New Chaos Malware Variant Ditches Wiper for Encryption

Tara Seals
Managing Editor, News, Dark Reading

The Chaos malware builder, which first surfaced in the underground as a wiper nearly a year ago, has shape-shifted with a rebranded binary dubbed Yashma that incorporates fully fledged ransomware capabilities.

That’s according to researchers at BlackBerry, who say that Chaos is on track to become a significant threat to businesses of every size.

Chaos began life last June purporting to be a builder for a .NET version of the Ryuk ransomware – a ruse its operators leaned into hard, even using Ryuk branding on its user interface. However, a Trend Micro analysis at the time showed that binaries created with this initial version shared very little heritage with the well-known ransomware baddie. Instead, the sample was “more akin to a destructive trojan than to traditional ransomware,” the firm noted – mainly overwriting files and rendering them unrecoverable.

Inside the Chaos
Chaos targets more than 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK, and .INI – presumably to prevent crashing a victim’s device by locking up system files.

In each folder affected by the malware, it drops the ransom note as “read_it.txt.”

“This option is highly customizable within all iterations of the builder, giving malware operators the ability to include any text they want as the ransom note,” according to BlackBerry’s analysis. “In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat.”

Over time, the malware has added more sophisticated capabilities, such as the ability to:

  • Delete shadow copies
  • Delete backup catalogs
  • Disable Windows recovery mode
  • Change the victim’s desktop wallpaper
  • Use customizable file-extension lists
  • Offer better encryption compatibility
  • Run on startup
  • Drop the malware as a different process
  • Sleep prior to execution
  • Disrupt recovery systems
  • Propagate the malware over network connections
  • Choose a custom encryption file-extension
  • Disable the Windows Task Manager
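Several of the capabilities listed above (shadow-copy deletion, backup-catalog deletion, disabling recovery mode, disabling Task Manager) leave traces in process-creation telemetry, and seeing more than one of them on a single host is a stronger ransomware signal than any one alone. The following Python is an added detection example, not code from the article or from BlackBerry; the article does not name the underlying commands, so the command-line patterns, the `host|parent_image|command_line` record format and the sample records are all assumptions constructed for illustration.

```python
import re

# Recovery-inhibition behaviours the article attributes to Chaos/Yashma, mapped to
# the command-line patterns defenders commonly watch for. The article does not name
# these commands; the patterns are assumed here and should be tuned to local telemetry.
RECOVERY_INHIBITION_PATTERNS = {
    "delete_shadow_copies": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "delete_backup_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "disable_recovery_mode": re.compile(
        r"bcdedit(\.exe)?\s.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "disable_task_manager": re.compile(r"DisableTaskMgr", re.I),
}

def parse_event(line):
    """Parse one constructed 'host|parent_image|command_line' process-creation record."""
    parts = line.strip().split("|", 2)
    return dict(zip(("host", "parent", "command_line"), parts)) if len(parts) == 3 else None

def detect_recovery_inhibition(lines):
    """Return (host, behaviour, command_line) for every record matching a pattern."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed records instead of crashing the pipeline
        for behaviour, pattern in RECOVERY_INHIBITION_PATTERNS.items():
            if pattern.search(ev["command_line"]):
                findings.append((ev["host"], behaviour, ev["command_line"]))
    return findings

def hosts_to_triage(findings, min_behaviours=2):
    """One shadow-copy deletion can be routine admin work; several distinct
    recovery-inhibition behaviours on the same host is the ransomware signal."""
    by_host = {}
    for host, behaviour, _ in findings:
        by_host.setdefault(host, set()).add(behaviour)
    return sorted(h for h, seen in by_host.items() if len(seen) >= min_behaviours)

# Constructed sample records (not real telemetry); 'unknown.exe' is a placeholder parent.
SAMPLE_LOG = [
    "WS01|explorer.exe|C:\\Windows\\System32\\notepad.exe read_it.txt",
    "WS01|unknown.exe|vssadmin.exe delete shadows /all /quiet",
    "WS01|unknown.exe|wbadmin.exe delete catalog -quiet",
    "WS01|unknown.exe|bcdedit.exe /set {default} recoveryenabled no",
    "WS01|unknown.exe|reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
    " /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    "SRV02|backup_job.exe|vssadmin.exe delete shadows /for=D: /oldest",
    "malformed record without separators",
]
```

Running `hosts_to_triage(detect_recovery_inhibition(SAMPLE_LOG))` flags only WS01: the lone shadow-copy deletion on SRV02 from a backup job stays below the two-behaviour threshold.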