A previously unknown threat actor, believed to be of Vietnamese origin, has emerged with a customized version of the Yashma ransomware. This actor is preparing to target various English-speaking countries, Bulgaria, China, and Vietnam, according to Cisco Talos researchers.
The researchers first observed this actor in early June and have tracked its activity since, noting unusual and evasive methods for storing and delivering the ransom note. Yashma is a 32-bit executable written in .NET and is essentially a rebranded build of Chaos ransomware version 5. This actor's variant adds a few significant changes, the most notable being the way the ransom note is stored and delivered. Instead of embedding the note in the binary, the ransomware runs an embedded batch file that downloads the note from a GitHub repository the actor controls. This sidesteps endpoint detection and antivirus signatures that key on ransom-note strings embedded in the binary. It is not free for the attacker, though: the batch script and the repository URL are still present in the sample and are themselves indicators a defender can hunt for, and the note cannot be delivered on a host without outbound access to GitHub.
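The following Python script is an added example, not Cisco Talos code and not the actor's batch file. It illustrates the triage point above: a sample that fetches its note at runtime still carries the batch script and the repository URL as string literals, and because .NET stores string literals as UTF-16LE, a scanner that only extracts ASCII runs would miss them. The curl command line, the repository path, and both sample blobs are constructed for this demonstration.

```python
"""Static triage for a Yashma-style sample that fetches its ransom note at runtime.

Added example; this is not Cisco Talos code and not the actor's batch file.
It assumes the sample embeds a batch script and a GitHub URL as .NET string
literals. .NET stores string literals as UTF-16LE, so a scanner that only
extracts ASCII runs would miss them; both encodings are checked here.
"""
import re

MIN_LEN = 6
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicators applied to each extracted string. The note text is expected to be
# absent from a note-fetching variant and present in stock Chaos/Yashma.
INDICATORS = {
    "batch_script": re.compile(r"@echo off|\.bat\b", re.IGNORECASE),
    "github_url": re.compile(
        r"https?://(?:raw\.githubusercontent\.com|github\.com)/\S+", re.IGNORECASE),
    "note_in_binary": re.compile(
        r"files (?:have been|are) encrypted|bitcoin", re.IGNORECASE),
}


def extract_strings(blob):
    """Return printable runs found both as ASCII and as UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(blob)]
    return found


def triage(blob):
    """Classify a blob: True when it looks like a note-fetching variant.

    Returns (verdict, hits), where hits maps each indicator name to the
    strings that matched it, so an analyst can see what drove the verdict.
    """
    strings = extract_strings(blob)
    hits = {name: [s for s in strings if rx.search(s)]
            for name, rx in INDICATORS.items()}
    verdict = bool(hits["batch_script"]) and bool(hits["github_url"]) \
        and not hits["note_in_binary"]
    return verdict, hits


def utf16(text):
    """Encode text the way .NET stores string literals."""
    return text.encode("utf-16le")


# Constructed stand-in for the note-fetching variant. The curl command line
# and the repository path are assumptions made for this demo, not the
# actor's real script or repository.
SAMPLE_FETCHING_VARIANT = (
    b"MZ\x90\x00" + b"\x00" * 16
    + utf16("@echo off\r\ncurl -s -o %TEMP%\\note.txt "
            "https://raw.githubusercontent.com/example-actor/notes/main/note.txt\r\n")
    + b"\x00" * 8 + utf16("svchost.exe")
)

# Constructed stand-in for stock Chaos/Yashma, where the note text is embedded.
SAMPLE_CLASSIC = (
    b"MZ\x90\x00" + b"\x00" * 16
    + utf16("All of your files have been encrypted. Pay in Bitcoin to the address below.")
    + b"\x00" * 8 + utf16("svchost.exe")
)

if __name__ == "__main__":
    for name, blob in (("fetching", SAMPLE_FETCHING_VARIANT), ("classic", SAMPLE_CLASSIC)):
        verdict, hits = triage(blob)
        print(name, "note-fetching variant:", verdict)
        for indicator, matches in hits.items():
            if matches:
                print("  ", indicator, "->", matches)
```

The contrast between the two constructed blobs is the point: a rule that only looks for note text fires on the classic build and misses the fetching variant, while the batch header and GitHub URL give the fetching variant away once UTF-16LE strings are extracted.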
Furthermore, the researchers analyzed the actor's ransom demands. The note requires payment in Bitcoin to a specified wallet address, and the fee doubles if the victim does not pay within three days. The researchers also identified clues pointing to the actor's origin in Vietnam: the contact email address provided in the note contains elements that suggest a Vietnamese origin.
The threat actor maintains a GitHub account under the name “nguyenvietphat,” imitating the name of a legitimate Vietnamese organization. The ransom note instructs victims to make contact during hours that align with Vietnam's time zone, a further indication of the actor's origin. At the time of the researchers' analysis, the operation appeared to be in its early stages: the actor's Bitcoin wallet held no funds, and the note did not specify an amount to be paid. However, the researchers found ransom notes written in English, Bulgarian, Vietnamese, simplified Chinese, and traditional Chinese, suggesting likely future targets.
Beyond the delivery method and the actor's apparent origin, the researchers noted that the ransom note closely resembles the one used in the WannaCry campaign of 2017. The resemblance could be a deliberate diversion intended to mislead investigators and obscure the actor's identity.
Aside from the changes to ransom note delivery, the Yashma variant deployed by this actor has other noteworthy features. It establishes persistence on infected machines by creating a “.url” Internet shortcut in the Startup folder that points to the dropped executable at “%AppData%\Roaming\svchost.exe.” The file name mimics the legitimate Windows service host, which lives under %SystemRoot%\System32; a copy of svchost.exe under a user profile directory is a red flag on its own. This variant also retains Yashma's anti-recovery behaviour: after encrypting a file, it overwrites the original plaintext with a single character before deleting it, so that incident responders and forensic analysts cannot carve the unencrypted content back from disk.
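As an added example (not Cisco Talos code), the script below checks a Startup folder for .url shortcuts of the kind described above. It assumes the dropped shortcut is a standard Internet Shortcut file, that is, an INI-style [InternetShortcut] section with a URL= line pointing at a file:// target; the sample shortcut contents are constructed, not recovered from a real infection.

```python
"""Check Startup-folder .url shortcuts for the persistence artifact described above.

Added example; not Cisco Talos code. It assumes the dropped shortcut is a
standard Internet Shortcut file (an INI-style [InternetShortcut] section with
a URL= line) whose target is a file:// URL. The sample contents are constructed.
"""
import configparser
import ntpath
import re
from pathlib import Path

# The real service host lives under the Windows system directories.
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
# Anything under a user's AppData tree is writable without admin rights.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def parse_url_shortcut(text):
    """Return the URL= target of an Internet Shortcut, or None if absent."""
    # interpolation=None so a literal % (as in %AppData%) does not trip the parser.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def target_to_path(url):
    """Turn a file:// target into a Windows path; other schemes pass through."""
    low = url.lower()
    for prefix in ("file:///", "file://"):
        if low.startswith(prefix):
            return url[len(prefix):].replace("/", "\\")
    return url


def assess_shortcut(text):
    """Flag a shortcut whose target looks like a dropped payload."""
    url = parse_url_shortcut(text)
    if url is None:
        return {"target": None, "flags": ["no URL= entry"]}
    path = target_to_path(url)
    low = path.lower()
    flags = []
    if USER_WRITABLE.search(low):
        flags.append("target in user-writable AppData")
    if ntpath.basename(low) == "svchost.exe" and not any(d in low for d in SYSTEM_DIRS):
        flags.append("svchost.exe outside System32")
    return {"target": path, "flags": flags}


def scan_startup_folder(folder):
    """Assess every .url file in a Startup folder; returns {filename: result}."""
    results = {}
    for item in Path(folder).glob("*.url"):
        results[item.name] = assess_shortcut(item.read_text(errors="replace"))
    return results


# Constructed samples, not recovered from a real infection.
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file:///C:/Users/victim/AppData/Roaming/svchost.exe\r\n"
)
BENIGN_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=https://intranet.example.com/dashboard\r\n"
)

if __name__ == "__main__":
    for label, content in (("suspicious", SUSPICIOUS_URL_FILE), ("benign", BENIGN_URL_FILE)):
        print(label, assess_shortcut(content))
    # On a live host, point scan_startup_folder() at the per-user Startup folder,
    # for example %AppData%\Microsoft\Windows\Start Menu\Programs\Startup.
```

The two checks are independent on purpose: a payload dropped under AppData with any name trips the first, and a file named svchost.exe anywhere outside the system directories trips the second, so renaming the dropped binary or moving it elsewhere in the profile still leaves at least one flag.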
To defend against this actor, and against ransomware generally, organizations can take several measures. Cisco Talos has published indicators of compromise that organizations can use to check their systems for infection. Beyond that, organizations should deploy endpoint protection, web security appliances, and email security; email security matters particularly because many ransomware intrusions begin with phishing or other email-borne attacks. Network firewalls, malware analytics, and secure internet gateways add further layers of protection against ransomware and other malware.
In conclusion, a new threat actor believed to be based in Vietnam has emerged, wielding a modified version of the Yashma ransomware. Its approach to storing and delivering the ransom note, together with its ransom demands and diversion tactics, sets it apart from earlier Yashma builds. Organizations should stay vigilant and implement layered security measures to protect against this evolving threat.