Custom Yashma Ransomware Crashes Into the Scene

A new threat actor that appears to be of Vietnamese origin has emerged wielding a custom version of the Yashma ransomware that's poised to hit targets in various English-speaking countries, Bulgaria, China, and Vietnam.

Researchers from Cisco Talos discovered the as-yet-unknown actor deploying a variant of Yashma in a campaign characterized by uniquely evasive ways to store and deliver its ransom note that they believe began in early June, they revealed in a blog post published Aug. 7.

Yashma is a 32-bit executable written in .NET and a rebranded version of Chaos ransomware version 5. The variant deployed by the new actor maintains most of its original features, with the exception of a few notable modifications, one of which is a new way to store and deliver the ransom note, the researchers said. The note also has shades of the one used by the notorious WannaCry ransomware.

"Usually, ransomware stores the ransom note text as strings in the binary," Chetan Raghuprasad, a Cisco Talos cybersecurity researcher, wrote in the post. "However, this variant of Yashma executes an embedded batch file, which has the commands to download the ransom note from the actor-controlled GitHub repository."

This technique evades endpoint detection solutions and antivirus software, which typically detect embedded ransom note strings in the binary.

Further, the actor demands the ransom payment in Bitcoins to a wallet address and the fee is doubled if the victim fails to pay within three days, according to the researchers' analysis. Victims also can contact the actor at "[email protected]," one of several clues that point to the actor's origin as Vietnam.

The actor maintains a GitHub account as "nguyenvietphat," which spoofs a legitimate Vietnamese organization's name, and the note asks victims to contact them during a time that's convenient for Vietnam's time zone.

At the time of the researchers' analysis, the ransomware operation seems to be in its early stages, as there was no Bitcoin in the wallet and the note didn't specify an amount to be paid. However, the researchers found ransom notes written in English, Bulgarian, Vietnamese, simplified Chinese, and traditional Chinese in the actor's GitHub files, which indicates potential future targets.

Further, the ransom note text resembles the one used in the massive WannaCry ransomware campaign of 2017, potentially to hide the identity of the threat actor and throw investigators off the trail, the researchers said.

What's in, What's Out

Yashma first surfaced in May 2022 as a full-fledged ransomware module in the Chaos malware-builder, which itself emerged as a wiper from the criminal underground before morphing into a Swiss Army knife for hackers. Aside from how it presents its ransom note, the variant also has a few other differences to the principal version of Yashma.

One modification is how it establishes persistence on a machine. Earlier versions of Yashma ransomware established persistence in the Run registry key and by dropping a Windows shortcut file pointing to the ransomware executable path in the startup folder. The variant also does the former but then creates a ".url" bookmark file in the startup folder that points to the dropped executable located at "%AppData%\Roaming\svchost.exe," the researchers noted.

The variant also is notable for what it maintains from the original code, which is Yashma's anti-recovery capability that once it encrypts files, wipes the contents of the original unencrypted files, writes just one character — “?" — and then deletes the file, Raghuprasad said.

"This technique makes it more challenging for incident responders and forensic analysts to recover the deleted files from the victim's hard drive," he wrote in the post.

Defense Strategies

The researchers included a link to indicators of compromise so organizations can check their systems to see if they've been affected.

Organizations also can secure their networks from ransomware by using various secure endpoint, web appliance, and email solutions, the last of which are particularly important as ransomware often enters an enterprise system via a phishing or email based attack.

Network firewalls, malware analytics, and secure Internet gateways that block users from connecting to malicious elements can also help protect organizations from ransomware and other types of malware.