Researchers recently uncovered a multilingual attack campaign using a Yashma ransomware variant against organizations globally. The campaign, allegedly launched by Vietnamese threat actors, is believed to have commenced in the first week of June. Yashma was first spotted as a variant of the Chaos ransomware strain.
About the campaign
Security experts at Cisco Talos identified a previously unknown threat actor orchestrating a series of cyberattacks across China, Vietnam, Bulgaria, and English-speaking nations.
Upon infecting victim systems, the malware encrypts files and alters the wallpaper with a notification claiming the encryption of all files.
The ransom demand doubles if victims fail to pay within three days, and a Gmail address is offered for communication.
Efficacy of the new Yashma variant
Notably, this new strain of Yashma ransomware employs a modified approach to storing the ransom note.
Unlike previous iterations, which embedded the ransom note strings in the binary, the new variant downloads the note from a GitHub repository controlled by the threat actor.
This tweak aims to evade traditional detection methods that identify embedded ransom notes within the binary.
Additionally, the malware employs anti-recovery tactics, overwriting original unencrypted files with a single character ‘?’ and then deleting them.
This technique complicates the retrieval of deleted files by incident responders and forensic analysts.
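As an added illustration of how a defender might hunt for the two behaviours described above (this is example detection logic written for this article, not code from Cisco Talos or from the malware), the following Python scans constructed, hypothetical endpoint telemetry. The first check looks for a process that writes a single byte to a file and then deletes that same file across many files, which is the overwrite-then-delete anti-recovery pattern; the second flags a process outside an assumed allow-list reaching GitHub, which is where this variant fetches its ransom note. Process names, paths, the allow-list and the thresholds are all assumptions, not indicators from the campaign.

```python
from collections import defaultdict

# Constructed sample file telemetry (hypothetical process names and paths).
# Each event: (pid, process, action, path, bytes_written)
SAMPLE_FILE_EVENTS = [
    (4242, "svc_update.exe", "write",  r"C:\Users\ana\Documents\q1.docx", 1),
    (4242, "svc_update.exe", "delete", r"C:\Users\ana\Documents\q1.docx", 0),
    (4242, "svc_update.exe", "write",  r"C:\Users\ana\Documents\q2.xlsx", 1),
    (4242, "svc_update.exe", "delete", r"C:\Users\ana\Documents\q2.xlsx", 0),
    (4242, "svc_update.exe", "write",  r"C:\Users\ana\Pictures\img1.jpg", 1),
    (4242, "svc_update.exe", "delete", r"C:\Users\ana\Pictures\img1.jpg", 0),
    (4242, "svc_update.exe", "write",  r"C:\Users\ana\Pictures\img2.jpg", 1),
    (4242, "svc_update.exe", "delete", r"C:\Users\ana\Pictures\img2.jpg", 0),
    (4242, "svc_update.exe", "write",  r"C:\Users\ana\Desktop\notes.txt", 1),
    (4242, "svc_update.exe", "delete", r"C:\Users\ana\Desktop\notes.txt", 0),
    # Benign editor behaviour: a full-size save plus a tiny temp file that is deleted.
    (1300, "winword.exe", "write",  r"C:\Users\ana\Documents\memo.docx", 23456),
    (1300, "winword.exe", "write",  r"C:\Users\ana\Documents\~WRL0001.tmp", 1),
    (1300, "winword.exe", "delete", r"C:\Users\ana\Documents\~WRL0001.tmp", 0),
]

# Constructed sample network telemetry: (pid, process, destination_host)
SAMPLE_NET_EVENTS = [
    (4242, "svc_update.exe", "raw.githubusercontent.com"),
    (2222, "git.exe", "github.com"),
    (3333, "chrome.exe", "github.com"),
]

TINY_WRITE_MAX = 1      # the '?' overwrite is a single byte
MIN_VICTIM_FILES = 5    # distinct files hit before we raise an alert (assumed tuning)

# Hosts GitHub content is served from, and processes we assume may legitimately use them.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com"}
EXPECTED_GITHUB_CLIENTS = {"git.exe", "chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}


def find_wipe_then_delete(events, tiny_max=TINY_WRITE_MAX, threshold=MIN_VICTIM_FILES):
    """Return [(pid, process, n_files)] for processes that wrote <= tiny_max bytes
    to a file and then deleted that same file, for at least `threshold` distinct files.
    A normal-sized write to the same path clears the pending tiny write, so an
    editor that saves real content is not counted."""
    pending = set()                  # (pid, path) seen with a tiny write, not yet deleted
    hits = defaultdict(set)          # (pid, process) -> paths matching the pattern
    for pid, proc, action, path, nbytes in events:
        key = (pid, path)
        if action == "write":
            if nbytes <= tiny_max:
                pending.add(key)
            else:
                pending.discard(key)
        elif action == "delete" and key in pending:
            pending.discard(key)
            hits[(pid, proc)].add(path)
    return sorted((pid, proc, len(paths))
                  for (pid, proc), paths in hits.items() if len(paths) >= threshold)


def find_unexpected_github_fetch(net_events, allowed=EXPECTED_GITHUB_CLIENTS):
    """Return [(pid, process, host)] for processes outside the allow-list that
    contacted a GitHub host; a ransom note fetched at run time shows up here."""
    return sorted({(pid, proc, host) for pid, proc, host in net_events
                   if host in GITHUB_HOSTS and proc.lower() not in allowed})


if __name__ == "__main__":
    for pid, proc, n in find_wipe_then_delete(SAMPLE_FILE_EVENTS):
        print(f"ALERT overwrite-then-delete: pid={pid} {proc} touched {n} files")
    for pid, proc, host in find_unexpected_github_fetch(SAMPLE_NET_EVENTS):
        print(f"ALERT unexpected GitHub fetch: pid={pid} {proc} -> {host}")
```

In the constructed sample both checks single out the same process, which is the combination worth correlating: a process that both pulls content from GitHub and shreds user files is far more suspicious than either event alone. The temp-file case in the benign data shows why a per-process file count threshold, rather than a single tiny-write-then-delete, is needed to keep ordinary editors out of the alert stream.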
Attribution
The threat actor's GitHub account and email contact in the ransom notes appear to impersonate a legitimate Vietnamese organization, potentially indicating Vietnamese origins.
The ransom note specifies communication hours that align with Vietnam's time zone (UTC+7).
Further, the ransom note's close resemblance to WannaCry's adds to the intrigue, suggesting a deliberate effort to muddy attribution.
Final words
Cybercriminals targeting multiple countries and languages suggest a deliberate strategy to maximize the impact of attacks. While the growth in ransomware variants has been substantial, it's important to recognize that a significant portion of these new strains is actually variations of previously known ransomware, underscoring the need for comprehensive threat intelligence and response strategies. Yashma itself is one such case, being descended from Chaos. Security teams are therefore advised to take appropriate measures to mitigate the threat.