Report: New ransomware gang emerges in Vietnam

Researchers discovered a new ransomware gang that appears to be in the early stages of their extortion campaigns.
A laptop displays a message after being infected by a ransomware as part of a worldwide cyberattack on June 27, 2017. (Rob Engelaar / ANP / AFP)

Cybersecurity researchers at Cisco Talos have discovered a new ransomware gang operating out of Vietnam, the latest addition to an increasingly crowded cybercriminal landscape in Southeast Asia.

Targeting victims in English-speaking countries, as well as Bulgaria, China, and Vietnam, the gang uses a Yashma ransomware variant that downloads a ransomware note from an account dubbed “nguyenvietphat” on the code sharing platform Github, evading some endpoint detection and antivirus software, Cisco’s report finds.

The unnamed group has been active since at least June 4 and is one of a growing number of cybercriminal gangs and other hacking groups operating out of Vietnam or targeting the country.

The revelation of the new group comes against the background of an overall increase in ransomware activity. In a report published Monday, researchers with Akamai found that an increase in the use of zero-day and one-day vulnerabilities has resulted in a 143% increase in the number of ransomware victims in the first quarter of 2023 compared with the same period last year.


Cisco Talos researchers said that they have “moderate confidence” that the ransomware actor is of Vietnamese origin. The Github account name and email contact in the ransomware note mimics a legitimate Vietnamese organization, and the the time zones in which the operators ask to be contacted overlap with Vietnam’s.

The ransomware note is structured similarly to the note associated with the infamous WannaCry ransomware and features the same headings.

The note demands payment in Bitcoin and threatens to double the ransom if the victim does not pay within three days. The ransom note also says that if there is no payment within seven days then the victim will not be able to recover any files.

Wallpaper from the Yashma variant (left) and from WannaCry (right). (Cisco Talos)

Latest Podcasts