October 2, 2023

Researchers have uncovered a multilingual attack campaign using a Yashma ransomware variant against organizations globally. The campaign, allegedly launched by Vietnamese threat actors, is believed to have commenced in the first week of June. Yashma was first spotted as a variant of the Chaos ransomware strain.

Researchers identified a previously unknown threat actor orchestrating a series of cyberattacks across China, Vietnam, Bulgaria, and English-speaking nations.

Once after infecting victim systems, the malware encrypts files and alters the wallpaper with a notification claiming the encryption of all files. The ransom demand doubles if victims fail to pay within three days, and a Gmail address is offered for communication.


The new strain of Yashma ransomware employs a modified approach to storing the ransom note that gets downloaded from GitHub repository controlled by the threat actor.This is to evade traditional detection methods that identify embedded ransom notes within the binary. 

The malware employs anti-recovery tactics, overwriting original unencrypted files with a single character ‘?’ and then deleting them. This technique complicates the retrieval of deleted files by incident responders and forensic analysts.

The threat actor’s GitHub account and email contact in the ransom notes appear to impersonate a legitimate Vietnamese organization, potentially indicating Vietnamese origins.


The ransom note specifies communication hours that align with Vietnam’s time zone (UTC+7).After encryption, the Yashma ransomware variant sets the wallpaper on the victim’s machine, as seen in the image below. It seems the operator downloaded this picture from www[.]FXXZ[.]com and embedded it in the Yashma variant binary. The wallpaper set by the Yashma variant in the victim’s machine also mimics the WannaCry ransomware.

The growth in ransomware variants has been substantial, it’s important to recognize that a significant portion of these new strains is actually variations of previously known ransomware, underscoring the need for comprehensive threat intelligence and response strategies. Similarly, Yashma has the same characteristics too. Security teams are advised to take the right measures and mitigate the threat.

Indicators of Compromise

  • 3ea6df18492d21811421659c4cf9b88e64c316f2bef8a19766b0c79012476cac
  • nguyenvietphat[.]n[at]gmail[.]com
  • hxxps[://]github[.]com/nguyenvietphat/Ransomware[.]git

Leave a Reply

%d bloggers like this: