An unknown threat actor, believed to be operating out of Vietnam, has been identified carrying out a ransomware campaign using a variant of the Yashma ransomware that bears similarities to the infamous WannaCry ransomware. This campaign was first detected on or before June 4 and has caught the attention of cybersecurity experts at Cisco Talos.
In its advisory, Cisco Talos describes an unusual way of delivering the ransom note. Rather than embedding the note in the malware binary, the ransomware runs a batch file that downloads the note from a GitHub repository the actor controls. Because the note's text never appears in the binary, static detections that key on ransom-note strings do not fire, which makes the sample harder for traditional endpoint security to flag and classify.
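The behaviour above (a batch script spawning a downloader that pulls a text note from GitHub and writes it to disk) is something a detection engineer would hunt for in process-creation telemetry. The following Python is an added example, not code from the Talos advisory or from the campaign's tooling: it runs a simple hunt over constructed Sysmon-style process events. The downloader list, the GitHub URL patterns, the file-extension heuristic and the account/repo names in the sample events are all assumptions made for illustration, and the real batch file's exact commands are not described on this page.

```python
"""Hunt for a batch-launched downloader fetching a text note from GitHub (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed patterns: GitHub raw-content URLs, common living-off-the-land
# downloaders, note-like artefacts, and batch scripts on a cmd.exe command line.
GITHUB_RAW = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com/[^/\s]+/[^/\s]+/raw)/\S+", re.I
)
DOWNLOADERS = re.compile(
    r"(?:^|[\\/])(?:curl|certutil|bitsadmin|powershell|pwsh)(?:\.exe)?$", re.I
)
NOTE_ARTEFACT = re.compile(r"\.(?:txt|html?|hta)\b", re.I)
BATCH_SCRIPT = re.compile(r"\.(?:bat|cmd)\b", re.I)


@dataclass
class ProcEvent:
    """Minimal Sysmon event-ID-1-style process-creation record (constructed)."""
    pid: int
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


def parent_is_batch(ev: ProcEvent) -> bool:
    """True when the parent is cmd.exe launched with a .bat/.cmd script."""
    return ev.parent_image.lower().endswith("cmd.exe") and bool(
        BATCH_SCRIPT.search(ev.parent_cmdline)
    )


def note_url(ev: ProcEvent) -> Optional[str]:
    """Return the GitHub raw URL on the command line, if any, for IOC pivoting."""
    m = GITHUB_RAW.search(ev.cmdline)
    return m.group(0) if m else None


def is_note_fetch(ev: ProcEvent) -> bool:
    """Batch-launched downloader pulling a text/HTML artefact from GitHub."""
    return (
        parent_is_batch(ev)
        and bool(DOWNLOADERS.search(ev.image))
        and note_url(ev) is not None
        and bool(NOTE_ARTEFACT.search(ev.cmdline))
    )


def hunt(events: List[ProcEvent]) -> List[ProcEvent]:
    """Return the events matching the note-fetch pattern."""
    return [ev for ev in events if is_note_fetch(ev)]


# Constructed sample telemetry; "acct", "repo" and "tool" are placeholder names.
SAMPLE_EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Public\note.bat"',
              r"C:\Windows\System32\curl.exe",
              r"curl.exe -s -o C:\Users\Public\README.txt https://raw.githubusercontent.com/acct/repo/main/README.txt"),
    # Benign: an interactive PowerShell fetching an install script, no batch parent.
    ProcEvent(2, r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -c "Invoke-WebRequest https://raw.githubusercontent.com/acct/tool/main/install.ps1 -OutFile install.ps1"'),
    # Benign: a build script downloading an archive from a non-GitHub host.
    ProcEvent(3, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "D:\src\build.bat"',
              r"C:\Windows\System32\curl.exe",
              r"curl.exe -sL -o deps.zip https://example.com/deps.zip"),
    ProcEvent(4, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\ProgramData\run.cmd"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -NoP -w hidden -c "Invoke-WebRequest https://raw.githubusercontent.com/acct/repo/main/read_it.txt -OutFile $env:PUBLIC\read_it.txt"'),
]


if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: {ev.image} fetched {note_url(ev)}")
```

The heuristic deliberately requires all three elements (batch parent, downloader child, GitHub raw URL ending in a note-like file) so that ordinary build scripts and interactive PowerShell sessions do not trip it; in production you would also join on the subsequent file-create event for the note and on the process that launched the batch file.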
The analysis conducted by Talos suggests that the threat actor is targeting English-speaking countries, Bulgaria, China, and Vietnam. The GitHub account associated with the attacker contains ransom notes in languages commonly spoken in these regions. Additionally, there are clues that point to the threat actor being of Vietnamese origin. The details used in the GitHub account’s name and email mimic those of a legitimate Vietnamese organization, and the ransom note specifies contact hours in UTC+7, which aligns with Vietnam’s time zone.
Interestingly, the attackers seem to show a level of empathy towards Vietnamese victims, starting their ransom note with an apologetic tone. This linguistic nuance could indicate that the threat actors themselves are Vietnamese.
The ransomware used in this campaign is a modified build of Yashma that the threat actor compiled on June 4, 2023. The .NET-based malware retains Yashma's anti-recovery behaviour: after encrypting a file it deletes the original, unencrypted copy, so victims cannot simply recover the originals from disk.
The ransom note demands payment in Bitcoin to a specified wallet address and threatens to double the amount if the victim does not pay within three days. As of the report, no transactions had been observed on that wallet, and the note does not state an exact ransom amount, which suggests the campaign is still in its early stages.
Indicators of compromise (IOCs) for this threat are published in Cisco Talos' GitHub repository. Stay vigilant and watch for updates on this evolving ransomware campaign.