Yashma Ransomware Resurfaces Targeting Multiple Nations
New Yashma Strain Spreads Across the Globe
Overt Operator
August 08, 2023
Researchers are alarmed after discovering a new strain of ransomware wreaking havoc in China, Vietnam, Bulgaria, and several English-speaking countries. On Monday, Cisco Talos' experts unveiled the details of this previously unidentified threat, allegedly originating from Vietnam, and conducting targeted attacks since June 4.
The ransomware is a derivative of the Yashma strain, which had largely fallen out of use since the release of a decryptor last year.
According to a Cisco Talos report on August 7, the threat actor, possibly of Vietnamese origin, is targeting victims in English-speaking countries, Bulgaria, China, and Vietnam. This conclusion comes from the ransomware notes found on the actor's GitHub account, 'nguyenvietphat,' which are written in the languages of these countries.
"The threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name," the report added, further explaining that the ransom note requested victims to contact them within Vietnam's time zone.
This newest wave of ransomware follows the pattern of the infamous WannaCry attacks in 2017. The ransom notes are provided in English, Bulgarian, Vietnamese, and Chinese. If the ransom is not paid within three days, the amount doubles. Although no specific ransom amount was listed, and no Bitcoin was found in the shared account, Cisco Talos suggests that the operation might still be in its early stages.
The newly identified strain continues the sinister legacy of Yashma, a rebranded version of Chaos ransomware, first detected in May 2022. An in-depth investigation reveals that most of the original ransomware's features have been retained, with a few modifications.
One significant change that caught Cisco Talos' attention is that the ransom note is now downloaded from a threat actor-controlled GitHub repository, instead of being stored in the ransomware itself.
"This modification evades endpoint detection solutions and anti-virus software, which usually detect embedded ransom note strings in the binary," the researchers noted.
The persistent anti-recovery capability of Yashma has been maintained, ensuring that the deleted files become unrecoverable by encrypting and wiping the original unencrypted files. This technique adds an extra layer of complexity for forensic analysts trying to recover the lost data.
Other cybersecurity organizations such as FortiGuard Labs have corroborated the findings, reporting substantial spikes in ransomware variant growth, propelled by the adoption of Ransomware-as-a-Service (RaaS).