New Chaos Malware Ditches Wiper variant for encryption
The Chaos malware builder, which crawled out of the cybercriminal underground nearly a year ago as a file-wiping tool, has changed shape with a rebranded Yashma binary that incorporates full-fledged ransomware capabilities.
That’s according to BlackBerry researchers, who say Chaos is becoming a significant threat to businesses of all sizes.
Chaos began life last June pretending to be a builder for a .NET version of Ryuk ransomware, a ruse its operators leaned hard into, even using the Ryuk branding on its user interface. However, an analysis by Trend Micro at the time showed that the binaries created with this initial release had very little in common with the well-known ransomware. Instead, the sample was “closer to a destructive Trojan horse than traditional ransomware”, the company noted, mostly overwriting files and rendering them unrecoverable.
BlackBerry researchers noted the same thing. Rather than using Ryuk’s AES/RSA-256 encryption process, “the initial edition of Chaos overwrites the targeted file with a random Base64 string,” according to BlackBerry’s new report. “Because the original contents of the files are lost during this process, recovery is not possible, thus making Chaos a wiper rather than an actual ransomware.”
After putting the builder on underground forums and getting a lot of snark and flak from other Dark Web dwellers for hijacking the Ryuk brand, the group subsequently named itself Chaos. The malware also quickly went through several different versions, each with incremental changes that gave it more and more true ransomware capabilities. However, the wiper functionality persisted through version four.
“Based on the forums, the original ransomware was allegedly developed by a solo author,” Ismael Valenzuela, vice president of research and threat intelligence at BlackBerry’s cybersecurity business unit, told Dark Reading. “This author seems new to the ransomware scene, asking for feedback, bug reports, and feature requests, and early versions lacked basic features, such as multi-threading, that are common in many other ransomware.”
Chaos targets over 100 default file extensions for encryption and also has a list of files it avoids targeting, including .DLL, .EXE, .LNK and .INI – presumably to avoid crashing the device of a victim by locking system files.
In each folder the malware affects, it drops a ransom note named “read_it.txt”.
“This option is highly customizable across all builder iterations, giving malware operators the flexibility to include any text they wish as a ransom note,” according to BlackBerry’s analysis. “In all versions of Chaos Ransomware Builder, the default note remains relatively unchanged and includes references to the Bitcoin wallet of the apparent creator of this threat.”
Over time, the malware added more sophisticated features, such as the ability to:
- Delete Shadow Copies
- Delete backup catalogs
- Disable Windows Recovery Mode
- Change the victim’s wallpaper
- Customizable file extension lists
- Better encryption compatibility
- Run at startup
- Remove malware as a different process
- Sleep before execution
- Disrupt recovery systems
- Spread malware over network connections
- Choose a custom encryption file extension
- Disable Windows Task Manager
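As an added defensive example (not code from BlackBerry’s report or from the Chaos builder), the Python below scans constructed process-creation log lines for the Windows recovery-disruption commands that correspond to the “Delete Shadow Copies”, “Delete backup catalogs” and “Disable Windows Recovery Mode” options above, and flags a host when several distinct ones fire within a minute. The log format, hostnames and command lines are assumed sample data.

```python
import re
from datetime import datetime, timedelta
# Constructed process-creation log lines (simplified Sysmon Event ID 1 style);
# sample input made up for this example, not data from BlackBerry's report.
SAMPLE_LOGS = [
    "2022-05-24T10:01:02Z host=WS01 user=alice cmdline=vssadmin delete shadows /all /quiet",
    "2022-05-24T10:01:03Z host=WS01 user=alice cmdline=wbadmin delete catalog -quiet",
    "2022-05-24T10:01:04Z host=WS01 user=alice cmdline=bcdedit /set {default} recoveryenabled No",
    "2022-05-24T10:01:05Z host=WS01 user=alice cmdline=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2022-05-24T10:03:00Z host=WS01 user=svc cmdline=vssadmin list shadows",
    "2022-05-24T11:15:00Z host=SRV02 user=backup cmdline=wbadmin delete catalog -quiet",
]
# One pattern per recovery-disruption option in the builder's feature list.
RULES = {
    "Delete Shadow Copies": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "Delete backup catalogs": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    "Disable Windows Recovery Mode": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=\S+\s+cmdline=(?P<cmd>.*)$")

def scan(lines):
    """Return one hit per log line whose command line matches a rule."""
    hits = []
    for m in filter(None, map(LINE_RE.match, lines)):
        for name, pattern in RULES.items():
            if pattern.search(m["cmd"]):
                ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
                hits.append({"host": m["host"], "ts": ts, "rule": name, "cmd": m["cmd"]})
    return hits

def correlate(hits, window_seconds=60, min_rules=2):
    """Hosts on which at least min_rules distinct rules fire within window_seconds.
    A lone catalog deletion can be legitimate admin work; a burst of distinct
    recovery-disruption commands is the pre-encryption pattern worth alerting on."""
    by_host, window = {}, timedelta(seconds=window_seconds)
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_host.setdefault(h["host"], []).append(h)
    flagged = []
    for host, hs in by_host.items():
        for i, first in enumerate(hs):
            if len({x["rule"] for x in hs[i:] if x["ts"] - first["ts"] <= window}) >= min_rules:
                flagged.append(host)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print("hosts with a recovery-disruption burst:", correlate(scan(SAMPLE_LOGS)))
```

Tuning `min_rules` and `window_seconds` trades false positives from routine backup administration against missed detections, so validate the thresholds against your own baseline of legitimate `wbadmin` and `vssadmin` use.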
Actual encryption capabilities (using AES-256) have only been included since the third version of the malware; even then, the builder could only encrypt files smaller than 1MB. It still acted as a shredder for large files (such as photos or videos).
“The code is written in such a way that the wiper function is certainly not accidental. It is not clear why the authors made this choice,” says Valenzuela. “It is possible that the malware authors made this decision for performance reasons. If the malware was running slowly in a multi-GB directory of videos or database files, there is a small chance that the user notices and can turn off the device.”
Chaos, version 4: “Onyx” ransomware, still with wiper
Although Chaos Builder version 4 was released late last year, it received a boost when a threat group named Onyx created its own ransomware with it last month. This build has quickly become the most common Chaos edition seen in the wild today, according to the firm. Notably, while the ransomware has been enhanced to be able to encrypt slightly larger files, up to 2.1MB, larger files are still overwritten and destroyed.
The latest attacks have been directed at US-based services and industries, including emergency services, medicine, finance, construction and agriculture, according to BlackBerry.
“This particular threat group [infiltrates] the network of a victim’s organization, [steals] any valuable data it finds, and then triggers ‘Onyx ransomware’, their own trademark creation based on Chaos Builder v4.0,” the researchers said. The researchers were able to verify this with sample tests that showed a 98% code match with a test sample generated via Chaos v4.0. The only changes were a personalized ransom note and a refined list of file extensions.
Onyx also set up a leak site called “Onyx News” hosted on the Tor network, with information about its victims and stolen data publicly available. The site is also used to give victims more information on how to recover their data.
“The best advice we could offer to companies [targeted with the Onyx wiper] is to maintain regular backups, which are stored separately, and not pay the ransom because most of their files are not recoverable due to their design,” says Valenzuela. “Again, proper incident command is paramount, something that is always best planned in advance.”
Chaos wiper runs away with Yashma
In early 2022, Chaos released a fifth version of its builder, which eventually generated ransomware binaries capable of encrypting large files without corrupting them beyond repair.
“Although slower to perform its malicious tasks on the victim device than when it was simply destroying files, the malware ultimately works as intended, with files of all sizes being properly encrypted by the malware and retaining the ability to be restored to their old, unencrypted state,” the researchers note.
A nearly identical sixth iteration soon followed in mid-2022 – renamed Yashma.
“Malware-as-a-service [MaaS] is a popular model nowadays; however, a unique selling point for Chaos is that until the rebranding to Yashma, all versions were free,” notes Valenzuela. “That said, Yashma versions are still only $17, making the ransomware widely accessible.”
Yashma incorporates two advancements over the fifth version: the ability to block ransomware from running based on the language set on the victim device and the ability to stop various services.
Regarding the latter, Yashma ends the following:
- Antivirus (AV) Solutions
- Vault services
- Backup Services
- Storage Services
- Remote Desktop Services
Both of these versions have seen little action in the wild to date, which means that Chaos ransomware attacks will more often than not incorporate a destructive erasure dimension. But it’s likely that binaries based on all iterations of the builder will become more common over time.
“What makes Chaos/Yashma dangerous in the future is its flexibility and widespread availability,” the researchers noted in the report. “As the malware is initially sold and distributed as a malware creator, any malicious actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims.”
Every business is a target
Valenzuela points out that with Chaos, the level of technical expertise required to use it is relatively low, the builder is free, and the steps needed to generate your own binary are simple.
“No organization or industry is immune to this risk,” he said. “Every business should have a good defensive strategy — including a tested, defensible architecture with a combination of technologies that provide coverage for prevention, visibility, and detection, as well as continuous monitoring complemented by up-to-date threat intelligence — to react early in the attack chain.”
Valenzuela adds, “We’ve seen how many businesses were compromised for days or weeks before the ransomware payloads exploded, so being able to respond quickly to threats is paramount to mitigating the impact of these attacks.”