Since June 4, 2023, an unidentified threat actor has been employing a Yashma ransomware variant to target entities in English-speaking countries, Bulgaria, China, and Vietnam.
Experts from Cisco Talos said on Monday that they have discovered a previously unknown threat actor – allegedly from Vietnam – conducting attacks that started as early as June 4.
New Yashma Ransomware
Yashma, initially documented by the BlackBerry research and intelligence team in May 2022, is essentially a rebranded version of the Chaos ransomware strain. Its appearance coincided with the leak of the Chaos ransomware builder in the wild, occurring just a month before Yashma’s emergence.
The ransom note bears a striking resemblance to the infamous WannaCry ransomware, likely to obscure the threat actor’s identity and hinder attribution efforts. Although the note provides a wallet address for payment, it omits specifying the amount.
The attacker’s ransom note closely imitates WannaCry, which gained worldwide attention in 2017 due to its high-profile attacks. The ransom note exists in multiple versions, including English, Bulgarian, Vietnamese, and Chinese.
“The company reported that the Cl0p ransomware group is actively exploiting zero-day vulnerabilities and has expanded its victim count by 9x year over year. Additionally, victims of multiple ransomware attacks were found to be more than 6x more likely to experience a second attack within three months of the initial incident.”
In this variant, the threat actor decided to retain Yashma’s anti-recovery capability. After encrypting a file, the ransomware erases the contents of the original unencrypted files, replaces them with a single character ‘?’, and then deletes the file. This technique adds difficulty for incident responders and forensic analysts attempting to recover the deleted files from the victim’s hard drive.
Multiple organizations monitoring ransomware attacks have observed a significant surge in the number of emerging strains.
On Monday, FortiGuard Labs reported substantial spikes in ransomware variant growth in recent years, mainly driven by the widespread adoption of Ransomware-as-a-Service (RaaS).
IOCs -New Yashma Ransomware