Your IP: Unknown · Your Status: ProtectedUnprotectedUnknown

Skip to main content



Also known as: Chaos, Onyx, FakeRyuk, RyukJoke

Category: Malware

Type: Ransomware

Platform: Windows

Variants: Chaos V4, Chaos V5

Damage potential: Malware infection, file encryption, file corruption and loss, system performance issues, network connectivity problems, and financial loss.


Yashma is a sophisticated new ransomware targeting organizations in China, Bulgaria, Vietnam, and several English-speaking countries. Instead of storing a ransom note on the victim’s computer, Yashma uses an embedded batch file to download the note from a GitHub repository. This modification allows the attackers to avoid antivirus detection. After infecting a device, Yashma encrypts files with AES-256 and changes the wallpaper to a message about the attack. The attackers demand payment in three days — or the ransom demand doubles.

Possible symptoms

The main symptom of a Yashma infection is file encryption. You may notice that you can’t open the files you usually use on your device. Other symptoms include:

  • Your desktop wallpaper changes (i.e., to a message about file encryption).

  • A ransom note appears demanding payment in three days.

  • Changes to file names (e.g., a “?” character added at the end).

  • Unusually slow computer performance.

  • Increased CPU and disk activity.

  • Antivirus alerts about an infection.

  • Disabled Windows task manager.

  • Internet connection issues.

  • Disabled antivirus solutions.

Sources of infection

Yashma ransomware may spread in many ways, with attackers often using social engineering tactics. Let’s look at how Yashma infects organization networks.

  • Phishing emails. Yashma may be distributed through phishing or spear phishing attacks that target company employees.

  • Malicious attachments. Employees may receive spam emails with malicious attachments that install Yashma once opened.

  • Infected external drives. Yashma ransomware may also spread via infected USBs, external hard drives, or other removable media.

  • Security vulnerabilities. Attackers may target unpatched security vulnerabilities in the system or network to spread Yashma.


Ransomware attacks can have serious consequences for organizations, from disrupted services to significant financial loss. Here’s how to protect networks and devices from Yashma:

  • Keep software up to date. Yashma attackers may target unpatched system and network vulnerabilities, so don’t delay security patches and updates.

  • Regularly back up your data. Having your data and files backed up means you won’t lose them even if Yashma infects the network.

  • Beware of phishing emails. Attackers use phishing and spam emails to get onto the company network. Make sure you don’t open any suspicious emails or attachments.

  • Provide cybersecurity training. Company-wide employee training is crucial in preventing ransomware attacks in businesses.

  • Use NordVPN. In addition to securing your data traffic, NordVPN offers Threat Protection — an advanced feature that blocks malicious sites, web trackers, and annoying ads. Plus, it checks files for malware during download.


Because Yashma is a stealthy and sophisticated ransomware, removing it from a company network can be challenging. It’s best to consult a specialist and use a reputable antivirus (though not all solutions may detect Yashma). If you don’t have your data backed up, you may also need to use a trusted ransomware decryption tool to access it without paying the ransom.

Ultimate digital security