A new strain of ransomware has emerged as a concerning cyber threat, with researchers identifying its targets spanning China, Vietnam, Bulgaria, and English-speaking countries. Cisco Talos experts recently uncovered this strain, attributing its origin to Vietnam due to distinctive clues such as the threat actor’s GitHub account and communication schedule, which aligns with Vietnam’s time zone.
This malware is an evolved version of the Yashma ransomware, previously thought to be inactive since the release of a decryptor last year. The attacker’s ransom note mirrors that of the infamous WannaCry, potentially indicating a resurgence of such high-profile attacks.
In a marked departure from traditional ransomware deployment methods, this new variant utilizes a threat actor-controlled GitHub repository to distribute its ransom notes, effectively evading common detection mechanisms.
Furthermore, it retains Yashma’s formidable anti-recovery capabilities, which involve wiping and altering encrypted files to hinder recovery efforts by incident responders and forensic analysts. The sophistication of this ransomware is evidenced by its targeting of multiple language groups, suggesting a broad geographical focus. With the ransom amount doubling after three days and a Gmail address provided for communication, experts speculate that this operation might still be in its early stages.
Security researchers have been tracking a surge in ransomware strains in recent times, fueled primarily by the adoption of Ransomware-as-a-Service (RaaS). However, a substantial portion of these newly identified strains are found to be mere variations of previously known versions.
