
rThreat Adversary Spotlight: Chaos Ransomware

Chaos, also known as the Ryuk.net Ransomware Builder, is a relatively new ransomware family that is still being developed and explored.

Ransomware continues to be one of the most popular threat vectors for hackers and is probably the most profitable type of cyberattack, because almost every company would rather pay the ransom than go without access to its electronic information for an extended period of time. One of the developments that makes stopping cybercrime so much more difficult is how easy it has become to create malware. Cybercrime groups create what are called ransomware builders: software applications that allow users to create their own malware. This means that script kiddies, people who have little or no technical knowledge, are still able to create highly effective pieces of malware. In this article we break down an example of this using the ryuk.net ransomware builder and look at its creation, "Chaos."

How does ryuk.net ransomware builder work?

Not to be confused with the Ryuk ransomware, ryuk.net is a ransomware builder that is sold online and can be used by customers to create their own ransomware variants. The tool is designed to assist people who cannot write malware themselves. Tools like this increase the total number of cybercriminals by removing a barrier to entry, namely technical skill. From the designer's point of view, creating a ransomware builder means they can make money selling their application without doing the work of constantly hacking into companies (a productized service rather than a service model), which creates a passive income stream. The user, in turn, can reduce the chance of getting caught because they are not directly hacking any companies. Below is a screenshot of the ransomware builder's GUI.


Ransomware Builder GUI

Overview of Chaos Ransomware

At this time we do not know who built the ransomware builder, but Chaos is one of the ransomware variants that have been created using this tool. Chaos v1 is a bit strange in that it does not actually encrypt user data. What it really does is corrupt files with Base64 encoding to make them look encrypted, and then demand a $1,500 ransom in BTC to get the information back. Later versions now have the ability to encrypt user data with AES + RSA encryption, acting as normal ransomware would. Based on the payment information, experts are confident that this ransomware is a completely separate project from the Ryuk ransomware found in 2018.

This is the ransom note displayed when it is time for the operators to demand payment:


Ransom Note

How has Chaos changed with new versions?

Since Chaos was detected in June, it has cycled through four versions, the last of which was released on August 5th. One of the reasons this "ransomware" is so bad is that, before encoding the computer's files with base64, it replaces the contents of each file with random bytes and only then base64-encodes the result, so the encoded data no longer has any relation to the original. This means that even if the victim pays, there is no way to restore the affected files (without good backups). This was true at the launch of Chaos; however, there are multiple iterations of this ransomware and each one works a little differently.
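To show what the v1 behaviour described above means for an incident responder, here is an added triage helper (written for this article; it is neither rThreat's code nor anything from Chaos) that classifies a file body as base64 over near-random bytes (the v1 pattern, not recoverable by decoding), base64 over ordinary data (recoverable), or not base64 at all (a plain file, or binary ciphertext such as the AES output of v3/v4). The entropy threshold, minimum length and sample file contents are assumptions constructed for the example.

```python
import base64
import binascii
import math
from collections import Counter
from random import Random

# Hypothetical triage helper for this article; not code from rThreat or from Chaos.
# threshold/min_len are assumed tuning values; short files made only of base64
# characters decode "successfully", so min_len keeps them out of the corrupted bucket.


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for text, close to 8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strict_b64_decode(blob: bytes):
    """Decode only if the whole body (ignoring whitespace) is well-formed base64."""
    stripped = b"".join(blob.split())
    if not stripped or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_file_contents(blob: bytes, threshold: float = 7.0, min_len: int = 64) -> str:
    """Heuristic verdict for one file body: 'chaos_v1_corrupted' (base64 over near-random
    bytes; decoding yields garbage, restore from backup), 'base64_recoverable' (base64 over
    low-entropy data; decoding restores it) or 'not_base64' (plain file, or binary
    ciphertext such as the AES output of v3/v4)."""
    decoded = strict_b64_decode(blob)
    if decoded is None:
        return "not_base64"
    if len(decoded) >= min_len and shannon_entropy(decoded) >= threshold:
        return "chaos_v1_corrupted"
    return "base64_recoverable"


# Constructed sample bodies (not real victim files).
PLAIN_DOC = b"Quarterly report: revenue grew 4% year over year.\n"
BENIGN_B64 = base64.b64encode(PLAIN_DOC * 20)
_rng = Random(7)  # deterministic stand-in for the random bytes Chaos v1 writes
CHAOS_V1_STYLE = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(4096)))


def triage(files: dict) -> dict:
    """Map file name -> verdict for a set of suspected files."""
    return {name: classify_file_contents(body) for name, body in files.items()}
```

Files in the `chaos_v1_corrupted` bucket are the ones for which paying would buy nothing; restoring from backup is the only option.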

In version 1.0, Chaos has a worm-like function that allows it to jump to all types of drives on the affected machine. According to Threatpost, "This could permit the malware to jump onto removable drives and escape from air-gapped systems." This is found in all iterations of Chaos and is likely to remain no matter how the ransomware evolves, because it is highly effective for spreading.

Chaos version 2.0 had more advanced functions that allowed the malware to delete all volume shadow copies and the backup catalog and to disable Windows recovery mode. This feature was removed in the next version because forum members noticed that victims would not pay if there was no means of recovering their information.

Chaos version 3.0 has the ability to encrypt files under 1MB in size with AES/RSA encryption, meaning that it can function as traditional ransomware. It can also decrypt what it has encrypted, giving victims a legitimate reason to consider paying the ransom.

Chaos version 4.0 expands on the encryption capabilities of version 3.0: it can encrypt files up to 2MB in size, operators can add their own extensions to encrypted files, and it is capable of changing the victim's desktop wallpaper.

It is clear that Chaos is still under construction, which is why we have not yet seen any reported cases of companies being hit with this ransomware. However, as it is still being developed, there is a good chance that new features will be added in the near future, meaning that it may become a very dangerous piece of malware as it continues to go through more iterations. Even in its current form, it is important to note that it is still a formidable threat. Below is a screenshot of a modified version of the MITRE ATT&CK framework that highlights all of the attack techniques currently used in the malware to compromise a target:



The Importance of Continuous Security Validation

If you want to ensure your company is protected from Chaos and other threats like it, you need to test your cyber defenses on a regular basis. rThreat's Breach and Attack Emulation platform already contains the latest version of Chaos (v4), even though it was released only earlier this month. Our solution keeps a library of newly released malware that can be used to test your company's environment and ensure you are protected before you are targeted by the malware in the wild. Our platform not only validates the effectiveness of security tools and processes, but can also be used to run drills with your security team so they are trained to rapidly detect and respond to this type of ransomware attack. If you would like to try a demo of rThreat's solution, contact our team here.
