A newly discovered multilingual cybercriminal operation uses a Yashma ransomware variant against numerous entities worldwide. Researchers believe Vietnamese threat actors started the campaign a few months ago; their analysis also uncovered related campaigns that use different languages. Analysts initially identified the new strain of Yashma as a Chaos ransomware variant.
Based on reports, the alleged Vietnamese attackers have executed malicious campaigns against multiple countries, such as Bulgaria, China, Vietnam, and English-speaking countries.
The Yashma ransomware operators encrypt files while notifying victims through wallpaper changes.
The attackers use Yashma ransomware to encrypt files and change the device's wallpaper to notify victims that all their files have been encrypted. The ransom demand doubles if the victim does not pay within three days. The actors give the victim a Gmail address for negotiation.
Researchers noted that the new Yashma strain changes how it stores the ransom note. Where the previous version embedded the ransom-note strings in the binary, the new variant downloads the note from an attacker-controlled GitHub repository.
The primary objective of this change is to evade detections that look for ransom-note strings embedded in the binary. Furthermore, the malware developers adopted an anti-recovery tactic: the malware overwrites the original, unencrypted files with a single character, '?', and then deletes them.
Threat analysts explained that this tactic makes it harder for them and for incident responders to recover the deleted files.
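The overwrite-then-delete sequence described above leaves a recognisable trace in file-activity telemetry: a process writes a single byte to a file and deletes the same file moments later, and does so across many files. The following added example (not code from the original report or from the researchers) flags processes that exhibit this pattern. The event tuples are constructed sample data with assumed field names, not output from any real sensor; the five-second window and the three-file threshold are assumptions to tune against your own telemetry.

```python
"""Flag processes that overwrite files with a tiny write and then delete them.

Added example with constructed data; the event format (timestamp, pid,
operation, path, bytes_written) is an assumption, not a real sensor schema.
"""
from collections import defaultdict

TINY_WRITE_MAX = 1     # the report describes a single '?' character
WINDOW_SECONDS = 5.0   # assumed: the tiny write and the delete occur close together

# Constructed events: (timestamp_seconds, pid, operation, path, bytes_written)
SAMPLE_EVENTS = [
    # suspicious: pid 4242 wipes and deletes three user files in quick succession
    (10.0, 4242, "write",  "C:/Users/alice/Documents/budget.xlsx", 1),
    (10.1, 4242, "delete", "C:/Users/alice/Documents/budget.xlsx", 0),
    (10.2, 4242, "write",  "C:/Users/alice/Documents/notes.txt", 1),
    (10.3, 4242, "delete", "C:/Users/alice/Documents/notes.txt", 0),
    (10.4, 4242, "write",  "C:/Users/alice/Pictures/holiday.jpg", 1),
    (10.5, 4242, "delete", "C:/Users/alice/Pictures/holiday.jpg", 0),
    # benign: an editor saves a real document and removes its temp file much later
    (11.0, 777,  "write",  "C:/Users/alice/Documents/report.docx", 40960),
    (11.2, 777,  "write",  "C:/Users/alice/Documents/~$report.docx", 1),
    (20.0, 777,  "delete", "C:/Users/alice/Documents/~$report.docx", 0),
    # benign: a one-byte marker file that is never deleted
    (12.0, 900,  "write",  "C:/ProgramData/app/.lock", 1),
]


def find_wipe_then_delete(events, window=WINDOW_SECONDS, tiny_max=TINY_WRITE_MAX):
    """Return {pid: [paths]} for each process that wrote at most `tiny_max`
    bytes to a file and deleted that same file within `window` seconds."""
    last_tiny_write = {}          # (pid, path) -> timestamp of the tiny write
    hits = defaultdict(list)
    for ts, pid, op, path, nbytes in sorted(events, key=lambda e: e[0]):
        key = (pid, path)
        if op == "write":
            if nbytes <= tiny_max:
                last_tiny_write[key] = ts
            else:
                last_tiny_write.pop(key, None)   # a normal write resets the state
        elif op == "delete":
            t_write = last_tiny_write.pop(key, None)
            if t_write is not None and ts - t_write <= window:
                hits[pid].append(path)
    return dict(hits)


def suspicious_pids(events, min_files=3, **kwargs):
    """Only report processes that show the pattern on at least `min_files` files,
    so a single editor temp-file cleanup does not raise an alert."""
    return {pid: paths
            for pid, paths in find_wipe_then_delete(events, **kwargs).items()
            if len(paths) >= min_files}


if __name__ == "__main__":
    for pid, paths in suspicious_pids(SAMPLE_EVENTS).items():
        print(f"pid {pid}: overwrite-then-delete on {len(paths)} files")
```

Keying the state on (pid, path) means a legitimate large write to the same file clears the pending tiny write, and the per-process file count keeps one-off temp-file cleanups from alerting. Real telemetry will need the thresholds and the event mapping adjusted to the sensor in use.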
The researchers attributed the attack to Vietnam because the attackers' GitHub account and the email contact in the ransom note impersonate a legitimate Vietnam-based company. In addition, the contact hours stated in the ransom note align with the Vietnamese time zone, suggesting the operators are based in the country.
Attackers who write in multiple languages to target numerous countries are evidently trying to maximise their pool of targets. Organisations should therefore maintain comprehensive threat intelligence and response strategies to keep up with such sophisticated campaigns.
Security teams and companies should have the mitigation and response capabilities in place to address such threats promptly.