Cisco Talos tracks an ongoing ransomware operation tied to a likely Vietnamese actor, using a customized Yashma variant that mimics WannaCry across multiple regions. The group downloads ransom notes from an actor-controlled GitHub repo via an embedded batch file and has not yet monetized the campaign in a visible way. #Yashma #WannaCry #nguyenvietphat #Vietnam #Bulgaria #China #Talos #ChaosRansomware
Keypoints
- Unknown ransomware actor, likely of Vietnamese origin, active since at least June 4, 2023.
- Operates a customized Yashma variant that mirrors WannaCry characteristics to broaden geographic targeting.
- Ransom note download is performed via an embedded batch file that pulls notes from a GitHub repository controlled by the actor.
- Targets English-speaking countries, Bulgaria, China, and Vietnam, inferred from multilingual ransom notes and timing cues.
- The actor’s GitHub alias nguyenvietphat and language choices suggest a Vietnamese origin; ransom notes include language-specific phrases and time window alignment to UTC+7.
- Campaign began around June 4, 2023, with notes in English, Bulgarian, Vietnamese, Simplified Chinese and Traditional Chinese.
MITRE Techniques
- [T1059.003] Windows Command Shell – The malware uses an embedded batch file to download the ransom note from the actor-controlled GitHub repository. Quote: ‘they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.’
- [T1105] Ingress Tool Transfer – The ransom note is downloaded from the GitHub repository as part of the infection/encryption setup. Quote: ‘download the ransom note from the actor-controlled GitHub repository’
- [T1547.001] Boot or Logon Autostart Execution – The variant establishes persistence in the Run registry key and creates a startup bookmark (.url) pointing to the dropped executable. Quote: ‘established persistence in the Run registry key… .url bookmark file in the startup folder that points to the dropped executable located at “%AppData%\Roaming\svchost.exe”’
- [T1490] Inhibit System Recovery – The ransomware implements anti-recovery by wiping original files, writing a single character, and deleting the file to hinder recovery efforts. Quote: ‘anti-recovery capability… wipes the contents of the original unencrypted files, writes a single character “?” and then deletes the file.’
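As an added defender-side example (not code from the Talos write-up or this summary), the check below parses a startup-folder .url bookmark of the kind described under T1547.001 and flags one whose URL= target is an executable under %AppData%\Roaming, or carries a Windows system binary name but lives outside the system directories. The two bookmark samples, the victim user name and the list of impersonated names are constructed for the example.

```python
from configparser import ConfigParser
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Constructed sample: a startup-folder InternetShortcut whose URL= points at a
# dropped executable under %AppData%\Roaming that borrows a system binary name.
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/victim/AppData/Roaming/svchost.exe
IconIndex=0
"""

# Constructed sample: an ordinary web bookmark, which should not be flagged.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://intranet.example.test/portal
"""

# System binary names commonly borrowed by malware (assumed list, not from the page)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
# Directories from which a genuine svchost.exe is expected to run
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def target_of_url_file(text: str) -> Optional[str]:
    """Return the URL= value of an InternetShortcut file, or None if absent."""
    cp = ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)

def local_path(url: str) -> Optional[str]:
    """Turn file:///C:/dir/x.exe into C:\\dir\\x.exe; None for non-file URLs."""
    parsed = urlparse(url)
    if parsed.scheme.lower() != "file":
        return None
    return unquote(parsed.path).lstrip("/").replace("/", "\\")

def assess_startup_bookmark(text: str) -> List[str]:
    """List the reasons a startup .url entry matches the described persistence."""
    reasons: List[str] = []
    url = target_of_url_file(text)
    path = local_path(url) if url else None
    if path is None:
        return reasons
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]  # split on backslash so this works off-Windows too
    if name.endswith(".exe") and "\\appdata\\roaming\\" in low:
        reasons.append("startup bookmark launches an executable from %AppData%\\Roaming")
    if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} referenced outside the Windows system directories")
    return reasons
```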
Indicators of Compromise
- [Bitcoin Wallet] – bc1qtd4qv0wmgtu2rdr0wr8tka2jg44cgmz04z5mc7
- [Email Address] – nguyenvietphat[.]n[at]gmail[.]com
- [GitHub Account] – nguyenvietphat
- [GitHub Repository] – Ransomware
Read more: https://blog.talosintelligence.com/new-threat-actor-using-yashma-ransomware/