New Yashma Ransomware Variant Targets Multiple English-Speaking Countries



Aug 08, 2023THNEndpoint Security / Malware

An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023.

Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin.

“The threat actor uses an uncommon technique to deliver the ransom note,” security researcher Chetan Raghuprasad said. “Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file.”

Yashma, first described by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild.

A notable aspect of the ransom note is its resemblance to the well-known WannaCry ransomware, possibly in an attempt to obscure the threat actor’s identity and confuse attribution efforts. While the note mentions a wallet address to which the payment is to be made, it doesn’t specify the amount.

The disclosure comes as the cybersecurity company said that leaks of ransomware source code and builders are accelerating the creation of new ransomware variants, which in turn results in more attacks.

“Ransomware builders usually have a user interface that allows users to choose the underlying features and customize the configurations to build a new ransomware binary executable without exposing the source code or needing a compiler installed,” the company pointed out.

“The availability of such builders allows novice actors to generate their own customized ransomware variants.”

The development also follows a major spike in ransomware attacks, with Malwarebytes recording as many as 1,900 incidents over the past year within the U.S., Germany, France, and the U.K., mainly fueled by the “ascension of the Cl0p group – which has effectively harnessed zero-day vulnerabilities to amplify its attacks.”

In a related report, Akamai found that an increase in the use of zero-day and one-day security flaws has resulted in a 143% increase in the number of ransomware victims in the first quarter of 2023 compared with the same period last year.

“The Cl0p ransomware group is aggressively developing zero-day vulnerabilities, growing its victims by 9x year over year,” the company said. “Victims of multiple ransomware attacks were more than 6x more likely to experience the second attack within three months of the first attack.”

But in what’s a further sign of the evolution of the threat landscape, Trend Micro disclosed details of a TargetCompany (aka Mallox or Xollam) ransomware attack that utilized an iteration of a fully undetectable (FUD) obfuscator engine called BatCloak to infect vulnerable systems with remote access trojans like Remcos RAT and maintain a stealthy presence on targeted networks.

“Afterward, the Remcos RAT will resume its final routine as it downloads and deploys the TargetCompany ransomware still wrapped in an FUD packer,” the company said.

“The use of FUD malware already limits most available solutions for this said tactic, even more so for off-the-shelf technologies likely susceptible to other attacks (not just ransomware). This set of packers will likely not be the only ones being developed in the near future.”
