Chaos Malware under Construction

A malware called Chaos has been spotted, which is being advertised on darkweb as being available for testing. While it calls itself ransomware, an analysis revealed that it’s actually more of a wiper. Chaos has been available, and has already cycled through four different versions.

Chaos started out purporting to be a .NET version of the Ryuk ransomware, its first version reveals very little of this supposed heritage. Instead, the sample is more akin to a destructive trojan than to traditional ransomware

Instead of encrypting files it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom. This version has self spreading worm capabilities

First version of Chaos searched for various file paths and extensions to infect, and then dropped a ransomware note named read_it.txt, asking for .147 Bitcoin, which is around $6,600 at today’s exchange rate.

Second version meanwhile added advanced options for administrator privileges, the ability to delete all volume shadow copies and the backup catalog, and the ability to disable Windows recovery mode.

Chaos became more ransomware-ish with version 3.0, when it added encryption to the mix. This sample had the ability to encrypt files under 1 MB using AES/RSA encryption, and featured a decryptor-builder, according to the researcher.

Fourth iteration of Chaos appeared on the forum, with an expansion of the AES/RSA encryption feature. Now, files up to 2MB in size can be encrypted.

Chaos “ransomware” is still clearly under construction, de Jesus noted, so new versions are likely on the horizon. For instance, it lacks the data-exfiltration capabilities that almost all major ransomware families have now to allow for double-extortion attempts an oversight that will likely be remedied.