Unknown Threat Actor Uses Chaos Ransomware Variant Yashma To Target English Speaking Countries In Addition To Bulgaria, China and Vietnam

Tags: Yashma, Chaos, win.chaos, Ransomware
Yashma, first described by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild.

Indicators of Compromise

www.transportesevaristomadero.com
pkho.timeline.transversallearning.com
rub.defauld.top
amrc.tuktuk.ug
moknex158.xyz
o0o.enigne.top
ffsimv.gr
www.redconsultora.com
rcam.tuktuk.ug
yabynennet.xyz
purchase.lottoprize.us
mail.redseatransportuae.com
logxtai.shop
mail.kbakr.com
moneymaker.dynuddns.net
billdeckhart.com
urelishavea.online
www.monroefmc.com
mail.lssoman.com
www.heckelmann.info
xcelcareers.com
mail.flumetec.com
onedirve.info
marketisportsstumi.win
artmediastudio.ro
www.cinthyarochafotografia.com.br
n57b30a.info
polteklpp.ac.id
mail.jackandjillcoachinginn.uk
mail.ungaplc.com
mail.awelleh3.top
ftp.itvlahita.com
nstar-gw.office-northstar.jp
ndrjb.timeline.transversallearning.com
ftp.papeleriaveneplast.com
smz-llc.net
laguna.alicia-gutierrez.com
qdx.timeline.transversallearning.com
sandiisells.com
smtp.unrc.ir
www.medichiccenter.com
red.loonyt.top
revolutionmakerspace.com
bejenaru-studio.ro
earthqik.co.za
irenosolutions.com
ftp.svetigeorgije.co.rs
fetchdesignprint.co.za
www.thesciencebasement.org
iii.tavrmon.top
game-cheat.net
mail.vitalsoap.com.pk
www.monarkpapes.com
mdelaluz.net
winetourism.co.za
brightsidemedium.com
vikaneleneer.shop
earthqik.website
vapdelivery.com.br
mail.echigoseika.co.jp
mail.adityagroup.co
dodiam.live
sszteell.com
gecitartandmore.com
lightyearsaheads.com
bts.korpop.top
bripst.com
confidententeprises.com
hncelectric.cf
smtp.godforeu.com
downloads.digitalpulsedata.com
dienmay01.maudemo.com
fuji-iasi.ro
silversoft.in
manupd.ru
mail.kennettextile.co.th
mail.expertsconsultgh.co
pilkishop.ru
mail.icmpp.ro
hiqsolution.com
rcn.tuktuk.ug
www.vapdelivery.com.br
gateway3.sipcanada.com
sterlingfundinginc.com
kivspace.xyz
ars1.wemix.cc
6vftqk5hzuoaxd4m6gspin3ro6f2oujh.h6762ca.1.0.6tpdtd56tfu7tsm2xx43yj6pb4.94yb3vv.dns0.org
bb.hash3688.com
click.open
linuxddos.net
github.co
2fgithub.com
ai.nqb001.com
tomca1.com
a.nqb001.com
botnet.ddoswow.site
tf.xiaozhuddos.co
bitantcoins.pro
click.contact
repository.click
are.nishabig.pro
js.wanpay1.cn
click.talk
continue.email
click.discover
click.compare
x.xlg360.xyz
abc.cfed.cc
skyeda.vip
submit.org
click.zero
quanquandd.top

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations
Make sure you quarantine the malware from your system first.

We strongly suggest that all user accounts with remote login permissions change their passwords, and that you look for other local accounts that the ransomware operators may have added. Yashma ransomware must be removed from the operating system to prevent further encryption. Unfortunately, removing it will not restore files that have already been encrypted; the only solution is to recover them from a backup (if any).

We also recommend that you keep backups in multiple different locations (e.g. remote servers, unplugged storage devices, etc.) to ensure data security.

Reports & References (2)

Observed Countries (250)

AD (942)
AE (477)
AF (282)
AG (677)
AI (126)
AL (62)
AM (961)
AO (586)
AQ (883)
AR (734)
AS (40)
AT (23)
AU (949)
AW (818)
AX (177)
AZ (362)
BA (416)
BB (882)
BD (547)
BE (133)
BF (864)
BG (344)
BH (746)
BI (994)
BJ (537)
BL (714)
BM (245)
BN (227)
BO (118)
BQ (284)
BR (890)
BS (421)
BT (791)
BV (330)
BW (539)
BY (778)
BZ (914)
CA (247)
CC (397)
CD (47)
CF (800)
CG (172)
CH (940)
CI (78)
CK (424)
CL (169)
CM (104)
CN (922)
CO (863)
CR (950)
CU (855)
CV (284)
CW (946)
CX (266)
CY (697)
CZ (981)
DE (426)
DJ (847)
DK (322)
DM (477)
DO (867)
DZ (930)
EC (396)
EE (592)
EG (273)
EH (403)
ER (127)
ES (400)
ET (948)
FI (80)
FJ (634)
FK (907)
FM (469)
FO (774)
FR (588)
GA (333)
GB (544)
GD (26)
GE (647)
GF (187)
GG (633)
GH (968)
GI (753)
GL (154)
GM (805)
GN (327)
GP (468)
GQ (414)
GR (250)
GS (657)
GT (876)
GU (755)
GW (288)
GY (37)
HK (329)
HM (639)
HN (131)
HR (154)
HT (940)
HU (259)
ID (423)
IE (478)
IL (731)
IM (796)
IN (952)
IO (547)
IQ (525)
IR (977)
IS (699)
IT (168)
JE (53)
JM (209)
JO (502)
JP (540)
KE (6)
KG (350)
KH (384)
KI (753)
KM (974)
KN (425)
KP (855)
KR (670)
KW (92)
KY (907)
KZ (41)
LA (661)
LB (835)
LC (989)
LI (206)
LK (313)
LR (671)
LS (711)
LT (147)
LU (88)
LV (37)
LY (531)
MA (216)
MC (899)
MD (531)
ME (10)
MF (102)
MG (845)
MH (558)
MK (314)
ML (739)
MM (228)
MN (794)
MO (853)
MP (280)
MQ (86)
MR (318)
MS (459)
MT (195)
MU (496)
MV (288)
MW (555)
MX (497)
MY (161)
MZ (803)
NA (764)
NC (681)
NE (504)
NF (557)
NG (123)
NI (232)
NL (746)
NO (269)
NP (804)
NR (15)
NU (625)
NZ (586)
OM (251)
PA (923)
PE (480)
PF (163)
PG (946)
PH (44)
PK (323)
PL (186)
PM (316)
PN (352)
PR (978)
PS (699)
PT (270)
PW (44)
PY (940)
QA (781)
RE (147)
RO (468)
RS (263)
RU (749)
RW (468)
SA (426)
SB (801)
SC (95)
SD (79)
SE (408)
SG (111)
SH (344)
SI (728)
SJ (169)
SK (983)
SL (902)
SM (333)
SN (892)
SO (474)
SR (264)
SS (123)
ST (499)
SV (487)
SX (975)
SY (587)
SZ (680)
TC (404)
TD (59)
TF (744)
TG (250)
TH (759)
TJ (998)
TK (60)
TL (503)
TM (708)
TN (656)
TO (126)
TR (281)
TT (877)
TV (909)
TW (171)
TZ (532)
UA (36)
UG (551)
UM (727)
US (273)
UY (436)
UZ (104)
VA (718)
VC (253)
VE (896)
VG (351)
VI (801)
VN (512)
VU (339)
WF (405)
WS (161)
XK (106)
YE (538)
YT (697)
ZA (317)
ZM (396)
ZW (681)