URL: https://therecord.media/vietnamese-hacker-targets-chinese-bulgarian-organizations-with-new-ransomware

Jonathan Greig, August 7th, 2023
 * Cybercrime
 * News

SUSPECTED VIETNAMESE HACKER TARGETS CHINESE, BULGARIAN ORGANIZATIONS WITH NEW RANSOMWARE

Researchers believe a new strain of ransomware is being used to target
organizations in China, Vietnam and Bulgaria, as well as several
English-speaking countries.

Experts from Cisco Talos said on Monday that they have discovered a previously
unknown threat actor – allegedly from Vietnam – conducting attacks that started
as early as June 4.

The malware is a variant of the Yashma ransomware – a strain that has been
largely defunct since a decryptor was released last year.

“Talos assesses with high confidence that this threat actor is targeting victims
in English-speaking countries, Bulgaria, China and Vietnam, as the actor’s
GitHub account, ‘nguyenvietphat,’ has ransomware notes written in these
countries’ languages. The presence of an English version could indicate the
actor intends to target a wide range of geographic areas,” the researchers said
in a report.

“The threat actor may be of Vietnamese origin because their GitHub account name
and email contact on the ransomware notes spoofs a legitimate Vietnamese
organization’s name. The ransom note also asks victims to contact them between 7
and 11 p.m. UTC+7, which overlaps with Vietnam’s time zone.”

The attacker’s ransom note mimics that of WannaCry, which caused global outcry
in 2017 after several headline-grabbing attacks. Versions of the ransom note
come in English, Bulgarian, Vietnamese and Chinese.

The ransom amount doubles if victims do not pay within three days and the gang
provides a Gmail address to communicate. No ransom amount was listed and there
is no Bitcoin in the account shared in the note, indicating that the operation
“might still be in a nascent stage.”

After victim systems are encrypted, the victim’s wallpaper is changed to a note
claiming all files have been encrypted.

Cisco Talos noted that Yashma ransomware is itself a rebranded version of the
Chaos ransomware that first appeared in May 2022. Based on an in-depth
investigation of Yashma’s features by security researchers at BlackBerry last
year, Cisco Talos said the new variant has kept most of the original
ransomware intact.

One change did stand out to Cisco Talos. Instead of storing the ransom note in
the ransomware, this new variant downloads the ransom note from a threat
actor-controlled GitHub repository.

“This modification evades endpoint detection solutions and anti-virus software,
which usually detect embedded ransom note strings in the binary,” the
researchers said.

“One notable feature the threat actor chose to keep in this variant is Yashma’s
anti-recovery capability. After encrypting a file, the ransomware wipes the
contents of the original unencrypted files, writes a single character ‘?’ and
then deletes the file. This technique makes it more challenging for incident
responders and forensic analysts to recover the deleted files from the victim’s
hard drive.”

Several organizations tracking ransomware attacks have noted that there has been
a massive increase in the number of strains emerging.

FortiGuard Labs said on Monday that it has “documented substantial spikes in
ransomware variant growth in recent years, largely fueled by the adoption of
Ransomware-as-a-Service (RaaS).”

Recorded Future ransomware expert Allan Liska recently noted that most of the
“new” ransomware strains are simply variants of previously released versions.
Data compiled by his team showed that fewer than 25% of 328 “new” ransomware
variants are actually new.


Tags
 * China
 * Vietnam
 * Bulgaria
 * Ransomware
 * Cisco
 * Cisco Talos


JONATHAN GREIG



Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has
worked across the globe as a journalist since 2014. Before moving back to New
York City, he worked for news outlets in South Africa, Jordan and Cambodia. He
previously covered cybersecurity at ZDNet and TechRepublic.

© Copyright 2023 | The Record from Recorded Future News