Wednesday, December 18, 2024

Threat Actors Target English-Speaking Countries with Customized Yashma Ransomware


An unidentified threat actor has deployed the Yashma ransomware variant since June 4, 2023, actively targeting English-speaking countries like:

  • Bulgaria
  • China
  • Vietnam

This new variant of Yashma ransomware has reemerged after it was fixed last year following the release of a decryptor.

The operation was recently identified by cybersecurity researchers at Cisco Talos, who linked it, with moderate confidence, to a threat actor that is probably of Vietnamese origin.


Threat Actor’s origin 

Talos assesses with high confidence that the threat actor targets English-speaking countries, based on the ransom notes hosted on the ‘nguyenvietphat’ GitHub account.

Besides this, the English version suggests the actual intent of the threat actor to target various geographic regions.

The GitHub account name and the email contact in the ransom notes mimic Vietnamese organizations, implying the threat actor’s origin. The ransom note specifies a contact time of 7-11 p.m. UTC+7, which aligns with Vietnam's time zone.

Ransom Note Mimics WannaCry Style

The attacker's ransom note mimics WannaCry’s style, and the ransom doubles after three days. For communication, the threat actor provides a Gmail address. The lack of a ransom amount and of Bitcoin details in the note suggests that the operation is at an early stage.

Ransom notes samples (Source – Cisco Talos)

Once systems are encrypted, the victim’s wallpaper changes to a note of encryption. Yashma ransomware is a rebrand of Chaos ransomware from May 2022, and this new variant mostly retains the features of the original ransomware.

WannaCry style ransom encryption screen (Source – Cisco Talos)

The ransom note mimics the style of WannaCry ransomware, potentially aimed at confusing the targets and hiding the identity of the threat actor.

WannaCry style screen (Source – Cisco Talos)

However, the new variant downloads the ransom note from the threat actor’s GitHub repo instead of storing it within the ransomware binary.

This change evades endpoint detection and AV tools that typically spot embedded ransom note strings.

In this variant, the threat actor retains Yashma’s anti-recovery ability. After encryption, the original file's contents are wiped, a single character ‘?’ is written to it, and the file is then deleted, which complicates recovery.
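The wipe-then-delete behaviour described above leaves a recognisable trace in file telemetry. The following detection sketch is an added example, not code from the article or from Cisco Talos; the event schema, process names, thresholds and GitHub host suffixes are assumptions, and the events are constructed.

```python
from collections import defaultdict

# Constructed sample events in a hypothetical, simplified EDR schema (not real telemetry).
def _ev(ts, pid, image, action, path=None, size=None, host=None):
    return {"ts": ts, "pid": pid, "image": image, "action": action,
            "path": path, "size": size, "host": host}

SAMPLE_EVENTS = [
    _ev(1, 410, "sample.exe", "net", host="raw.githubusercontent.com"),
    _ev(2, 410, "sample.exe", "write", r"C:\Users\a\report.docx", 1),
    _ev(3, 410, "sample.exe", "delete", r"C:\Users\a\report.docx"),
    _ev(4, 410, "sample.exe", "write", r"C:\Users\a\photo.jpg", 1),
    _ev(5, 410, "sample.exe", "delete", r"C:\Users\a\photo.jpg"),
    _ev(6, 410, "sample.exe", "write", r"C:\Users\a\budget.xlsx", 1),
    _ev(7, 410, "sample.exe", "delete", r"C:\Users\a\budget.xlsx"),
    _ev(8, 777, "editor.exe", "write", r"C:\Temp\scratch.txt", 1),   # benign one-off
    _ev(9, 777, "editor.exe", "delete", r"C:\Temp\scratch.txt"),
    _ev(10, 900, "git.exe", "net", host="github.com"),               # benign fetch
]

GITHUB_HOSTS = ("github.com", "githubusercontent.com")  # assumed host suffixes

def is_github(host):
    return any(host == h or host.endswith("." + h) for h in GITHUB_HOSTS)

def detect_wipe_then_delete(events, threshold=3, window=5):
    """Flag processes that shrink >= threshold files to 1 byte, then delete each within `window` s."""
    tiny_write = {}              # (pid, path) -> ts of last 1-byte write
    wiped = defaultdict(set)     # pid -> paths wiped and then deleted
    fetched, images = set(), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        pid, key = ev["pid"], (ev["pid"], ev["path"])
        images[pid] = ev["image"]
        if ev["action"] == "net" and is_github(ev["host"]):
            fetched.add(pid)     # context only: a GitHub fetch alone is not suspicious
        elif ev["action"] == "write":
            if ev["size"] == 1:
                tiny_write[key] = ev["ts"]
            else:
                tiny_write.pop(key, None)   # a normal write resets the pattern
        elif ev["action"] == "delete":
            ts = tiny_write.pop(key, None)
            if ts is not None and ev["ts"] - ts <= window:
                wiped[pid].add(ev["path"])
    return {pid: {"image": images[pid], "wiped": sorted(paths),
                  "github_fetch": pid in fetched}
            for pid, paths in wiped.items() if len(paths) >= threshold}

if __name__ == "__main__":
    for pid, finding in detect_wipe_then_delete(SAMPLE_EVENTS).items():
        print(pid, finding)
```

The GitHub fetch is recorded only as enrichment on a process already flagged for the wipe pattern, since developer tools contact GitHub routinely.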

Moreover, researchers have observed a significant surge in the emergence of various ransomware strains.


Tushar Subhra