Ransomware Report


Title: Yashma ransomware
Registration date: 2023-06-05
Views: 6935

[Yashma ransomware]

[Virus/malware activity reported: Yashma ransomware]

Following a reported infection believed to involve Yashma ransomware, we have confirmed the situation and issue the following warning.

Yashma ransomware

The ransomware in question is called Yashma. It encrypts all files and renames each one in the form <existing name>.<existing extension>.<individual random value>.

How it works

File version


[Figure 1 File version]


[Figure 2 File properties]

Behavioral process

  • Relocates itself, re-executes, and registers as a startup program

    The sample copies itself from its initial execution location to the Roaming folder under the name svchost.exe, re-executes from there, and creates a link file pointing to the copied executable in the Startup folder.


    [Figure 3 Executable file copied to Roaming folder and contents of svchost.exe stored in internal variables]


    [Figure 4 Link and internal processing code created in the startup program folder location]

  • Disabling Windows recovery, backup and security features

    To hinder data recovery once the infection is complete, it runs cmd commands that delete shadow copies and disable Windows recovery-related functions. On server editions it also deletes the security catalog. It additionally issues stop commands to backup-related services and disables Task Manager.


    [Figure 5 cmd commands stored internally]


    [Figure 6 List of targets to stop services]


    [Figure 7 Task Manager deactivation value and error window that appears when running Task Manager]

  • Target selection and exclusions

    All drives are targeted, but certain folders within SystemDirectory (the C: drive) are excluded.


    [Figure 8 Exception handled objects]


    [Figure 9 Targeted extensions]

Infection results

The information file read_it.txt is created in each directory. As encryption proceeds, each file is renamed to <existing name>.<existing extension>.<individual random value>, and the desktop is changed once encryption completes.


[Figure 10 Infection results]
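As an added example (not from this report or from White Defender), the following Python script turns the behaviours described above, the svchost.exe copy in Roaming, the Startup-folder link, the shadow-copy deletion, the Task Manager lock-out, the read_it.txt note and the <name>.<ext>.<random> rename, into simple detection rules and runs them over constructed sample telemetry. The .lnk shortcut form, the exact shadow-copy deletion command and the DisableTaskMgr policy value are assumptions; the report does not name them.

```python
import re

# Constructed sample telemetry (not from the report): (event kind, detail) per observed action.
SAMPLE_EVENTS = [
    ("file_create", r"C:\Users\alice\AppData\Roaming\svchost.exe"),
    ("file_create", r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk"),
    ("process", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1"),
    ("file_rename", (r"C:\Users\alice\Documents\report.docx", r"C:\Users\alice\Documents\report.docx.k3x9Qz")),
    ("file_create", r"C:\Users\alice\Documents\read_it.txt"),
    ("file_create", r"C:\Windows\System32\svchost.exe"),  # legitimate location: must not fire
    ("file_rename", (r"C:\Users\alice\Documents\a.txt", r"C:\Users\alice\Documents\b.txt")),  # ordinary rename: must not fire
]

# svchost.exe belongs under the Windows directory; a copy in Roaming is the masquerade the report describes.
ROAMING_SVCHOST_RE = re.compile(r"\\AppData\\Roaming\\svchost\.exe$", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
SHADOW_DEL_RE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)  # assumed form of the shadow-copy deletion
TASKMGR_OFF_RE = re.compile(r"\\Policies\\System\\DisableTaskMgr=1$", re.I)    # assumed policy value behind Figure 7
# <existing name>.<existing extension>.<random value>: the old full name must survive as a prefix of the new one.
APPENDED_EXT_RE = re.compile(r"^(?P<orig>.+\.[A-Za-z0-9]+)\.[A-Za-z0-9]{4,}$")

def classify(kind, detail):
    """Return the name of the Yashma indicator an event matches, or None."""
    if kind == "file_create":
        if ROAMING_SVCHOST_RE.search(detail):
            return "svchost_copy_in_roaming"
        if STARTUP_LNK_RE.search(detail):
            return "startup_lnk_persistence"
        if detail.lower().endswith("\\read_it.txt"):
            return "ransom_note_dropped"
    elif kind == "process" and SHADOW_DEL_RE.search(detail):
        return "shadow_copy_deletion"
    elif kind == "registry_set" and TASKMGR_OFF_RE.search(detail):
        return "task_manager_disabled"
    elif kind == "file_rename":
        old, new = detail
        m = APPENDED_EXT_RE.match(new)
        if m and m.group("orig").lower() == old.lower():
            return "random_extension_appended"
    return None

def detect(events):
    """Map each matched indicator to the number of events that triggered it."""
    hits = {}
    for kind, detail in events:
        name = classify(kind, detail)
        if name:
            hits[name] = hits.get(name, 0) + 1
    return hits
```

On the sample telemetry, `detect(SAMPLE_EVENTS)` reports one hit for each of the six indicators and nothing for the legitimate svchost.exe or the ordinary rename; in practice the rename rule is best treated as a volume signal (many renames in a short window) rather than a single-event alert.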

White Defender response

White Defender supports blocking of this ransomware and real-time automatic restoration of any files that were encrypted before the malicious action was blocked.


[Figure 11 Block message]

Everyzone White Defender Co., Ltd. | CEO: Seunggyun Hong | Business registration number: 220-81-67981
Copyright ⓒ Everyzone, Inc. All Rights Reserved.