New Chaos Malware Variant Ditches Wiper for Encryption

The Chaos ransomware-builder was known for creating destructor malware that overwrote files and made them unrecoverable -- but the new Yashma version finally generates binaries that can encrypt files of all sizes.

image of a faceless cyberattacker wearing a denim jacket and hoodie with the words ransomware in the background
Source: Igor Stevanovic via Alamy Stock Photo

The Chaos malware-builder, which climbed up as a wiper from the underground murk nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully fledged ransomware capabilities.

That's according to researchers at BlackBerry, who say that Chaos is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.

BlackBerry researchers noted the same. Rather than using Ryuk’s AES/RSA-256 encryption process, the "initial edition of Chaos overwrites the targeted file with a randomized Base64 string," according to BlackBerry's new report. "Because the original contents of the files are lost during this process, recovery is not possible, thus making Chaos a wiper rather than true ransomware."

After putting the builder out in underground forums and catching plenty of snark and flak by fellow Dark Web denizens for hijacking the Ryuk brand, the group consequently named itself Chaos. The malware also cycled rapidly through several different versions, each with incremental changes that gave it more and more true ransomware capabilities. However, the wiper functionality persisted through version four.

"Based on the forums, the original ransomware is believed to be developed by a solo author," Ismael Valenzuela, vice president of threat research & intelligence at BlackBerry’s Cybersecurity Business Unit, tells Dark Reading. "This author appears new to the ransomware scene, as they were requesting feedback, bug reports, and feature requests, and the early releases were missing basic features, such as multi-threading, which are common in other ransomware."

Inside the Chaos

Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read_it.txt.”

"This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note," according to BlackBerry's analysis. "In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat."

Over time, the malware has added more sophisticated capabilities, such as the ability to:

  • Delete shadow copies

  • Delete backup catalogs

  • Disable Windows recovery mode

  • Change the victim’s desktop wallpaper

  • Customizable file-extension lists

  • Better encryption compatibility

  • Run on startup

  • Drop the malware as a different process

  • Sleep prior to execution

  • Disrupt recovery systems

  • Propagate the malware over network connections

  • Choose a custom encryption file-extension

  • Disable the Windows Task Manager

Actual encryption capabilities (using AES-256) have been included only since the third version of the malware; even then, the builder could only encrypt files smaller than 1MB. It was still acting as a destructor for large files (such as photos or videos).

"The code is written in such a way that the wiper function is certainly not accidental. It's unclear why the authors made this choice," Valenzuela says. "It's possible the malware authors made the decision for performance reasons. If the malware was working slowly through a directory of multi-GB videos or database files, there's a small chance the user might notice and be able to power off the device."

Chaos, Version Four: 'Onyx' Ransomware, Still With Wiper

Though version four of the Chaos builder was released late last year, it got a boost when a threat group named Onyx created its own ransomware with it last month. This version quickly became the most common Chaos edition directly observed in the wild today, according to the firm. Notably, while the ransomware was improved to be able to encrypt slightly larger files – up to 2.1MB in size – larger files are still overwritten and destroyed.

The latest attacks have been directed toward US-based services and industries, including emergency services, medical, finance, construction, and agriculture, according to BlackBerry.

"This particular threat group [infiltrates] a victim organization's network, [steals] any valuable data it found, then would unleash 'Onyx ransomware,' their own branded creation based on Chaos Builder v4.0," researchers said – something researchers were able to verify with sample tests that showed a 98% code match to a test sample generated via Chaos v4.0. The only changes were a customized ransom note and a refined list of file extensions.

Onyx has also implemented a leak site called “Onyx News” hosted on the Tor network, with information about its victims and publicly viewable stolen data. The site is also used to give victims more information on how to recover their data.

"The best advice we could offer companies [targeted with the Onyx wiper] is to maintain regular backups, which are stored separately, and to not pay the ransom as most of their files are not recoverable due to design," says Valenzuela. "Again, proper incident command is paramount, something that is always better planned in advance."

Chaos Wiper Reined in With Yashma

In early 2022, Chaos released a fifth version of its builder, which finally generated ransomware binaries capable of encrypting large files without irretrievably corrupting them.

"Though slower to complete its malicious tasks on the victim device than when it was simply destroying files, the malware finally operates as expected, with files of all sizes being properly encrypted by the malware and retaining the potential to be restored to their former unencrypted state," researchers noted.

A nearly identical sixth iteration soon followed in mid-2022 – renamed Yashma.

"Malware-as-a-service [MaaS] is a popular model these days; however, a unique selling point for Chaos is that up until the rebrand to Yashma, all releases have been free," Valenzuela notes. "That said, the Yashma versions are still only $17, making the ransomware widely accessible."

Yashma incorporates two advances over the fifth version: the ability to prevent the ransomware from running depending on the language set on the victim device, and the ability to stop various services.

Regarding the latter, Yashma terminates the following:

  • Antivirus (AV) solutions

  • Vault services

  • Backup services

  • Storage services

  • Remote Desktop services

Both of these versions have seen little action in the wild to date – meaning that Chaos ransomware attacks will most often incorporate a destructive wiper dimension. But it's likely that binaries based on all of the iterations of the builder will become more common over time.

"What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability," researchers noted in the report. "As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims."

Every Business Is a Target

Valenzuela points out that with Chaos, the level of technical expertise required to use it is relatively low, the builder is free, and the steps required to generate a binary of one's own are straightforward.

"No organization or industry is exempt from this risk," he said. "Every business needs to have a good defensive strategy – including a tested defensible architecture with a combination of technologies that provide prevention, visibility, and detection coverage, as well as continuous monitoring augmented with up-to-date threat intelligence – to respond early in the attack chain."

Valenzuela adds, "We have seen how many businesses have been compromised for days or weeks before the detonation of the ransomware payloads, so being able to respond to threats quickly is paramount to lessen the impact of these attacks."

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights