Chaos Ransomware at a Glance: Rapidly growing threat

The Chaos ransomware kit, which has now been renamed Yashma, is constantly being further developed and taken over by cybercriminal groups. […]

The Chaos Ransomware Builder started last year as a flawed and unconvincing imitation of the infamous Ryuk ransomware kit. Since then, it has undergone active development and rapid improvements that have convinced various groups of attackers to adopt it. The latest version, called Yashma, was first observed in the wild in mid-May and includes several improvements.

A successful ransomware operation called Onyx hit emergency services, medical facilities and organizations from various other industries in the US last year. According to security researchers, it used a variant of the Chaos ransomware.

“What makes Chaos/Yashma so dangerous in the future is its flexibility and its wide distribution,” BlackBerry researchers said in a recent report [in English]. “Since the malware is initially sold and distributed as a malware builder, any potential attacker who acquires the malware can mimic the actions of the threat group behind Onyx by developing their own ransomware strains and targeting selected victims.”

The Humble Beginnings of Chaos Ransomware and Its Aggressive Marketing

The Chaos Ransomware Builder was released in June 2021 under the name Ryuk .NET Ransomware Builder v1.0. A builder is a closed-source program that malware authors make available to their customers so they can configure the malware and generate a malicious binary with the chosen properties. In this way, different cybercriminal groups that have acquired the same malware program can, for example, use different command-and-control servers or tailor their malware to each victim individually.

Despite the name, the Ransomware Builder has nothing to do with the Ryuk ransomware program, which has infected hundreds of companies worldwide since 2018. Ryuk is the creation of a group known in the security industry as Wizard Spider, which is said to be responsible for the development of Ryuk’s successor, Conti, as well as the TrickBot botnet.

According to the BlackBerry researchers, when the Ryuk .NET Ransomware Builder was first advertised on underground forums, it was received negatively by cybercriminals. Many were displeased with the false advertising under the Ryuk name, especially since the ransomware created by the builder lacked many functions and acted as a pure file wiper.

The malware targeted over 100 file extensions, but was designed to overwrite files with a random Base64 string. Unlike encryption, this process is not reversible, so the files were permanently destroyed.

The author of the ransomware reacted to the negative feedback and, starting with version 2, renamed his builder and ransomware to Chaos. Only in version 3 did the malware gain the ability to encrypt files with the AES and RSA algorithms, and then only files smaller than 1 MB. This limit was raised to files under 2 MB in Chaos Builder v4.0, released in August, along with other improvements and features: the ability to change the victim’s desktop wallpaper to display the ransom note, customizable lists of file extensions, a graphical user interface for the builder’s users, prevention of recovery by deleting Windows shadow copies and backup catalogs, and disabling of Windows Recovery mode.

The cybercriminals of the Onyx group appear on the scene

Version 4.0 of the Chaos builder was also significant because in April 2022 it was adopted by a cybercriminal group calling itself Onyx, which also implemented the double-extortion strategy of leaking stolen data, now common among most ransomware gangs.

“Unlike the standard Chaos ransom note, which barely gave instructions or hints to the victims concerned, the group behind Onyx implemented a leak site called ‘Onyx News’, hosted through an Onion page on the Tor anonymous network,” the BlackBerry researchers said. “Onyx used this page to give victims more information on how to recover their data. The ransom note for Onyx contained the address, as well as the login and password data that allowed the victim to log in and discuss with the threat actors behind the ransomware attack.”

However, ransomware victims and security researchers quickly found out that the Onyx ransomware destroyed files larger than 2 MB due to the encryption limitation in the Chaos ransomware, with which it shares 98% of its code.

The BlackBerry researchers also came across a conversation on the negotiation site between the Onyx gang and one of the victims, in which someone posing as the creator of the Chaos builder tried to promote the latest version of his ransomware and make clear that it no longer has the 2 MB file limit. The alleged Chaos creator also took the opportunity to confirm that Onyx is based on an older version of his program.

During its short lifetime, the Onyx gang has attacked US-based organizations in the fields of finance, economics, medicine and agriculture, as well as emergency services. Even if it is not clear what relationship the Onyx gang has with the Chaos inventor, the gang’s success could arouse the interest of other cybercriminals in the Chaos creator, especially since the encryption problems have now been fixed.

A serious problem with the Onyx attacks is that many files are destroyed, which runs counter to the practices of many ransomware attackers. Even though there have been many exceptions over time, most ransomware gangs have historically kept their promise to decrypt files. The likely reason is reputation: they want victims to trust them and pay their demands.

According to Christopher Boyd, researcher at Malwarebytes, this criminal trust cycle has eroded in recent years as some groups have continued extortion after payment. In addition, there are now many more groups carrying out this type of activity than in the past, and they often appear and disappear again, leaving victims with no one to turn to. Then there is also faulty ransomware such as Onyx (Chaos), which makes recovery impossible.

“In 2022, any semblance of expectation or trust in the authors of ransomware has vanished into thin air, and will never return,” Boyd said in a blog post [in English] in April. “Ransomware is now too big and too unwieldy to make any real sense of the expected functionality. What we can expect is that the extortion will continue even after the ransom has been paid. As the article notes, the combination of RaaS [Ransomware as a Service], which is relatively short-lived, and the partners, who usually do their own thing regardless of the expectations of the main group, means that it is almost a carte blanche for everyone.”

From Chaos to Yashma

The encryption problem was fixed in version 5 of Chaos, released in early 2022, which made the ransomware much slower but able to encrypt files of all sizes. This version also added a more sophisticated decryptor and the ability to encrypt files beyond the C: drive, which made it even more dangerous, but its creator was not finished yet.

In May, the ransomware builder was renamed again with the release of version 6, which is now called Yashma. With this version, attackers can configure the ransomware not to run depending on the language set on the victim’s device. This technique is often used by malware authors to avoid infecting computers in their own country or region, which would attract the interest of local law enforcement agencies. In addition, Yashma can now also stop various services on victims’ computers, including antivirus, backup services, storage services, remote desktop services, and credential management services.
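The recovery-inhibiting behaviour described for Chaos v4 (shadow copy and backup catalog deletion, Windows Recovery disabled) and the service stopping added in Yashma are visible in process-creation telemetry. The following detection pass is an added illustration, not code from the article or from the BlackBerry report; the events are constructed, and the Windows built-in commands matched here and the three-stop threshold are assumptions about how those behaviours typically show up, not something the article states.

```python
import re
from collections import defaultdict

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws01", "cmdline": "net stop vss"},
    {"host": "ws01", "cmdline": "net stop wbengine"},
    {"host": "ws01", "cmdline": "sc stop TermService"},
    {"host": "ws02", "cmdline": "net stop Spooler"},       # lone admin action, benign
    {"host": "ws02", "cmdline": "vssadmin list shadows"},  # read-only, not a deletion
]

# Behaviours the article attributes to Chaos v4+ (recovery inhibition) and
# Yashma (stopping backup, storage, remote desktop and similar services).
# The command strings are the standard Windows built-ins for these actions;
# tying them to these ransomware families is an assumption, not from the article.
RULES = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "backup_catalog_deletion": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S+", re.I),
}

def classify(cmdline):
    """Return the names of all rules a single command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def analyse(events, service_stop_threshold=3):
    """Aggregate per host. A host is flagged when shadow-copy or backup-catalog
    deletion is seen together with either recovery disabling or a burst of
    service stops; a single stop or a read-only vssadmin call is not enough."""
    per_host = defaultdict(lambda: {"hits": set(), "service_stops": 0})
    for ev in events:
        state = per_host[ev["host"]]
        for name in classify(ev["cmdline"]):
            state["hits"].add(name)
            if name == "service_stop":
                state["service_stops"] += 1
    flagged = {}
    for host, st in per_host.items():
        inhibited = {"shadow_copy_deletion", "backup_catalog_deletion"} & st["hits"]
        if inhibited and ("recovery_disabled" in st["hits"] or st["service_stops"] >= service_stop_threshold):
            flagged[host] = sorted(st["hits"])
    return flagged

if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_EVENTS).items():
        print(f"{host}: likely ransomware pre-encryption activity -> {', '.join(hits)}")
```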

So far, there have been few infections with Yashma in the wild, but this number may increase, especially since the builder is easily accessible on underground forums. There are even leaked versions for which cybercriminals do not have to pay at all.

“Tracking ransomware attacks attributed to Chaos is quite difficult, because the indicators of compromise (IOCs) can change with each sample that a malware builder produces,” the BlackBerry researchers said. “In addition, even inexperienced threat actors can find links to publications and leaks of this threat on dark web forums or third-party malware repositories, and then use Chaos/Yashma for future malicious activity.”

In their report [in English], the BlackBerry researchers list both the known indicators of compromise and YARA detection rules.

Lucian Constantin is a senior writer at CSO and reports on information security, privacy and data protection.
