Security researchers are tracking a newly developed piece of malware that they believe could be released into the wild soon. The malware, which is still under construction, is called Chaos and was spotted in underground ads offering it for testing. Notably, Chaos is advertised as ransomware, but analysis shows its behaviour is closer to that of a wiper.
“Since June 2021, we’ve been monitoring an in-development ransomware builder called Chaos, which is being offered for testing on an underground forum. While it’s purportedly a .NET version of Ryuk, closer examination of the sample reveals that it doesn’t share much with the notorious ransomware,” Trend Micro researcher Monte de Jesus wrote in an analysis.
Four Different Versions of Chaos Ransomware Observed So Far
The malware is now in its fourth version and still resembles a destructive trojan more than traditional ransomware. Its development has moved quickly, de Jesus says: “Chaos has undergone rapid evolution from its very first version to its current iteration, with version 1.0 having been released on June 9, version 2.0 on June 17, version 3.0 on July 5, and version 4.0 on Aug. 5.”
The first version of Chaos carried Ryuk branding in its GUI, but that was the only thing it shared with the infamous ransomware. Instead of encrypting files, the first iteration replaced each file’s contents with random bytes and then Base64-encoded the result. Because the original data was discarded rather than encrypted, the files could not be restored by anyone, the operator included, which left victims with no incentive to pay the ransom.
Chaos did display some ransomware-like characteristics, such as enumerating specific file paths and locations to target. It also dropped a ransom note named read_it.txt demanding payment in Bitcoin.
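The v1 behaviour described above (contents replaced by Base64-encoded random bytes, plus a read_it.txt note) is something an incident responder can check for when deciding whether files are worth trying to recover. The triage script below is an added example written for this article; it is not Trend Micro’s code or the malware’s. It flags files whose entire contents are a single Base64 blob that decodes to near-uniformly random bytes, and notes whether a read_it.txt file is present. The sample “filesystem” is constructed in the script, and the note text, file names and entropy threshold are assumptions of the example.

```python
from __future__ import annotations

import base64
import binascii
import math
import os
import random

# Standard Base64 alphabet with optional '=' padding, whole file must match.
_B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_chaos_v1_overwrite(content: bytes, min_entropy: float = 7.5) -> bool:
    """Heuristic for the pattern described in the article: the file is one Base64
    blob that decodes to high-entropy bytes. Base64 of ordinary data (text,
    certificates) decodes to low entropy and is not flagged. A decoded size
    floor of 1 KiB is an assumption so the entropy estimate is meaningful.
    Note: Base64-encoded ciphertext would look the same, so a hit supports,
    but does not by itself prove, that nothing is recoverable."""
    body = content.strip()
    if not body or len(body) % 4 != 0:
        return False
    payload = body.rstrip(b"=")
    if len(body) - len(payload) > 2 or any(c not in _B64_CHARS for c in payload):
        return False
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(decoded) < 1024:
        return False
    return shannon_entropy(decoded) >= min_entropy


def triage(files: dict[str, bytes]) -> dict:
    """Classify a {path: contents} mapping: report whether a read_it.txt note
    exists and which files match the overwrite pattern (sorted for stable output)."""
    note_present = any(os.path.basename(p).lower() == "read_it.txt" for p in files)
    overwritten = sorted(
        p for p, data in files.items()
        if os.path.basename(p).lower() != "read_it.txt"
        and looks_like_chaos_v1_overwrite(data)
    )
    return {"ransom_note": note_present, "unrecoverable": overwritten}


# Constructed sample filesystem (not real victim data). A fixed seed keeps the
# "random" payload reproducible; real Chaos output would be unpredictable.
_rng = random.Random(2021)
_RANDOM_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_FILES: dict[str, bytes] = {
    # Overwritten in the v1 style: Base64 of random bytes, original content gone.
    "Documents/report.docx": base64.b64encode(_RANDOM_PAYLOAD),
    # Untouched binary file; not Base64 at all.
    "Documents/invoice.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    # Legitimate Base64 of low-entropy text; must NOT be flagged.
    "Documents/cert.b64": base64.b64encode(b"-----BEGIN CERTIFICATE-----\n" * 40),
    # Constructed placeholder note; the article only says it demanded Bitcoin.
    "Documents/read_it.txt": b"Your files are gone. Send Bitcoin to recover them.\n",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
```

Run stand-alone, the script reports the ransom note as present and lists only report.docx as unrecoverable; the PDF and the Base64-encoded certificate pass through untouched. In a real response the file dictionary would be built by walking the affected volumes, and a positive result should be read together with the article’s point: a v1 sample never held a key, so “decryption” was never on offer.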
Chaos version 1.0 also included a worming function that copied the malware to every drive on the compromised system. Because that includes removable drives, infected media could carry it across an air gap.
Version 2.0 changed little in this respect: de Jesus says the malware still overwrote its targets’ files, and because those files could not be restored, victims refused to pay the ransom, as forum posts show.
Chaos version 3.0 added the ability to encrypt files smaller than 1 MB using AES/RSA, bringing it closer to what traditional ransomware does. The third version also shipped with its own decrypter builder.
Chaos version 4.0 extends the AES/RSA encryption by raising the size limit on files that can be encrypted to 2 MB. It also lets users of the builder add their own file extensions and change the victim’s desktop wallpaper.
Trend Micro says it hasn’t seen any active infections or victims of the Chaos ransomware. “However, in the hands of a malicious actor who has access to malware distribution and deployment infrastructure, it could cause great damage to organizations,” the analysis notes.