Chaos ransomware is a new malware variant under active development that has been advertised on an underground forum and made available for testing, according to Trend Micro. In a recent blog post describing the malware, Trend Micro security researcher Monte de Jesus explained that it first appeared in June 2021 and has already gone through four versions; that pace of development suggests it may soon be ready for use in real-world attacks.
The developer, or whoever is promoting Chaos ransomware, initially claimed it was a .NET version of Ryuk ransomware. While the GUI closely resembled Ryuk's, analysis of the code uncovered very little else in common with Ryuk. The first version behaved more like a destructive Trojan than ransomware: it wiped data and offered no way to restore it.
Monte de Jesus said his analysis showed that Chaos ransomware replaces the contents of files with random bytes and then Base64-encodes the result. Because the original content is discarded rather than encrypted, there is no key that could recover the data after an attack, whatever the victim pays. The first version of Chaos ransomware nonetheless dropped a ransom note demanding 0.147 BTC, around $6,600 at the time.
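That distinction matters for incident response: a file overwritten with random bytes and Base64-encoded looks superficially like ciphertext, but decoding it yields nothing any key could turn back into the original. The Python triage helper below is an added example written for this page, not code from Trend Micro's report or from the Chaos builder. It models the reported behaviour on a constructed sample document (length-preserving replacement and the seeded RNG are assumptions made to keep the demo deterministic), then classifies a suspect file as Base64-wrapped high-entropy junk, Base64-wrapped known format, or not Base64 at all, so responders can tell quickly whether decryption is even a meaningful goal.

```python
import base64
import binascii
import math
import random
from typing import Dict, Optional

# Constructed sample document (not a file recovered from a real incident).
PLAINTEXT_DOC = b"Quarterly revenue report. Region: EMEA. Total: 1,204,330 USD.\n" * 64

# Constructed comparison samples: a genuinely Base64-wrapped PDF header and
# Base64-wrapped low-entropy text, to show the other two verdicts.
SAMPLE_B64_PDF = base64.b64encode(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n")
SAMPLE_B64_TEXT = base64.b64encode(b"hello world hello world hello world")


def chaos_v1_style_wipe(data: bytes, rng: random.Random) -> bytes:
    """Model of the behaviour reported for the first Chaos build: the original
    bytes are thrown away, random bytes are generated in their place and the
    result is Base64-encoded. Nothing derived from the content survives, so no
    key could ever reverse it. Length-preserving replacement is an assumption
    made for this demo; the seeded RNG only keeps the example deterministic."""
    junk = bytes(rng.getrandbits(8) for _ in range(len(data)))
    return base64.b64encode(junk)


def demo_wiped() -> bytes:
    """The constructed document after a modelled Chaos v1-style wipe."""
    return chaos_v1_style_wipe(PLAINTEXT_DOC, random.Random(2021))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: uniformly random data approaches 8.0, prose sits near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def strict_b64decode(data: bytes) -> Optional[bytes]:
    """Decode only canonical Base64 (valid alphabet, padding, exact round-trip);
    anything else is treated as 'not Base64-wrapped'."""
    s = data.strip()
    if not s or len(s) % 4:
        return None
    try:
        decoded = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return decoded if base64.b64encode(decoded) == s else None


# Signatures of common formats. If the decoded payload starts with one of these,
# the file was merely Base64-wrapped and decoding recovers it. Two-byte
# signatures are left out so false matches on random bytes stay negligible.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"\xd0\xcf\x11\xe0": "ole",
}


def triage(data: bytes, entropy_threshold: float = 7.5) -> Dict[str, object]:
    """Classify a suspect file. 'base64_wrapped_high_entropy' is the pattern
    reported for Chaos v1: decoding succeeds but yields structureless random
    bytes, so the only road back is backups, not a decryptor."""
    decoded = strict_b64decode(data)
    if decoded is None:
        return {"base64": False, "verdict": "not_base64_wrapped"}
    fmt = next((name for sig, name in KNOWN_MAGIC.items() if decoded.startswith(sig)), None)
    entropy = shannon_entropy(decoded)
    if fmt is not None:
        verdict = "base64_wrapped_known_format"
    elif entropy >= entropy_threshold:
        verdict = "base64_wrapped_high_entropy"
    else:
        verdict = "base64_wrapped_low_entropy"
    return {
        "base64": True,
        "decoded_len": len(decoded),
        "entropy": round(entropy, 2),
        "format": fmt,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(PLAINTEXT_DOC))
    print(triage(demo_wiped()))
    print(triage(SAMPLE_B64_PDF))
    print(triage(SAMPLE_B64_TEXT))
```

The entropy threshold cannot, on its own, distinguish random bytes from real ciphertext, which is equally high-entropy; what it does do is rule out the cases where decoding alone recovers the file, and confirm that a "decryptor" would have nothing structured to work on. Confirming that no content survived still requires comparing against a known-good copy or backup.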
The malware is dangerous not only because of its destructive behaviour but also because of its worming functionality: it spreads to every drive on an infected system, removable media included. An infected USB drive later plugged into an air-gapped device could therefore carry it onto otherwise isolated systems.
The second version gained the ability to delete volume shadow copies and the backup catalog and to disable Windows recovery mode, all aimed at preventing recovery, but it still offered no way to recover the files it destroyed. The third release was the first to actually encrypt data, using AES/RSA on files under 1 MB, and came with a decryptor builder. The latest version, released on August 5, 2021, expanded the encryption options: it encrypts all files under 2 MB, lets the operator set the extension appended to encrypted files, and can change the desktop wallpaper on victims' devices.
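The recovery-inhibition steps described for the second build correspond to MITRE ATT&CK T1490 (Inhibit System Recovery) and are normally carried out with Windows built-ins: vssadmin and wmic to delete shadow copies, wbadmin to delete the backup catalog, and bcdedit to switch off recovery mode. The article does not list the exact command lines Chaos issues, so the patterns below are an assumption based on those standard tools. This Python detector is an added example and not part of Trend Micro's analysis; it runs the patterns over constructed process-creation log lines (a simplified key=value rendering of the fields a Sysmon Event ID 1 record carries) and escalates any host where more than one distinct recovery-inhibition technique fires, since a single shadow-copy deletion may be routine administration while the full set in quick succession is the classic pre-encryption sequence.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed process-creation events (not captured from a real incident).
# Simplified key=value rendering of the fields a Sysmon Event ID 1 record carries.
SAMPLE_EVENTS = [
    'ts=2021-08-05T10:01:12Z host=WS01 user=jdoe cmd="vssadmin list shadows"',
    'ts=2021-08-05T10:02:03Z host=WS01 user=jdoe cmd="notepad.exe C:\\Users\\jdoe\\notes.txt"',
    'ts=2021-08-05T10:05:40Z host=WS01 user=jdoe cmd="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"',
    'ts=2021-08-05T10:05:41Z host=WS01 user=jdoe cmd="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no"',
    'ts=2021-08-05T10:05:42Z host=WS01 user=jdoe cmd="cmd.exe /c wbadmin delete catalog -quiet"',
    'ts=2021-08-05T10:07:00Z host=SRV02 user=backupsvc cmd="wbadmin start backup -backupTarget:E: -include:C:"',
]

# Assumed command lines for each recovery-inhibition action (ATT&CK T1490).
# These are the standard Windows tools for the job; that Chaos invokes exactly
# these strings is an assumption, not something the article states.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE)),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.IGNORECASE)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.IGNORECASE)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.IGNORECASE)),
]

LINE_RE = re.compile(r'ts=(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd="(?P<cmd>.*)"$')


def parse_event(line: str) -> Dict[str, str]:
    """Split one log line into its fields. Malformed input raises rather than
    being dropped silently, so gaps in telemetry stay visible to the analyst."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def match_rules(cmd: str) -> List[str]:
    """Names of every T1490 rule whose pattern appears in the command line.
    A chained 'a & b' command can legitimately trigger several rules at once."""
    return [name for name, pattern in RULES if pattern.search(cmd)]


def detect(events: List[str]) -> List[Dict[str, object]]:
    """Return the parsed events that matched at least one rule, with rule names attached."""
    hits: List[Dict[str, object]] = []
    for line in events:
        event = parse_event(line)
        rules = match_rules(event["cmd"])
        if rules:
            hits.append({**event, "rules": rules})
    return hits


def hosts_to_escalate(hits: List[Dict[str, object]], min_distinct_rules: int = 2) -> List[str]:
    """A lone shadow-copy deletion may be admin housekeeping; several distinct
    recovery-inhibition techniques on one host is the ransomware pre-encryption
    pattern and warrants an immediate response."""
    techniques: Dict[str, set] = defaultdict(set)
    for hit in hits:
        techniques[str(hit["host"])].update(hit["rules"])
    return sorted(host for host, rules in techniques.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print(f'{hit["ts"]} {hit["host"]} {hit["user"]}: {", ".join(hit["rules"])}')
    print("escalate:", hosts_to_escalate(hits))
```

On the constructed input the benign `vssadmin list shadows` and the backup job on SRV02 produce no hits, the three chained commands on WS01 produce five distinct rule matches, and WS01 is the only host escalated. In production the same rules would be applied to the CommandLine field of real Sysmon or Security 4688 events, ideally with a per-host time window so that the "several techniques in quick succession" signal is not diluted by unrelated activity hours apart.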
Chaos is still under active development and further versions are expected. At present it cannot exfiltrate data before encrypting it, although that may change in later builds.
“In our view, the Chaos ransomware builder is still far from being a finished product since it lacks features that many modern ransomware families possess, such as the ability to collect data from victims that could be used for further blackmail if the ransom is not paid,” said Monte de Jesus. “In the hands of a malicious actor who has access to malware distribution and deployment infrastructure, it could cause great damage to organizations.”