New Chaos Malware Variant Ditches Wiper for Encryption

The Chaos malware-builder was known for creating destructor malware that overwrote files and made them unrecoverable — but the new Yashma version finally generates binaries that can encrypt files of all sizes.

The Chaos malware-builder, which climbed up as a wiper from the underground murk nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully-fledged ransomware capabilities.

That’s according to researchers at BlackBerry, who say that Chaos malware is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.

BlackBerry researchers noted the same. Rather than using Ryuk’s AES/RSA-256 encryption process, the “initial edition of Chaos overwrites the targeted file with a randomized Base64 string,” according to BlackBerry’s new report. “Because the original contents of the files are lost during this process, recovery is not possible, thus making Chaos a wiper rather than true ransomware.”

After putting the builder out in underground forums and catching plenty of snark and flak from fellow Dark Web denizens for hijacking the Ryuk brand, the group consequently named itself Chaos. The malware also cycled rapidly through several different versions, each with incremental changes that gave it more and more true ransomware capabilities. However, the wiper functionality persisted through version four.

“Based on the forums, the original ransomware is believed to be developed by a solo author,” Ismael Valenzuela, vice president of threat research & intelligence at BlackBerry’s Cybersecurity Business Unit, tells Dark Reading. “This author appears new to the ransomware scene, as they were requesting feedback, bug reports, and feature requests, and the early releases were missing basic features, such as multi-threading, which are common in other ransomware.”

Inside the Chaos

Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read_it.txt.”

“This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note,” according to BlackBerry’s analysis. “In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat.”

Over time, the malware has added more sophisticated capabilities, such as the ability to:

  • Delete shadow copies
  • Delete backup catalogs
  • Disable Windows recovery mode
  • Change the victim’s desktop wallpaper
  • Use customizable file-extension lists
  • Offer better encryption compatibility
  • Run on startup
  • Drop the malware as a different process
  • Sleep prior to execution
  • Disrupt recovery systems
  • Propagate the malware over network connections
  • Choose a custom encryption file-extension
  • Disable the Windows Task Manager

Actual encryption capabilities (using AES-256) have been included only since the third version of the malware; even then, the builder could only encrypt files smaller than 1MB. It was still acting as a destructor for large files (such as photos or videos).

“The code is written in such a way that the wiper function is certainly not accidental. It’s unclear why the authors made this choice,” Valenzuela says. “It’s possible the malware authors made the decision for performance reasons. If the malware was working slowly through a directory of multi-GB videos or database files, there’s a small chance the user might notice and be able to power off the device.”

Chaos, Version Four: ‘Onyx’ Ransomware, Still With Wiper

Though version four of the Chaos builder was released late last year, it got a boost when a threat group named Onyx created its own ransomware with it last month. This version quickly became the most common Chaos malware edition directly observed in the wild today, according to the firm. Notably, while the ransomware was improved to be able to encrypt slightly larger files – up to 2.1MB in size – larger files are still overwritten and destroyed.
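The size cutoffs above decide whether a file can ever be recovered: below the cutoff it was AES-256 encrypted (recoverable only with the key), above it the builder overwrote the file, and the early versions filled files with a randomized Base64 string. The following triage helper is an added example, not BlackBerry's or the builder's code; it assumes decimal megabytes for the 1MB and 2.1MB limits and uses the Base64-alphabet check as a heuristic to separate wiped files from encrypted ones during incident response.

```python
import os
import string
from dataclasses import dataclass

# Size ceilings reported for genuine encryption per builder generation: v3
# encrypted only files under 1 MB, v4 ("Onyx") up to 2.1 MB; larger files were
# overwritten. Decimal megabytes are an assumption made here.
SIZE_LIMITS = {"v3": 1_000_000, "v4": 2_100_000}

# Standard Base64 alphabet plus padding. A body drawn entirely from this set
# matches the "randomized Base64 string" overwrite of early Chaos; heuristic only.
B64_ALPHABET = frozenset((string.ascii_letters + string.digits + "+/=").encode())


@dataclass
class Verdict:
    path: str
    size: int
    status: str  # "overwritten" (unrecoverable) or "encrypted" (key needed)
    reason: str


def looks_like_base64_blob(data: bytes) -> bool:
    """True when every non-whitespace byte is in the Base64 alphabet."""
    body = bytes(b for b in data if b not in b"\r\n\t ")
    return len(body) > 0 and all(b in B64_ALPHABET for b in body)


def classify_bytes(path: str, data: bytes, version: str = "v4") -> Verdict:
    """Decide whether a file hit by the builder was destroyed or merely encrypted."""
    size, limit = len(data), SIZE_LIMITS[version]
    if size > limit:
        return Verdict(path, size, "overwritten", f"{size} B exceeds the {version} limit of {limit} B")
    if looks_like_base64_blob(data[:4096]):
        return Verdict(path, size, "overwritten", "body is a Base64 string, matching the wiper overwrite")
    return Verdict(path, size, "encrypted", "under the size limit and not Base64; AES-256 key needed")


def classify_file(path: str, version: str = "v4") -> Verdict:
    with open(path, "rb") as fh:
        return classify_bytes(path, fh.read(), version)


def triage_directory(root: str, marker_ext: str, version: str = "v4") -> list[Verdict]:
    """Classify every file under `root` carrying the attacker-chosen extension."""
    return [classify_file(os.path.join(d, n), version)
            for d, _, names in os.walk(root) for n in names if n.endswith(marker_ext)]
```

Run `triage_directory` against a copy of the affected share with the custom extension the note references, and prioritise restore-from-backup for anything marked "overwritten".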

The latest attacks have been directed toward US-based services and industries, including emergency services, medical, finance, construction, and agriculture, according to BlackBerry.

“This particular threat group [infiltrates] a victim organization’s network, [steals] any valuable data it found, then would unleash ‘Onyx ransomware,’ their own branded creation based on Chaos Builder v4.0,” researchers said – something researchers were able to verify with sample tests that showed a 98% code match to a test sample generated via Chaos v4.0. The only changes were a customized ransom note and a refined list of file extensions.
