Family tree

It's not often that we get to observe the 'behind-the-scenes' drama that can accompany the creation of new malware. One such glimpse gave us new insights ...

This version of Chaos encrypts victim files with AES-256, and then appends a key to the end of each file to signify they’ve been encrypted. This makes tracking ransomware attacks attributed to Chaos quite difficult, as Indicators of Compromise (IOCs) can change with each sample a malware builder produces. The ransom note for Onyx (seen below in Figure 12) gave the address, login and password credentials that enabled the victim to logon and engage in a discussion with the threat actors behind the ransomware attack. When a file is encrypted by this newer version of Chaos, it appends an “Encryption Key” to the beginning of every encrypted file, as shown in Figure 8. In all versions of Chaos Ransomware Builder, the default note stays relatively unchanged, and it includes references to the Bitcoin wallet of the apparent creator of this threat. The Onyx group simply customized their ransom note and created a refined list of file extensions they wished to target. However, this version of the malware will still overwrite files greater than 1MB in a similar fashion to its predecessors, leaving them unrecoverable. It also (deceptively) continues to call itself ransomware, although the actual functionality remained that of a file-wiper. Though Chaos ransomware builder has only been in the wild for a year, Yashma claims to be the sixth version (v6.0) of this malware. The new malware generated by this initial “ransomware builder” was quite basic, and it lacked a lot of functionality expected from a typical piece of ransomware. Because the original contents of the files are lost during this process (seen in Figure 4), recovery is not possible, thus making Chaos a wiper rather than true ransomware. By claiming to be Ryuk, the dark web promotion of this builder sparked much analysis and research activity by the wider cybersecurity and reverse-engineering communities.