Chaos ransomware: reviewing the newbie

Chaos ransomware: reviewing the newbie
Chaos ransomware
Written by Brendan Smith

Chaos Ransomware is a newbie in the ransomware world. It was first detected in June, 2021, and was supposed to be an alter-ego of the Ryuk ransomware family. More precise analysis showed that they have much less in common than analysts thought.

Chaos ransomware: the story of evolution

Cybersecurity analysts usually examine the new ransomware group by its activity. However, there are no reported cases of Chaos ransomware attacks. The only thing that says clearly about the creation of this new group is an eponymous ransomware builder, which was published for testing on one of the Darknet forums.

Ransomware builder is, in fact, a special IDE that is designed to create and modify ransomware. It has almost the same functionality as usual IDEs, like IntelliJ IDEA or .NET Framework, but with specific settings that allows the crooks to adjust the final ransomware variant for their needs.

Builder v1.0: how it began

The first edition of Chaos builder appeared on June 9, 2021. This variant contained a Ryuk logo in the upper left corner, which gave birth to the versions that Chaos group is just an alteration of Ryuk. However, a closer look at the outcome of this ransomware builder showed that Chaos does not have a lot of elements in common with Ryuk, and not even ransomware at all.

Chaos builder v1.0

Due to what analysts saw, the first version of Chaos builder is rather a vandal trojan than ransomware. It does not encrypt the files in the system, it just overwrites them with randomly chosen bytes. Hence, paying the ransom will not lead to anything – your data is lost without any chances for decryption or other actions. Only backups could help you, but, again – there are no reported cases of Chaos attacks.

Vandal viruses are a very rare thing, which is almost unused by cybercriminals. They destroy the files kept in the infected system or even destroy the whole file system. In the last case, you have a chance to recover your data. The shelves in the “warehouse” (your disk) are just destroyed, and all items stored in it are now laying on the ground like a pile of rubbish. Nonetheless, if you recover those “shelves” (i.e. file system), you can try to use recovery tools.

Besides having no ransomware functions, the malware which was built by Chaos builder still has the abilities that are pretty typical for most ransomware. It scans the following directories to find the files (in chronological order):

  • \\Contacts
  • \\Desktop
  • \\Documents
  • \\Downloads
  • \\Favorites
  • \\Links
  • \\Music
  • \\OneDrive
  • \\Pictures
  • \\Saved games
  • \\Searches
  • \\Videos

After scanning, this malware attacks the files of more than 100 extensions. Of course, all popular extensions, like .png, .jpg, .jpeg, .txt, .docx and .xlsx are in the scope, too. This feature makes the Chaos from v1.0 builder almost the same effective as ransomware – but without the encryption.

Nonetheless, besides the fact that your files cannot be recovered in any way after the attack, the virus still leaves the ransom note on your desktop. The read_it.txt file looks like this:

read-it.txt file Chaos Ransomware

The specific feature that distinguishes this “ransomware” from others is that it can bypass the barrier between logical disks, and encrypt all your drives. No matter if you have a single physical disk divided into several logical ones or each logical disk corresponds to one physical – this virus will just overwrite the files on all of them. Even removable drives are not safe: thanks to the following code strings, it is able to infect even your USB drive:

Chaos Ransomware

Chaos builder 2.0: still overwriting

In the second version of Chaos builder, published June 17, 2021, the outcoming malware did not get any encryption functions. However, the new functions arrived: now Chaos ransomware has much more abilities in administrator mode, can disable the Volume Shadow Copies and Windows Recovery Mode. There is also a single visual change: the Ryuk logo has disappeared from the builder window.

Chaos builder v2.0

Chaos builder v3: finally, ransomware.

Being a vandal virus definitely creates ill fame around your ransomware. While almost all ransomware groups attempt to create a good image of themselves (pay the ransom = receive your files with a guarantee), Chaos has shown its sneaky nature even before the attacks. Hence, turning into “classic” ransomware was just a question of time. Money is always more important than revenge or reasonless vandalism.

Chaos builder v3.0

The result of the builder v3.0 activity (published June 5, 2021) is encrypting files smaller than 1MB using the AES+RSA mixed encryption. Besides that, the v3 builder also allows you to create the decryption tool for the ransomware. There is also the possibility to enable the overwrite mode – back to a more early version of Chaos ransomware.

Chaos builder

Builder v4.0

On August 5, 2021, the fourth version of Chaos builder appeared on public. This version did not bring something brand new to the outcoming ransomware but buffed the add-on functions. Now, the ransomware is able to change the wallpapers – that is often needed to display the ransom note constantly and keep the victim in fear. Other things that have been changed are the ability to add its own extension and the size of files that could be encrypted: the limit was increased to 2MB. That allows this virus to attack some small Photoshop projects, small or low-quality audio files, any .png and almost all .jpg files.

Chaos builder v4.0

After all these alterations, which can surely be described as evolution, Chaos malware can surely be called ransomware. However, it has its features, which are not so unique – but never used in such a combination. Some facts were not spoken clearly, but it is obvious that such new ransomware will use the RaaS scheme, aim at corporations and apply the double extortion.

Here are the SHA256 hashes of the viruses from each builder versions:

Chaos v10d8b4a07e91e02335f600332644e8f0e504f75ab19899a58b2c85ecb0887c738
Chaos v2325dfac6172cd279715ca8deb280eefe3544090f1583a2ddb5d43fc7fe3029ed
Chaos v363e28fc93b5843002279fc2ad6fabd9a2bc7f5d2f0b59910bcc447a21673e6c7
Chaos v4f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77
Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Chaos ransomware: reviewing the newbie
Article
Chaos ransomware: reviewing the newbie
Description
Chaos ransomware appeared first in June 2021. There are no reported cases of this ransomware attacks, but its builder is published and updated pretty often. Last allows us to understand what to expect from this malware.
Author
Copyright
HowToFix.Guide
 

About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.

Leave a Reply

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.