Chris Swagler | August 24th, 2023

Yashma ransomware

In a disconcerting development, an unidentified threat actor has released a new variant of the Yashma ransomware that targets entities in English-speaking countries, Bulgaria, China, and Vietnam. The campaign, active since June 4, 2023, has drawn attention for its unusual delivery method and possible ties to a Vietnamese adversary, according to Cisco Talos, a respected cybersecurity research group. Rather than carrying the ransom note inside the binary, the malware executes an embedded batch file that fetches the note from a GitHub repository the attacker controls. This departure from the usual approach complicates detection and underscores how quickly ransomware tactics continue to evolve.

This new Yashma variant uses an unconventional technique to deliver its ransom note. Instead of embedding the note in the binary, the operators rely on an embedded batch file to retrieve it from a GitHub repository under their control. Security researcher Chetan Raghuprasad has highlighted this distinctive approach, noting the resourcefulness these operators display.

Security analysts who have studied the campaign attribute it with moderate confidence to an adversary of likely Vietnamese origin. The choice of tactics suggests a level of sophistication beyond typical ransomware deployments: rather than compiling the ransom note strings into the malware binary, the threat actor sources the note dynamically from a GitHub repository. This sidesteps conventional detection mechanisms that look for embedded ransom-note text within binaries.
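Because the note is no longer in the binary, a static string check will miss it, but the behaviour itself (a process from an untrusted location running a batch file whose descendants reach GitHub) is observable in endpoint telemetry. The following Python is an added illustration of that correlation; it is not code from the Talos report or from SpearTip, and the event lines, host name, file names and repository path are constructed placeholders.

```python
import re
from typing import Dict, List

# Hosts the batch file would have to contact to pull a note from GitHub.
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}
# Parent images under these directories are treated as benign (e.g. a legitimate git.exe).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed telemetry in a Sysmon-like key=value form (not a real capture; the
# paths, file names and repository path are placeholders, not indicators).
SAMPLE_EVENTS = [
    'ts=1 host=WS01 event=ProcessCreate pid=100 ppid=1 image="C:\\Users\\u\\Downloads\\invoice.exe" cmdline="invoice.exe"',
    'ts=2 host=WS01 event=ProcessCreate pid=101 ppid=100 image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\note.bat"',
    'ts=3 host=WS01 event=ProcessCreate pid=102 ppid=101 image="C:\\Windows\\System32\\curl.exe" cmdline="curl.exe -s https://raw.githubusercontent.com/PLACEHOLDER/note.txt"',
    'ts=4 host=WS01 event=NetworkConnect pid=102 dest=raw.githubusercontent.com port=443',
    'ts=5 host=WS01 event=ProcessCreate pid=200 ppid=1 image="C:\\Program Files\\Git\\cmd\\git.exe" cmdline="git.exe fetch"',
    'ts=6 host=WS01 event=NetworkConnect pid=200 dest=github.com port=443',
]

KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV.finditer(line)}

def find_github_fetch_via_batch(lines: List[str]) -> List[dict]:
    """Flag GitHub connections whose process ancestry includes cmd.exe running a
    .bat that was itself launched by a binary outside the trusted directories."""
    procs: Dict[str, dict] = {}
    alerts: List[dict] = []
    for ev in map(parse, lines):
        if ev.get("event") == "ProcessCreate":
            procs[ev["pid"]] = ev
        elif ev.get("event") == "NetworkConnect" and ev.get("dest", "").lower() in GITHUB_HOSTS:
            pid = ev["pid"]
            while pid in procs:                      # walk up the process tree
                p = procs[pid]
                if p["image"].lower().endswith("\\cmd.exe") and ".bat" in p.get("cmdline", "").lower():
                    parent = procs.get(p["ppid"], {})  # unknown parent is treated as untrusted
                    if not parent.get("image", "").lower().startswith(TRUSTED_DIRS):
                        alerts.append({"host": ev["host"], "ts": ev["ts"], "dest": ev["dest"],
                                       "batch_cmd": p["cmdline"], "parent": parent.get("image", "?")})
                    break
                pid = p["ppid"]
    return alerts

if __name__ == "__main__":
    for alert in find_github_fetch_via_batch(SAMPLE_EVENTS):
        print(alert)
```

The legitimate git.exe fetch in the sample is not flagged because no batch file sits in its ancestry, while the Downloads-spawned cmd.exe chain is.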

Yashma originated as a rebranded version of the Chaos ransomware strain and was first brought to light by a research and intelligence team in May 2022. The Chaos ransomware builder had surfaced a month earlier, potentially contributing to Yashma's emergence. The case illustrates the danger posed by leaked ransomware source code and builders, which have enabled the proliferation of variants and, in turn, a rise in attacks.

Notably, the ransom note used by this Yashma variant bears a striking resemblance to that of the infamous WannaCry ransomware. The resemblance appears deliberate, intended to obscure the threat actor's identity and complicate attribution. While the note provides a wallet address for payment, it omits any mention of the demanded amount, a choice that seems calculated to maximize the victim's confusion and insecurity.

This development coincides with a sharp surge in ransomware attacks. Malwarebytes has recorded 1,900 incidents within the past year across the U.S., Germany, France, and the U.K. The driving force behind this wave is the Cl0p group, which has exploited zero-day vulnerabilities to scale its attacks. Related findings corroborate the trend, showing a 143% increase in ransomware victims in the first quarter of 2023 compared with the previous year, propelled by the exploitation of zero-day and one-day security flaws.

In this rapidly evolving threat landscape, the tactics employed by cybercriminals are becoming more sophisticated. Trend Micro recently exposed a ransomware campaign by the TargetCompany group (also tracked as Mallox or Xollam), which uses a hard-to-detect obfuscator engine named BatCloak to deliver remote access trojans such as Remcos RAT to vulnerable systems. This lets the attackers maintain a covert presence on compromised networks and blunts traditional defenses, raising ransomware operations to a new level of stealth. As these attackers refine their methods, the cybersecurity community must remain vigilant and proactive to counter the escalating threat.

The rise of customized ransomware variants produced with user-friendly builders, the evolution of established ransomware groups, and the use of advanced obfuscation techniques all highlight the need for stronger security measures. The new Yashma variant marks a troubling escalation: its unconventional delivery method and deliberate note design show how dynamic these threats are. Combined with the growing exploitation of zero-day vulnerabilities, these developments pose serious challenges to security professionals and organizations. As ransomware evolves, proactive defense, threat intelligence sharing, and international collaboration remain critical to countering it.

At SpearTip, our certified engineers work continuously at our 24/7/365 Security Operations Center, monitoring companies' data networks for potential ransomware threats. Our remediation team works to restore companies' operations, isolate malware, reclaim their networks, and recover business-critical assets. Our ShadowSpear Platform, an integrable managed detection and response tool, exposes sophisticated unknown and advanced threats with comprehensive insights through unparalleled data normalization and visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
