Multiple English-Speaking Countries Are the Targets of a New Yashma Ransomware Variant

Since around June 4, 2023, an unidentified threat actor has been targeting companies in English-speaking nations, Bulgaria, China, and Vietnam with a variant of the Yashma ransomware.

In a recent report, Cisco Talos attributed the operation, with a reasonable degree of confidence, to an adversary who is probably of Vietnamese origin.

Security expert Chetan Raghuprasad stated that “the threat actor uses an unusual technique to deliver the ransom note. Instead of including the ransom letter strings in the malware, they use an embedded batch file to retrieve it from the actor-controlled GitHub repository.”

Yashma is a rebranded variant of another ransomware family, Chaos. It was first identified by the BlackBerry research and intelligence team in May 2022, a month after the Chaos ransomware builder was leaked in the wild.


How the Ransomware Works

The new Yashma ransomware works by first gaining access to a victim’s computer through a vulnerability in outdated software or through a phishing attack. Once the ransomware is on the victim’s computer, it encrypts all of the files on the computer using a strong encryption algorithm. The ransomware then displays a ransom note demanding a payment of 0.1 Bitcoin (BTC) in exchange for the decryption key.

The ransom note is delivered in an unusual way. Instead of embedding the ransom note strings in the binary, the malware carries an embedded batch file that downloads the note from an actor-controlled GitHub repository. This is designed to evade traditional detection methods that look for ransom note strings embedded within the binary.

The ransomware also employs anti-recovery tactics, overwriting original unencrypted files with a single character ‘?’ and then deleting them. This makes it very difficult to recover files without paying the ransom.
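The two behaviours described above (a batch file fetching the ransom note from GitHub, and files being overwritten with a single character before deletion) are both visible in endpoint telemetry. The following is an added example, not code from the Cisco Talos report or from the malware, showing how a defender could flag both patterns over process-creation and file events. The event format, the assumption that the batch file uses a common download utility, the PID values, the placeholder GitHub repository name and the thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    """Constructed endpoint telemetry record (assumed schema, not a real EDR format)."""
    ts: float
    kind: str          # "process", "file_write" or "file_delete"
    pid: int
    path: str = ""     # file path for file events
    size: int = 0      # bytes written for file_write events
    cmdline: str = ""  # command line for process events


# Rule 1: a download utility reaching out to GitHub. The page only says an
# embedded batch file retrieves the note from an actor-controlled repository,
# so the choice of utilities here is an assumption for the demo.
GITHUB_FETCH = re.compile(
    r"(?i)\b(curl|wget|certutil|bitsadmin|powershell)\b.*"
    r"https?://(raw\.githubusercontent\.com|github\.com)/\S+"
)


def flag_github_fetch(events):
    """Return process events whose command line fetches content from GitHub."""
    return [e for e in events if e.kind == "process" and GITHUB_FETCH.search(e.cmdline)]


def flag_wipe_then_delete(events, window=5.0, min_files=10):
    """Return {pid: [paths]} for processes that wrote a single byte to many
    files and deleted each one within `window` seconds (the anti-recovery
    pattern: overwrite with '?' and then delete)."""
    pending = {}              # (pid, path) -> timestamp of single-byte write
    hits = defaultdict(set)   # pid -> paths that were wiped then deleted
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.pid, e.path)
        if e.kind == "file_write" and e.size == 1:
            pending[key] = e.ts
        elif e.kind == "file_delete":
            written_at = pending.pop(key, None)
            if written_at is not None and e.ts - written_at <= window:
                hits[e.pid].add(e.path)
    return {pid: sorted(paths) for pid, paths in hits.items() if len(paths) >= min_files}


def run_detection(events):
    """Run both rules and return the offending PIDs per rule."""
    return {
        "github_note_fetch": [e.pid for e in flag_github_fetch(events)],
        "wipe_then_delete": flag_wipe_then_delete(events),
    }


def build_sample_events():
    """Constructed sample telemetry (not real logs from the report)."""
    evs = [
        # Benign download with no GitHub URL: must not trigger rule 1.
        Event(1.0, "process", 100,
              cmdline="curl.exe -o update.json https://example.invalid/update.json"),
        # Child of the embedded batch file fetching the note from a placeholder repo (rule 1).
        Event(2.0, "process", 4242,
              cmdline="curl.exe -o C:\\Users\\Public\\note.txt "
                      "https://raw.githubusercontent.com/PLACEHOLDER-ACTOR/PLACEHOLDER-REPO/main/note.txt"),
        # One scratch file overwritten and removed by a normal program: below threshold.
        Event(3.0, "file_write", 100, path="C:\\tmp\\scratch.txt", size=1),
        Event(3.5, "file_delete", 100, path="C:\\tmp\\scratch.txt"),
    ]
    # Twelve documents wiped with a single byte and deleted half a second later (rule 2).
    for i in range(12):
        p = f"C:\\Users\\alice\\Documents\\report{i}.docx"
        evs.append(Event(10.0 + i, "file_write", 4242, path=p, size=1))
        evs.append(Event(10.5 + i, "file_delete", 4242, path=p))
    return evs


if __name__ == "__main__":
    print(run_detection(build_sample_events()))
```

On the constructed sample, only PID 4242 is reported by both rules; the benign download and the single scratch-file overwrite stay below threshold. In production the window and file-count thresholds would be tuned against the environment's baseline, and the single-byte write check would be widened if the EDR reports write sizes only in blocks.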

Remediations:

  • Update your software frequently.
  • Use multi-factor authentication and strong passwords.
  • Maintain frequent data backups.
  • Recognize the indicators of a ransomware attack.
  • If you think you have been infected with ransomware, disconnect from the internet.
  • Get help from a security company.