An unknown threat actor, believed to be operating from Vietnam, has recently launched a ransomware campaign using a variant of the Yashma ransomware, reminiscent of the notorious WannaCry attack. This campaign, which began no later than June 4, has caught the attention of cybersecurity experts at Cisco Talos, who have highlighted a unique aspect of the operation.
Unlike typical ransomware attacks, in which the ransom note is embedded in the malware binary itself, this attacker has taken a different approach. Instead, they have created a batch file that retrieves the ransom note from their GitHub repository at run time. Because the note text never ships inside the malware, traditional endpoint security measures have one less artifact to match on, making the threat more challenging to detect and mitigate.
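The detection angle this technique suggests, as an added example that is not part of the Talos report or of the article: scan process-creation telemetry for a download-capable child of a batch script that pulls a file from GitHub. The events, paths and repository URLs below are constructed placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (EDR/Sysmon style): parent image + cmdline, child image + cmdline."""
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


# Constructed sample events (assumed values, not from the Talos report).
EVENTS = [
    # A .bat script launched via cmd.exe spawns curl to fetch a text file from a GitHub repo.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\Public\note.bat",
              r"C:\Windows\System32\curl.exe",
              "curl.exe -s -o C:\\Users\\Public\\README.txt "
              "https://raw.githubusercontent.com/example-org/example-repo/main/note.txt"),
    # Developer tooling fetching from GitHub, but not launched from a batch file.
    ProcEvent(r"C:\Program Files\Git\git-bash.exe", "git-bash.exe",
              r"C:\Program Files\Git\mingw64\bin\curl.exe",
              "curl.exe -O https://raw.githubusercontent.com/example-org/tool/main/setup.sh"),
    # Batch-launched curl, but the destination is not GitHub.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\build\run.bat",
              r"C:\Windows\System32\curl.exe",
              "curl.exe -o C:\\build\\out.json https://internal.example/api/status"),
]

GITHUB_URL = re.compile(r"https?://(?:raw\.githubusercontent\.com|github\.com)/\S+", re.IGNORECASE)
# Built-in or common Windows binaries a batch script would use to pull a remote file.
DOWNLOADERS = {"curl.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def flag_batch_github_fetches(events):
    """Return (parent_cmdline, url) for every download-capable child of a .bat script that fetches from GitHub."""
    hits = []
    for e in events:
        launched_by_batch = basename(e.parent_image) == "cmd.exe" and ".bat" in e.parent_cmdline.lower()
        if not launched_by_batch or basename(e.image) not in DOWNLOADERS:
            continue
        match = GITHUB_URL.search(e.cmdline)
        if match:
            hits.append((e.parent_cmdline, match.group(0)))
    return hits
```

Legitimate build and developer scripts also fetch from GitHub, so treat a hit as a triage signal and correlate it with the file-write and mass-rename telemetry that accompanies encryption rather than alerting on it alone.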
Cisco Talos’ analysis has revealed that the threat actor is specifically targeting English-speaking countries, as well as Bulgaria, China, and Vietnam. The GitHub account associated with the attacker contains ransom notes in languages commonly spoken in these regions. Additionally, certain clues point to a Vietnamese origin for the threat actor, such as the use of a Vietnamese organization’s details in the GitHub account’s name and email, as well as specifying contact hours in Vietnam’s time zone (UTC+7) in the ransom note.
Interestingly, the attackers have shown a level of sensitivity towards Vietnamese victims, starting their ransom note with an apologetic tone. This subtle linguistic nuance suggests that the threat actors may have ties to Vietnam.
The ransomware variant utilized in this campaign is a customized version of Yashma, compiled on June 4, 2023. This malware, based on .NET, includes anti-recovery features that delete unencrypted files after encryption, hindering recovery efforts.
Currently, the attackers are demanding ransom payments in Bitcoin to a specified wallet address, with the ransom amount doubling if payment is not made within three days. However, as of now, no Bitcoin has been observed in the wallet, and the exact ransom amount remains undisclosed, indicating that the campaign is still in its early stages.
For more information and the Indicators of Compromise (IoCs) related to this threat, visit Cisco Talos’ GitHub repository. Stay vigilant and ensure that your systems are protected against such ransomware attacks.