Multiple English-Speaking Countries Are the Targets of a New Yashma Ransomware Variant

August 22, 2023

Around June 4, 2023, an unidentified threat actor has been targeting different companies in English-speaking nations, Bulgaria, China, and Vietnam with a variation of the Yashma ransomware.

In a recent report, Cisco Talos traced the operation to a foe who was probably of Vietnamese descent with a reasonable degree of confidence.

Security expert Chetan Raghuprasad stated that “the threat actor uses an unusual technique to deliver the ransom note. Instead of including the ransom letter strings in the malware, they use an embedded batch file to retrieve it from the actor-controlled GitHub repository.”

Yashma is a renamed variant of another ransomware outbreak called Chaos. It was initially identified by the BlackBerry research and intelligence team in May 2022. The Chaos ransomware creator leaked in the wild a month before it appeared.

How the Ransomware Works?

The new Yashma ransomware works by first gaining access to a victim’s computer through a vulnerability in outdated software or through a phishing attack. Once the ransomware is on the victim’s computer, it encrypts all of the files on the computer using a strong encryption algorithm. The ransomware then displays a ransom note demanding a payment of 0.1 Bitcoin (BTC) in exchange for the decryption key.

The ransom note is delivered in a unique way. Instead of embedding the ransom note strings in the binary, the threat actor downloads the ransom note from the actor-controlled GitHub repository. This technique is designed to evade traditional detection methods that identify embedded ransom notes within the binary.

The ransomware also employs anti-recovery tactics, overwriting original unencrypted files with a single character ‘?’ and then deleting them. This makes it very difficult to recover files without paying the ransom.

Remediations:

Update your programme frequently.
Make use of multi-factor authentication and secure passwords.
Maintain frequent data backups.
Recognize the indicators of a ransomware assault.
If you think that you have been infected with ransomware, disconnect from the internet.
Get help from a security company.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Multiple English-Speaking Countries Are the Targets of a New Yashma Ransomware Variant

Security Team

Related Posts

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign

Our Offices

Corporate Office (HO):

UK Office:

Registered Office (Delhi):

Noida Office:

Phone:

Email

Click To Download

Download CyberSRC Services & Portfolio & Datasheets

Download Case Studies

Download Company Brochure