Cybersecurity researchers at Cisco Talos have discovered a new ransomware gang that they assess is likely operating out of Vietnam, the latest addition to an increasingly crowded cybercriminal landscape in Southeast Asia.
Targeting victims in English-speaking countries, as well as Bulgaria, China, and Vietnam, the gang uses a Yashma ransomware variant that, rather than carrying the ransom note inside the binary, downloads it at runtime from an account dubbed "nguyenvietphat" on the code-sharing platform GitHub, a step that lets it evade some endpoint detection and antivirus software, Cisco's report finds.
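Fetching the note from GitHub at run time means the binary carries no ransom-note strings, but it also means the infected host has to make an outbound request to a GitHub domain. That request is a hunting opportunity: on most endpoints only browsers and developer tools should be talking to raw.githubusercontent.com. The script below is an added example (not code from Cisco Talos or from the article) that runs over constructed proxy-style log lines with process attribution and flags GitHub fetches by processes outside an assumed allowlist, escalating when the repository owner matches a watched account. The log format, the allowlist, and the sample lines are assumptions; the only value taken from the article is the account name "nguyenvietphat".

```python
"""Hunt proxy/EDR logs for unexpected processes fetching content from GitHub."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed sample telemetry (not real logs): timestamp, host, process image, URL.
SAMPLE_LOGS = [
    "2023-08-07T09:12:01Z WS-01 C:\\Program Files\\Mozilla Firefox\\firefox.exe https://raw.githubusercontent.com/someorg/repo/main/README.md",
    "2023-08-07T09:13:44Z WS-01 C:\\Users\\Public\\update.exe https://raw.githubusercontent.com/nguyenvietphat/Ransomware/main/note.txt",
    "2023-08-07T09:14:02Z WS-02 C:\\Windows\\System32\\svchost.exe https://update.microsoft.com/download/patch.cab",
    "2023-08-07T09:15:10Z WS-03 C:\\Users\\alice\\AppData\\Local\\Temp\\a.exe https://github.com/nguyenvietphat/Ransomware/raw/main/note.txt",
    "2023-08-07T09:16:00Z WS-04 C:\\Program Files\\Git\\cmd\\git.exe https://github.com/example/tool.git",
]

# GitHub hosts whose first path segment is the owning account (assumption: user/org content only).
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "gist.githubusercontent.com"}

# Processes expected to reach GitHub on a developer workstation; tune per environment (assumption).
ALLOWED_IMAGES = {"firefox.exe", "chrome.exe", "msedge.exe", "git.exe", "code.exe"}

# Account named in the Talos reporting; extend with other indicators as they are published.
WATCHED_ACCOUNTS = {"nguyenvietphat"}

# Assumed log layout: ISO timestamp, hostname, process image path (may contain spaces), URL.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<image>.+?) (?P<url>https?://\S+)$")


@dataclass
class Alert:
    ts: str
    host: str
    image: str
    url: str
    reason: str
    severity: str


def github_account(url: str) -> Optional[str]:
    """Return the GitHub account that owns the fetched path, or None for non-GitHub URLs."""
    parsed = urlparse(url)
    if parsed.hostname not in GITHUB_HOSTS:
        return None
    segments = [s for s in parsed.path.split("/") if s]
    return segments[0].lower() if segments else None


def image_basename(image_path: str) -> str:
    """Strip Windows or POSIX directories so 'C:\\...\\a.exe' compares as 'a.exe'."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(lines) -> list:
    """Flag GitHub fetches by non-allowlisted processes; escalate on watched accounts."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; in production, count these rather than drop silently
        account = github_account(m["url"])
        if account is None:
            continue
        image = image_basename(m["image"])
        if account in WATCHED_ACCOUNTS:
            # A watched account is an indicator regardless of which process fetched it.
            alerts.append(Alert(m["ts"], m["host"], image, m["url"],
                                f"fetch from watched GitHub account '{account}'", "high"))
        elif image not in ALLOWED_IMAGES:
            alerts.append(Alert(m["ts"], m["host"], image, m["url"],
                                "GitHub fetch by process outside allowlist", "medium"))
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.ts} {a.host} {a.image} -> {a.url} ({a.reason})")
```

The allowlist is the weak point of any such rule: package managers, CI agents and scripting runtimes also pull from GitHub, so in practice the medium-severity path is a triage queue rather than a block decision, while a match on a published account name is worth an immediate look. Note that the check only works if the proxy or EDR records which process made the request; plain URL filtering logs without process attribution can still match the watched account but cannot distinguish a browser from a dropped executable.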
The revelation of the new group comes against the background of an overall increase in ransomware activity. In a report published Monday, researchers with Akamai found that an increase in the use of zero-day and one-day vulnerabilities has resulted in a 143% increase in the number of ransomware victims in the first quarter of 2023 compared with the same period last year.
Cisco Talos researchers said that they have "moderate confidence" that the ransomware actor is of Vietnamese origin. The GitHub account name and the email contact in the ransom note mimic a legitimate Vietnamese organization, and the time zones in which the operators ask to be contacted overlap with Vietnam's.
The ransomware note is structured similarly to the note associated with the infamous WannaCry ransomware and features the same headings.
The note demands payment in Bitcoin and threatens to double the ransom if the victim does not pay within three days. The ransom note also says that if there is no payment within seven days then the victim will not be able to recover any files.