An unidentified threat actor, reportedly originating from Vietnam, has been observed engaging in a ransomware campaign that commenced no later than June 4 and employing a variant of the Yashma ransomware, showcasing similarities to the infamous WannaCry ransomware.
According to a new advisory published by Cisco Talos on Monday, what sets this operation apart is the novel approach to delivering ransom notes.
Instead of embedding ransom note strings within the malware binary, the attackers execute a batch file to retrieve the ransom note from their GitHub repository. This tactic provides a level of evasion against traditional endpoint security measures.
Talos’ analysis also indicated that the threat actor appears to target English-speaking countries, Bulgaria, China and Vietnam. The GitHub account linked to the attacker features ransom notes in languages associated with these regions.
Furthermore, clues suggest a Vietnamese origin for the threat actor. The GitHub account’s name and email contact mimic a legitimate Vietnamese organization’s details, and the ransom note specifies contact hours in UTC+7, coinciding with Vietnam’s time zone.
The attackers also exhibited a heightened sensitivity towards Vietnamese victims, initiating their ransom note with an apologetic tone. This subtle linguistic variation might point to the attackers being Vietnamese.
The ransomware variant employed is a customized version of Yashma, with the actor compiling it on June 4, 2023. This .NET-based malware retains Yashma’s anti-recovery capability, erasing unencrypted files after encryption to impede recovery efforts.
Read more on Yashma: Emsisoft Releases Free Decryptor For AstraLocker and Yashma Ransomware
At present, the attackers demand ransom payments in Bitcoin to an identified wallet address and double the ransomware price if the victim fails to pay within three days.
However, no Bitcoin have been observed in the wallet yet, and the ransom amount remains unspecified, possibly indicating the campaign’s early stages.
Indicators of Compromise (IoC) associated with this threat can be found on Cisco Talos’ GitHub repository.