Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware



Since June 4, 2023, an unidentified threat actor has been employing a Yashma ransomware variant to target entities in English-speaking countries, Bulgaria, China, and Vietnam.

Experts from Cisco Talos said on Monday that they have discovered a previously unknown threat actor – allegedly from Vietnam – conducting attacks that started as early as June 4.

New Yashma Ransomware

Yashma, initially documented by the BlackBerry research and intelligence team in May 2022, is essentially a rebranded version of the Chaos ransomware strain. Its appearance coincided with the leak of the Chaos ransomware builder in the wild, occurring just a month before Yashma’s emergence.

The ransom note bears a striking resemblance to the infamous WannaCry ransomware, likely to obscure the threat actor’s identity and hinder attribution efforts. Although the note provides a wallet address for payment, it omits specifying the amount.

The attacker’s ransom note closely imitates WannaCry, which gained worldwide attention in 2017 due to its high-profile attacks. The ransom note exists in multiple versions, including English, Bulgarian, Vietnamese, and Chinese.

“The company reported that the Cl0p ransomware group is actively exploiting zero-day vulnerabilities and has expanded its victim count by 9x year over year. Additionally, victims of multiple ransomware attacks were found to be more than 6x more likely to experience a second attack within three months of the initial incident.”

In this variant, the threat actor decided to retain Yashma’s anti-recovery capability. After encrypting a file, the ransomware erases the contents of the original unencrypted files, replaces them with a single character ‘?’, and then deletes the file. This technique adds difficulty for incident responders and forensic analysts attempting to recover the deleted files from the victim’s hard drive.
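The overwrite-then-delete sequence described above leaves a recognisable trace in file-activity telemetry. The following is an added detection example written for this article (not Cisco Talos code and not derived from the sample); the event format and the process IDs are constructed for illustration, and it flags any process that overwrites several files with the single byte '?' and deletes each one shortly afterwards.

```python
"""Flag the Yashma-style anti-recovery pattern (overwrite original with one
'?' byte, then delete) in a stream of file-activity events."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since epoch (constructed sample clock)
    pid: int           # process that performed the action
    action: str        # "write" or "delete"
    path: str
    size: int = -1     # bytes written; only meaningful for "write"
    data: bytes = b""  # leading bytes written; only meaningful for "write"


def find_wipe_then_delete(events, window=5.0, min_hits=3):
    """Return {pid: [paths]} for processes that overwrote at least
    `min_hits` files with a lone '?' and deleted each within `window` s."""
    pending = {}              # (pid, path) -> timestamp of the 1-byte '?' write
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ev.path)
        if ev.action == "write":
            if ev.size == 1 and ev.data == b"?":
                pending[key] = ev.ts
            else:
                pending.pop(key, None)   # a later ordinary write cancels the pattern
        elif ev.action == "delete":
            t0 = pending.pop(key, None)
            if t0 is not None and ev.ts - t0 <= window:
                hits[ev.pid].append(ev.path)
    return {pid: paths for pid, paths in hits.items() if len(paths) >= min_hits}


# Constructed sample: pid 4242 performs the wipe-then-delete sequence on three
# documents; pid 7 is an editor doing ordinary saves and an unrelated delete.
SAMPLE_EVENTS = [
    FileEvent(100.0, 4242, "write", r"C:\Users\a\Docs\q1.xlsx", 1, b"?"),
    FileEvent(100.1, 4242, "delete", r"C:\Users\a\Docs\q1.xlsx"),
    FileEvent(100.2, 4242, "write", r"C:\Users\a\Docs\plan.docx", 1, b"?"),
    FileEvent(100.3, 4242, "delete", r"C:\Users\a\Docs\plan.docx"),
    FileEvent(100.4, 4242, "write", r"C:\Users\a\Docs\notes.txt", 1, b"?"),
    FileEvent(100.5, 4242, "delete", r"C:\Users\a\Docs\notes.txt"),
    FileEvent(101.0, 7, "write", r"C:\Users\a\Docs\draft.txt", 2048, b"Hel"),
    FileEvent(101.5, 7, "write", r"C:\Users\a\Docs\x.txt", 1, b"?"),
    FileEvent(101.6, 7, "write", r"C:\Users\a\Docs\x.txt", 300, b"Upd"),
    FileEvent(102.0, 7, "delete", r"C:\Users\a\Docs\x.txt"),
]

if __name__ == "__main__":
    print(find_wipe_then_delete(SAMPLE_EVENTS))   # {4242: [three paths]}
```

On a real endpoint the same logic applies to file-write and file-delete events from an EDR or audit source, with the threshold tuned so that a single '?' save by a legitimate program does not alert.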

Multiple organizations monitoring ransomware attacks have observed a significant surge in the number of emerging strains.

On Monday, FortiGuard Labs reported substantial spikes in ransomware variant growth in recent years, mainly driven by the widespread adoption of Ransomware-as-a-Service (RaaS).

IOCs - New Yashma Ransomware

3ea6df18492d21811421659c4cf9b88e64c316f2bef8a19766b0c79012476cac
nguyenvietphat[.]n[at]gmail[.]com
hxxps[://]github[.]com/nguyenvietphat/Ransomware[.]git


About the Author:

FirstHackersNews- Identifies Security
