character ‘?’ is written, and then the file is deleted, which complicates the recovery.
