
Chaos Malware

The Chaos Malware is a threat under active development that is being offered on underground hacker forums. The infosec researchers who discovered it note that Chaos is evolving rapidly and is turning into a potent ransomware threat that could cause considerable damage if released in the wild. For now, at least, the Chaos Malware has not been observed in active attack campaigns.

Initial Wiper Incarnation

The first version of the Chaos Malware exhibited some peculiar characteristics. The threat was promoted as a variant of the infamous Ryuk Ransomware, but a look at the underlying code showed that this is simply not true. Furthermore, despite being described as ransomware, this initial version behaved more like a wiper: it replaced the contents of the affected files with random bytes and then encoded the result in Base64. Because the original bytes are discarded rather than transformed under a key, the data is effectively destroyed, and victims have no incentive to pay, which defeats the whole purpose of deploying ransomware. This version also possessed worm-like capabilities that allowed it to spread via removable media. Chaos Malware 1.0 dropped a ransom note in a file named 'read_it.txt' and demanded that 0.147 BTC (Bitcoin) be transferred to the attackers, which at the cryptocurrency's exchange rate at the time of writing amounted to more than $6,800.
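The following Python is an added example, not code from the article or from the Chaos sample itself. It models the 1.0 "wiper" transform described above in memory (random bytes, then Base64) and pairs it with a triage heuristic an incident responder can run over a suspect file body: strictly valid Base64 whose decoded payload is near-random is consistent with this pseudo-encryption, and the recovery check shows that nothing of the original survives. The sample document, the entropy threshold and the byte count generated are constructed assumptions for the demonstration.

```python
import base64
import binascii
import math
import os

# Constructed sample input: an in-memory stand-in for a victim document.
SAMPLE_DOCUMENT = b"Quarterly report: revenue up 12%, headcount 45.\n" * 20


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for random bytes, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chaos_v1_transform(original: bytes) -> bytes:
    """In-memory model of the Chaos 1.0 'encryption' as the article describes it:
    the original bytes are discarded, replaced by random bytes, and the result is
    Base64-encoded. No key is involved, so there is nothing to reverse.
    Assumption: the amount of random data matches the original length; the real
    sample's exact byte count is not stated in the article."""
    junk = os.urandom(len(original))
    return base64.b64encode(junk)


def looks_like_chaos_v1_output(blob: bytes, min_entropy: float = 7.0) -> bool:
    """Triage heuristic for a file body. Genuine documents either fail strict
    Base64 decoding (spaces, punctuation, newlines) or decode to structured,
    lower-entropy bytes; the wiper's output decodes to near-random data."""
    try:
        decoded = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(decoded) < 512:  # too little data for a meaningful entropy estimate
        return False
    return shannon_entropy(decoded) >= min_entropy


def recoverable_fraction(original: bytes, wiped: bytes) -> float:
    """Fraction of original bytes found at the same offset after decoding the
    wiped content. For a true wiper this is chance level (about 1/256), which is
    why there is nothing for a decryptor, or a ransom payment, to recover."""
    decoded = base64.b64decode(wiped, validate=True)
    same = sum(1 for a, b in zip(original, decoded) if a == b)
    return same / len(original)


if __name__ == "__main__":
    wiped = chaos_v1_transform(SAMPLE_DOCUMENT)
    print("original flagged:", looks_like_chaos_v1_output(SAMPLE_DOCUMENT))
    print("wiped flagged:   ", looks_like_chaos_v1_output(wiped))
    print("recoverable:     ", round(recoverable_fraction(SAMPLE_DOCUMENT, wiped), 4))
```

The heuristic will also flag legitimately Base64-encoded random or compressed data (a base64 attachment, an encoded key blob), so treat a hit as a reason to look at the file's extension, timestamps and the presence of 'read_it.txt' rather than as proof on its own.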

Subsequent Versions Show Rapid Evolution

The initial version of the threat was released in June 2021. Over the next couple of months, infosec researchers observed three new versions that greatly expanded the capabilities of the Chaos Malware and brought it more in line with what is expected of a ransomware threat. Version 2.0 began deleting the Shadow Volume Copies and the backup catalog on compromised systems and could also disable Windows Recovery mode, all of which remove the victim's options for restoring files without paying. It was still a wiper that overwrote the targeted files, though.
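The recovery-inhibition behavior introduced in 2.0 is the most reliable place to catch this family on an endpoint, since the file damage itself is already done by then. The Python below is an added detection example, not code from the article: it scans constructed process-creation log lines for the built-in Windows utilities that perform the three actions the article describes (deleting shadow copies, deleting the backup catalog, disabling recovery mode) and flags a host only when more than one of them occurs, because a lone shadow-copy deletion has routine administrative uses. The article does not name the exact commands Chaos runs; the command lines matched here are the standard Windows utilities for each effect and are an assumption, as are the log format and sample events.

```python
import re
from collections import defaultdict

# Detection rules: (label, pattern). Case-insensitive because Windows command
# lines are, and samples vary in casing. Assumption: Chaos reaches each effect
# through the standard built-in utilities rather than a custom API call.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows"
                r"|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I)),
    ("recovery_mode_disabled",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
]

# Constructed process-creation events in a simple key=value format (assumed).
SAMPLE_EVENTS = [
    '2021-08-02T10:14:03Z host=WS-17 pid=4120 image=cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"',
    '2021-08-02T10:14:04Z host=WS-17 pid=4131 image=cmd.exe cmdline="cmd.exe /c bcdedit /set {default} recoveryenabled No"',
    '2021-08-02T10:14:05Z host=WS-17 pid=4140 image=cmd.exe cmdline="cmd.exe /c wbadmin delete catalog -quiet"',
    '2021-08-02T10:15:30Z host=WS-02 pid=7710 image=explorer.exe cmdline="explorer.exe C:\\Users\\alice\\Documents"',
    '2021-08-02T11:02:11Z host=SRV-BK1 pid=912 image=cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /for=D: /oldest"',
]

EVENT_RE = re.compile(r'host=(?P<host>\S+).*?cmdline="(?P<cmdline>[^"]*)"')


def classify_command(cmdline: str) -> list[str]:
    """Return the labels of every rule the command line matches."""
    return [label for label, pattern in RULES if pattern.search(cmdline)]


def scan_events(lines) -> dict[str, set[str]]:
    """Group matched rule labels by host; hosts with no matches are omitted."""
    hits: dict[str, set[str]] = defaultdict(set)
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # malformed or unrelated line
        for label in classify_command(m.group("cmdline")):
            hits[m.group("host")].add(label)
    return dict(hits)


def flagged_hosts(hits: dict[str, set[str]], min_distinct: int = 2) -> list[str]:
    """Hosts showing at least min_distinct different recovery-inhibition actions.
    The threshold is the correlation step: one action is a maintenance signal,
    several in succession match the pre-encryption behavior described for 2.0."""
    return sorted(host for host, labels in hits.items() if len(labels) >= min_distinct)


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for host, labels in sorted(hits.items()):
        print(host, sorted(labels))
    print("flagged:", flagged_hosts(hits))
```

In a real deployment the same rules map onto Sysmon Event ID 1 or Windows Security Event 4688 command lines, and the correlation should additionally be bounded by a short time window per host.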

This behavior finally began to change with version 3.0, which introduced AES + RSA encryption for files under 1MB. The latest observed version of the Chaos Malware employs the same combination of the AES and RSA cryptographic algorithms but can lock files under 2MB. It lets the threat actor customize the extension appended to encrypted files, and it can be instructed to change the default desktop image on infected systems.
