win.chaos

Chaos

aka: FakeRyuk, RyukJoke, Yashma

In-development ransomware family released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but it lacks features commonly found in ransomware, such as data exfiltration.

References
2025-07-14 - Spamhaus (Spamhaus Malware Labs): Spamhaus Botnet Threat Update January to June 2025. Families: Coper, FluBot, Hook, Joker, Mirai, AsyncRAT, BianLian, BumbleBee, Chaos, Cobalt Strike, DanaBot, DCRat, Havoc, Latrodectus, NjRAT, Quasar RAT, RedLine Stealer, Remcos, Rhadamanthys, Sliver, ValleyRAT, WarmCookie, XWorm
2025-06-14 - K7 Security (Uma Madasamy): SpectraRansomware. Families: Chaos
2023-08-07 - Cisco Talos (Chetan Raghuprasad): New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware. Families: Chaos
2023-04-13 - OALabs (Sergei Frankoff): Quasar Chaos: Open Source Ransomware Meets Open Source RAT. Families: Chaos, Quasar RAT
2023-02-02 - K7 Security (Vigneshwaran P): Ransomed by Warlock Dark Army “OFFICIALS”. Families: Chaos
2023-01-01 - ThreatMon (Seyit Sigirci (@h3xecute), ThreatMon Malware Research Team): Chaos Unleashed: a Technical Analysis of a Novel Ransomware. Families: Chaos
2022-06-09 - Bleeping Computer (Lawrence Abrams): Roblox Game Pass store used to sell ransomware decryptor. Families: Chaos
2022-05-24 - Blackberry (The BlackBerry Research & Intelligence Team): Yashma Ransomware, Tracing the Chaos Family Tree. Families: Chaos
2022-05-17 - Fortinet (Gergely Revay, Shunichi Imano): Chaos Ransomware Variant Sides with Russia. Families: Chaos
2022-05-01 - YouTube (Uriel Kosayev): Yashma Ransomware Builder Analysis - Malware Analysis. Families: Chaos
2022-04-28 - Twitter (@vinopaljiri, Jiří Vinopal): #ONYX Ransomware is based on #Chaos Ransomware Builderv4. Families: Chaos
2022-02-14 - Brian Stadnicki: Chaos ransomware v4. Families: Chaos
2022-01-17 - Qualys (Bajrang Mane): The Chaos Ransomware Can Be Ravaging. Families: Chaos
2021-10-28 - Fortinet (Fred Gutierrez, Shunichi Imano): Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers. Families: Chaos
2021-08-10 - Trend Micro (Don Ovid Ladores, Monte de Jesus): Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications. Families: Chaos
2021-06-14 - Marco Ramilli's Blog (Marco Ramilli): The Allegedly Ryuk Ransomware builder: #RyukJoke. Families: Chaos
Yara Rules
[TLP:WHITE] win_chaos_w0 (20221007 | Detects Ransomware Built by Chaos Ransomware Builder)
import "pe"

rule win_chaos_w0 {
    meta:
        description = "Detects Ransomware Built by Chaos Ransomware Builder"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"

    strings:
        //Ransom References
        $x1 = "Encrypt" ascii wide
        // Bitcoin address regex carried in the payload as a literal string
        $x2 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" ascii wide
        $x3 = "read" ascii wide

        //Ransom Hex
        $r1 = { 20 76 69 72 75 73 }                                        // " virus" (ASCII)
        $r2 = { 72 00 61 00 6e 00 73 00 6f 00 6d 00 77 00 61 00 72 00 65 } // "ransomware" (UTF-16LE)

        //Shadow Copy Delete
        $z0 = "deleteShadowCopies" ascii wide
        $z1 = "shadowcopy" ascii wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        // Must be less than 35KB
        filesize < 35KB and
        // Must have exact import hash
        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
        //Number of sections
        pe.number_of_sections == 3 and
        //These Strings
        ((all of ($x*)) and (1 of ($r*)) and (1 of ($z*)))
}
[TLP:WHITE] win_chaos_w1 (20221007 | Detects Onyx Ransomware build off of Chaos Builder v4)
import "pe"

rule win_chaos_w1 {
    meta:
        description = "Detects Onyx Ransomware build off of Chaos Builder v4"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"

    strings:
        // Bitcoin address regex carried in the payload as a literal string
        $s1 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" wide
        //Ransom note text
        $s2 = "All of your files are currently encrypted by ONYX strain." wide
        $s3 = "Inform your supervisors and stay calm!" wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        //Directories: a non-empty CLR header marks a .NET assembly
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
        //All strings
        all of ($s*)
}
[TLP:WHITE] win_chaos_w2 (20221007 | Detects Chaos Ransomware Builder)
import "pe"

rule win_chaos_w2 {
    meta:
        description = "Detects Chaos Ransomware Builder"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"

    strings:
        //Builder-specific strings (all must match)
        $s0 = "1qw0ll8p9m8uezhqhyd" ascii wide
        $s1 = "Chaos Ransomware Builder" ascii wide
        $s2 = "payloadFutureName" ascii wide
        $s3 = "read_it.txt" ascii wide
        $s4 = "encryptedFileExtension" ascii wide

        //Numeric strings (one must match)
        $x0 = "1098576" ascii wide
        $x1 = "2197152" ascii wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        //All builder strings and one numeric string
        ((all of ($s*)) and (1 of ($x*)))
}