Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware

Researchers believe a new strain of ransomware is being used to target organizations in China, Vietnam, Bulgaria and several English-speaking countries.

Experts from Cisco Talos said on Monday that they have discovered a previously unknown threat actor – allegedly from Vietnam – conducting attacks that started as early as June 4.

The malware is a variant of the Yashma ransomware – a strain that has been largely defunct since a decryptor was released last year.

“Talos assesses with high confidence that this threat actor is targeting victims in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s GitHub account, ‘nguyenvietphat,’ has ransomware notes written in these countries’ languages. The presence of an English version could indicate the actor intends to target a wide range of geographic areas,” the researchers said in a report.

“The threat actor may be of Vietnamese origin because their GitHub account name and email contact on the ransomware notes spoofs a legitimate Vietnamese organization’s name. The ransom note also asks victims to contact them between 7 and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone.”

The attacker’s ransom note mimics that of WannaCry, which caused global outcry in 2017 after several headline-grabbing attacks. Versions of the ransom note come in English, Bulgarian, Vietnamese and Chinese.

The ransom amount doubles if victims do not pay within three days, and the gang provides a Gmail address for victims to communicate with them. No ransom amount was listed, and the Bitcoin wallet shared in the note holds no funds, indicating that the operation “might still be in a nascent stage.”

After victim systems are encrypted, the victim’s wallpaper is changed to a note claiming all files have been encrypted.

Cisco Talos noted that Yashma, which first appeared in May 2022, is itself a rebranded version of the Chaos ransomware. Drawing on an in-depth investigation of Yashma’s features by security researchers at BlackBerry last year, Cisco Talos said the new variant keeps most of the original ransomware intact.

One change did stand out to Cisco Talos. Instead of storing the ransom note in the ransomware, this new variant downloads the ransom note from a threat actor-controlled GitHub repository.

“This modification evades endpoint detection solutions and anti-virus software, which usually detect embedded ransom note strings in the binary,” the researchers said.

“One notable feature the threat actor chose to keep in this variant is Yashma’s anti-recovery capability. After encrypting a file, the ransomware wipes the contents of the original unencrypted files, writes a single character ‘?’ and then deletes the file. This technique makes it more challenging for incident responders and forensic analysts to recover the deleted files from the victim’s hard drive.”
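The overwrite-then-delete sequence described above leaves a short-lived artifact: between the wipe and the deletion, the original file is a one-byte file containing only “?”. The following is an added defender-side example, not code from Cisco Talos or from the malware, showing a forensic triage scan that flags such stubs as an indicator of encryption in progress. It assumes only what the report states (a single “?” character is written before deletion) and that the character is stored as one ASCII byte; the directory layout and file names it scans are constructed for the demonstration.

```python
"""Triage scan for the Yashma-style '?' wipe stub (added example, not Talos code).

Assumption from the report: after encrypting a file, the ransomware overwrites
the original with a single '?' and then deletes it. While the stub still
exists it is exactly one byte long, which is a cheap, high-signal indicator
that encryption is under way. After deletion, file carving recovers the '?'
rather than the original content, which is why recovery fails.
"""
import tempfile
from pathlib import Path

# Assumed encoding of the marker: one ASCII byte (0x3F).
WIPE_MARKER = b"?"


def is_wipe_stub(path: Path) -> bool:
    """True if the file is exactly one byte long and that byte is '?'."""
    try:
        if not path.is_file() or path.stat().st_size != 1:
            return False
        with path.open("rb") as fh:
            return fh.read(1) == WIPE_MARKER
    except OSError:
        # The file vanished between listing and reading, which is what the
        # overwrite-then-delete sequence looks like; nothing left to inspect.
        return False


def find_wipe_stubs(root) -> list:
    """Walk a tree and return the sorted paths of '?' stubs still on disk."""
    return sorted(str(p) for p in Path(root).rglob("*") if is_wipe_stub(p))


def triage(root) -> dict:
    """Summarise the scan so a responder can decide whether to isolate the host."""
    stubs = find_wipe_stubs(root)
    return {
        "stub_count": len(stubs),
        "stubs": stubs,
        "encryption_in_progress": bool(stubs),
    }


def build_constructed_sample(root) -> None:
    """Create a fabricated directory for the demo; none of this is victim data."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx").write_bytes(b"PK\x03\x04 ordinary document content")
    (docs / "budget.xlsx").write_bytes(WIPE_MARKER)   # wiped but not yet deleted
    (docs / "empty.txt").write_bytes(b"")              # zero bytes: not a stub
    (docs / "two_marks.txt").write_bytes(b"??")        # two bytes: not a stub
    (docs / "other.bin").write_bytes(b"x")             # one byte, wrong value


def run_demo() -> dict:
    """Build the constructed sample in a temp dir, scan it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(run_demo())
```

Because the stub exists only for the instant between the overwrite and the unlink, a one-off scan like this is mainly useful on a live host or a disk image captured mid-incident; for continuous detection the same `is_wipe_stub` check belongs in a file-system event monitor that fires on the write, and a single hit on user documents is already worth an alert.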

Several organizations tracking ransomware attacks have noted that there has been a massive increase in the number of strains emerging.

FortiGuard Labs said on Monday that it has “documented substantial spikes in ransomware variant growth in recent years, largely fueled by the adoption of Ransomware-as-a-Service (RaaS).”

Recorded Future ransomware expert Allan Liska recently noted that most of the “new” ransomware strains are simply variants of previously released versions. Data compiled by his team showed that fewer than 25% of 328 “new” ransomware variants are actually new.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.