Custom Yashma Ransomware Crashes Into the Scene

Published: 23/11/2024 | Category: security




The threat actor is targeting organizations in Bulgaria, China, Vietnam, and various English-speaking nations.



A new threat actor that appears to be of Vietnamese origin has emerged wielding a custom version of the Yashma ransomware that's poised to hit targets in various English-speaking countries, Bulgaria, China, and Vietnam.
Researchers from Cisco Talos discovered the as-yet-unknown actor deploying a variant of Yashma in a campaign, characterized by uniquely evasive ways to store and deliver its ransom note, that they believe began in early June, they revealed in a blog post published Aug. 7.
Yashma is a 32-bit executable written in .NET and a rebranded version of Chaos ransomware version 5. The variant deployed by the new actor maintains most of its original features, with the exception of a few notable modifications, one of which is a new way to store and deliver the ransom note, the researchers said. The note also has shades of the one used by the notorious WannaCry ransomware.
"Usually, ransomware stores the ransom note text as strings in the binary," Chetan Raghuprasad, a Cisco Talos cybersecurity researcher, wrote in the post. "However, this variant of Yashma executes an embedded batch file, which has the commands to download the ransom note from the actor-controlled GitHub repository."
This technique evades endpoint detection solutions and antivirus software, which typically detect embedded ransom note strings in the binary.
Further, the actor demands the ransom payment in Bitcoin to a wallet address, and the fee is doubled if the victim fails to pay within three days, according to the researchers' analysis. Victims also can contact the actor at [email protected], one of several clues that point to the actor's origin as Vietnam.
The actor maintains a GitHub account as nguyenvietphat, which spoofs a legitimate Vietnamese organization's name, and the note asks victims to contact them during a time that's convenient for Vietnam's time zone.
At the time of the researchers' analysis, the ransomware operation seemed to be in its early stages, as there was no Bitcoin in the wallet and the note didn't specify an amount to be paid. However, the researchers found ransom notes written in English, Bulgarian, Vietnamese, simplified Chinese, and traditional Chinese in the actor's GitHub files, which indicates potential future targets.
Further, the ransom note text resembles the one used in the massive WannaCry ransomware campaign of 2017, potentially to hide the identity of the threat actor and throw investigators off the trail, the researchers said.
Yashma first surfaced in May 2022 as a full-fledged ransomware module in the Chaos malware-builder, which itself emerged as a wiper from the criminal underground before morphing into a Swiss Army knife for hackers. Aside from how it presents its ransom note, the variant also has a few other differences from the principal version of Yashma.
One modification is how it establishes persistence on a machine. Earlier versions of Yashma ransomware established persistence through the Run registry key and by dropping a Windows shortcut file pointing to the ransomware executable path in the startup folder. The variant also does the former, but then creates a .url bookmark file in the startup folder that points to the dropped executable located at %AppData%\Roaming\svchost.exe, the researchers noted.
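A defender's check for the persistence mechanism just described, added here as an example and not code from the article or from Talos: it parses .url bookmark files from a Startup folder and flags any whose target is an executable under a user profile, or that reuses a System32 binary name such as svchost.exe from any other location. The sample .url contents, the intranet bookmark, and the list of masqueraded binary names are constructed for illustration.

```python
import configparser
import os
from typing import List, Optional, Tuple

# Constructed sample .url bookmark files (INI format) as a Windows Startup folder
# holds them; the first mirrors the target path the article reports for this variant.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/victim/AppData/Roaming/svchost.exe
"""
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://intranet.example.internal/portal
"""

# Windows binaries that legitimately live only under System32/SysWOW64;
# one of these names under a user profile is a masquerading red flag.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
EXECUTABLE_EXTS = (".exe", ".bat", ".cmd", ".vbs", ".ps1", ".scr")

def parse_url_target(text: str) -> Optional[str]:
    """Return the URL= target of a .url file, or None if it has none."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)

def is_suspicious_target(target: str) -> bool:
    """True if the target launches an executable out of a user profile, or
    reuses a System32 binary name from any other location."""
    t = target.strip()
    if t.lower().startswith("file:"):
        t = t[len("file:"):].lstrip("/")
    path = t.replace("/", "\\").lower()
    if not path.endswith(EXECUTABLE_EXTS):
        return False
    in_profile = any(m in path for m in ("%appdata%", "\\appdata\\", "\\users\\"))
    name = path.rsplit("\\", 1)[-1]
    masquerade = name in SYSTEM_BINARY_NAMES and "\\system32\\" not in path
    return in_profile or masquerade

def scan_startup_folder(folder: str) -> List[Tuple[str, str]]:
    """Return (filename, target) for each suspicious .url file in a Startup folder."""
    hits = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".url"):
            continue
        with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
            target = parse_url_target(fh.read())
        if target and is_suspicious_target(target):
            hits.append((name, target))
    return hits
```

On a live host, point `scan_startup_folder` at the per-user and all-users Startup folders and pair the result with a review of the Run key entries the article also mentions.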
The variant also is notable for what it maintains from the original code, namely Yashma's anti-recovery capability: once it encrypts files, it wipes the contents of the original unencrypted files, writes just one character, "?", and then deletes the file, Raghuprasad said.
This technique makes it more challenging for incident responders and forensic analysts to recover the deleted files from the victims hard drive, he wrote in the post.
The researchers included a link to indicators of compromise so organizations can check their systems to see if they've been affected.
Organizations also can secure their networks from ransomware by using various secure endpoint, web appliance, and email solutions, the last of which are particularly important as ransomware often enters an enterprise system via a phishing or email-based attack.
Network firewalls, malware analytics, and secure Internet gateways that block users from connecting to malicious elements can also help protect organizations from ransomware and other types of malware.
