Chaos, an under-construction malware promoted on an underground forum as being available for testing, has been discovered. While it claims to be ransomware, an investigation discovered that it is more of a wiper.
According to Trend Micro researcher Monte de Jesus, Chaos has been around since June and has already cycled through four different versions, the most recent of which was launched on August 5. According to him, this quick development could suggest it’ll be ready for primetime soon, although it hasn’t been used in actual attacks yet.
Chaos first pretended to be a .NET version of the Ryuk ransomware, a fully fleshed-out ploy, complete with Ryuk branding on its GUI. However, looking under the hood of its first version reveals relatively little of this claimed history, according to de Jesus. In a Tuesday examination, he remarked that the sample is “more akin to a destructive trojan than to traditional ransomware.”
“Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom,” he explained.
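A defender-side triage check for the wiping behaviour quoted above, added here as an example and not code from Trend Micro or the article: it flags file bodies that are strict Base64 decoding to near-random bytes, which is exactly why such files cannot be restored even after decoding. The `classify` helper, its entropy threshold and the sample bodies are assumptions of this example.

```python
import base64
import binascii
import math
import os
import re

# Strict Base64 body: standard alphabet, optional '=' padding, no whitespace.
_B64_RE = re.compile(rb"\A[A-Za-z0-9+/]+={0,2}\Z")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for random bytes, far lower for text and most formats."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(content: bytes, min_len: int = 64) -> str:
    """
    Triage a file body against the Chaos v1 wiper pattern described by Trend Micro:
    original contents replaced with random bytes, then Base64-encoded.
    Returns 'wiped-like', 'base64-text' (Base64 that decodes to low-entropy data,
    e.g. an encoded document) or 'other'. Heuristic: a triage signal, not proof.
    """
    body = content.strip()
    if len(body) < min_len or not _B64_RE.match(body):
        return "other"
    try:
        decoded = base64.b64decode(body, validate=True)
    except binascii.Error:
        return "other"
    # Random bytes decode to ~8 bits/byte; a Base64-wrapped real file will not.
    return "wiped-like" if shannon_entropy(decoded) > 7.5 else "base64-text"


# Constructed samples (not real artifacts): an intact text file, the same file
# legitimately Base64-encoded, and a body shaped like a Chaos v1 wiped file.
SAMPLE_INTACT = b"Quarterly report\nRevenue grew 12% year over year.\n" * 4
SAMPLE_B64_DOC = base64.b64encode(SAMPLE_INTACT)
SAMPLE_WIPED = base64.b64encode(os.urandom(4096))

if __name__ == "__main__":
    for name, body in [("intact", SAMPLE_INTACT), ("b64_doc", SAMPLE_B64_DOC), ("wiped", SAMPLE_WIPED)]:
        print(f"{name:8s} -> {classify(body)}")
```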
How does Chaos malware work?
Chaos has a few additional interesting tricks up its sleeve in this version.
“One of the more interesting functions of Chaos version 1.0 was its worming function, which allowed it to spread to all drives found on an affected system. This could permit the malware to jump onto removable drives and escape from air-gapped systems,” noted de Jesus.
This first version of Chaos searched for various file locations and extensions to infect, then dropped a ransom note named read_it.txt demanding 0.147 Bitcoin, which at today’s exchange rate is roughly $6,600.
Meanwhile, the second version added advanced administrator capabilities, the ability to remove all disk shadow copies and the backup catalog, and the ability to disable Windows recovery mode.
“However, version 2.0 still overwrote the files of its targets. Members of the forum where it was posted pointed out that victims wouldn’t pay the ransom if their files couldn’t be restored,” explained de Jesus.
With version 3.0, Chaos added encryption to the mix, making it more ransomware-like. According to the researcher, this sample could encrypt data under 1 MB using AES/RSA encryption and included a decryptor-builder.
The fourth iteration of Chaos surfaced on the forum in early August, including an enhancement of the AES/RSA encryption feature. Encryption is now possible for files up to 2 MB in size.
According to the analysis, operators can append their own custom extensions to encrypted files, just like other ransomware. It also allows them to change their victims’ desktop wallpaper.
According to a recent report, ransomware has been rising in 2021, with global attack volume growing by 151% in the first half of the year compared to the same period the previous year.
Meanwhile, the FBI has issued a warning that there are now more than 100 different strains of the virus moving around the world.

According to de Jesus, the Chaos “ransomware” is still plainly under construction, so additional versions are likely on the way. For example, it lacks the data-exfiltration capability that almost all major ransomware families now have to enable double-extortion attempts, a gap that will almost certainly be filled.
According to the researcher, Chaos is essentially proof-of-concept malware for the time being, but one that “could be dangerous in the wrong hands” due to its capacity to destroy files.
“In the hands of a malicious actor who has access to malware distribution and deployment infrastructure, it could cause great damage to organizations,” he noted.