Yashma is a ransomware family first observed in May 2022 as a rebranded build of the Chaos ransomware builder v5, which leaked in April 2022. It is distributed through malicious downloads, email attachments and compromised websites, encrypts victim data to hold it for ransom, and can also be used to steal information and disrupt operations. Researchers have noted an uptick in new strains produced with the Yashma builder. Earlier versions establish persistence in two ways: by adding a value under the Run registry key, and by dropping a Windows shortcut (.lnk) file in the Startup folder that points to the path of the ransomware executable.
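The following PowerShell script is an added hunting example written for this page; it is not code from the original description or from any vendor report. It enumerates the two persistence locations named above (the Run registry keys and the per-user and all-users Startup folders), resolves each .lnk to its target, and flags entries whose target lives in a user-writable directory. The list of "user-writable" directories is an assumption used as a triage heuristic, not a Yashma indicator. Run it in an elevated session on the host under investigation.

```powershell
# Added example (not from the original page): hunt for the two persistence
# mechanisms attributed to earlier Yashma builds - Run key values and .lnk
# files in the Startup folders. Run as an administrator so HKLM is readable.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Current user's Startup folder and the all-users one.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Assumption for triage: a persistence entry whose target sits in a directory an
# ordinary user can write to deserves a closer look. Not a Yashma-specific IOC.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC,
                  "$env:USERPROFILE\Downloads") |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-SuspiciousPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($dir in $userWritable) {
        if ($Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Get-ItemProperty adds provider metadata properties; skip those explicitly.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$findings  = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        # Run values are command lines; expand variables and drop a leading quote
        # so the path prefix check works on entries like "C:\...\x.exe" -arg.
        $target = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).TrimStart('"')
        $findings += [pscustomobject]@{
            Source     = $key
            Name       = $prop.Name
            Target     = $target
            Suspicious = Test-SuspiciousPath $target
        }
    }
}

# Resolve each Startup-folder shortcut to the executable it launches.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $findings += [pscustomobject]@{
            Source     = $lnk.FullName
            Name       = $lnk.Name
            Target     = $sc.TargetPath
            Suspicious = Test-SuspiciousPath $sc.TargetPath
        }
    }
}

# Suspicious entries first; review each Target before removing anything.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries flagged Suspicious are leads, not verdicts: many legitimate updaters also run from AppData. Hash the target file and check it against known Yashma samples before taking action, and remember that a sample which has already encrypted the host may have deleted its own persistence.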
A new threat actor, likely of Vietnamese origin, has been identified using a custom Yashma variant. The group has been active since at least June 4, 2023 and targets victims in English-speaking countries, Bulgaria, China and Vietnam. Its ransom note imitates that of the well-known WannaCry ransomware, which researchers read as an attempt to disguise the actor's identity rather than as a change in the malware's capabilities. Instead of embedding the note in the binary, the variant downloads it from a GitHub account named "nguyenvietphat"; because the note text is not present in the executable, detections that key on embedded ransom-note strings miss it, and the sample evades some endpoint detection and antivirus products.
A decryptor has been released for earlier Yashma versions, but it does not address this new variant, so the family remains a live threat. The WannaCry-style ransom note and the spread of targets across several regions point to a deliberately planned campaign rather than opportunistic use of the leaked builder. Defenders should not assume that the existing decryptor will recover files encrypted by newer builds, and should continue to watch for the persistence and note-delivery behaviour described above as the actor refines its tooling.
Description last updated: 2024-05-04T16:40:03.740Z