SYMBOLCOMMON_NAMEaka. SYNONYMS
win.chaos (Back to overview)

Chaos

aka: FakeRyuk, RyukJoke, Yashma

In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.

References
2022-06-09Bleeping ComputerLawrence Abrams
@online{abrams:20220609:roblox:19b3f09, author = {Lawrence Abrams}, title = {{Roblox Game Pass store used to sell ransomware decryptor}}, date = {2022-06-09}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/roblox-game-pass-store-used-to-sell-ransomware-decryptor/}, language = {English}, urldate = {2022-06-10} } Roblox Game Pass store used to sell ransomware decryptor
Chaos
2022-05-24BlackberryThe BlackBerry Research & Intelligence Team
@online{team:20220524:yashma:33b80cb, author = {The BlackBerry Research & Intelligence Team}, title = {{Yashma Ransomware, Tracing the Chaos Family Tree}}, date = {2022-05-24}, organization = {Blackberry}, url = {https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree}, language = {English}, urldate = {2022-05-24} } Yashma Ransomware, Tracing the Chaos Family Tree
Chaos
2022-05-17FortinetGergely Revay, Shunichi Imano
@online{revay:20220517:chaos:9ff6ed3, author = {Gergely Revay and Shunichi Imano}, title = {{Chaos Ransomware Variant Sides with Russia}}, date = {2022-05-17}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia}, language = {English}, urldate = {2022-05-25} } Chaos Ransomware Variant Sides with Russia
Chaos
2022-04-28Twitter (@vinopaljiri)Jiří Vinopal
@online{vinopal:20220428:onyx:b2312e0, author = {Jiří Vinopal}, title = {{#ONYX Ransomware is based on #Chaos Ransomware Builderv4}}, date = {2022-04-28}, organization = {Twitter (@vinopaljiri)}, url = {https://twitter.com/vinopaljiri/status/1519645742440329216}, language = {English}, urldate = {2022-05-03} } #ONYX Ransomware is based on #Chaos Ransomware Builderv4
Chaos
2022-02-14Brian Stadnicki
@online{stadnicki:20220214:chaos:998b377, author = {Brian Stadnicki}, title = {{Chaos ransomware v4}}, date = {2022-02-14}, url = {https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/}, language = {English}, urldate = {2022-03-15} } Chaos ransomware v4
Chaos
2022-01-17QualysBajrang Mane
@online{mane:20220117:chaos:911b0fa, author = {Bajrang Mane}, title = {{The Chaos Ransomware Can Be Ravaging}}, date = {2022-01-17}, organization = {Qualys}, url = {https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging}, language = {English}, urldate = {2022-02-04} } The Chaos Ransomware Can Be Ravaging
Chaos
2021-10-28FortinetShunichi Imano, Fred Gutierrez
@online{imano:20211028:chaos:7725fa9, author = {Shunichi Imano and Fred Gutierrez}, title = {{Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers}}, date = {2021-10-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-in-fake-minecraft-alt-list-brings-destruction}, language = {English}, urldate = {2021-11-03} } Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers
Chaos
2021-08-10Trend MicroMonte de Jesus, Don Ovid Ladores
@online{jesus:20210810:chaos:153f943, author = {Monte de Jesus and Don Ovid Ladores}, title = {{Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications}}, date = {2021-08-10}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html}, language = {English}, urldate = {2021-08-23} } Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications
Chaos
2021-06-14Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210614:allegedly:ad3d608, author = {Marco Ramilli}, title = {{The Allegedly Ryuk Ransomware builder: #RyukJoke}}, date = {2021-06-14}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/}, language = {English}, urldate = {2021-08-23} } The Allegedly Ryuk Ransomware builder: #RyukJoke
Chaos
Yara Rules
[TLP:WHITE] win_chaos_w0 (20221007 | Detects Ransomware Built by Chaos Ransomware Builder)
import "pe"    

rule win_chaos_w0 {            
    meta:
        description = "Detects Ransomware Built by Chaos Ransomware Builder"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        //Ransom References
        $x1 = "Encrypt" ascii wide
        $x2 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" ascii wide
        $x3 = "read" ascii wide        

        //Ransom Hex
        $r1 = { 20 76 69 72 75 73 }
        $r2 = { 72 00 61 00 6e 00 73 00 6f 00 6d 00 77 00 61 00 72 00 65 }

        //Shadow Copy Delete
        $z0 = "deleteShadowCopies" ascii wide
        $z1 = "shadowcopy" ascii wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        // Must be less than
        filesize < 35KB and
        // Must have exact import hash
        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
        //Number of sections
        pe.number_of_sections == 3 and
        //These Strings
        ((all of ($x*)) and (1 of ($r*)) and (1 of ($z*)))
}
[TLP:WHITE] win_chaos_w1 (20221007 | Detects Onyx Ransomware build off of Chaos Builder v4)
import "pe"    

rule win_chaos_w1 {          
    meta:
        description = "Detects Onyx Ransomware build off of Chaos Builder v4"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"
    
    strings:
        $s1 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" wide
        $s2 = "All of your files are currently encrypted by ONYX strain." wide
        $s3 = "Inform your supervisors and stay calm!" wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        //Directories
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
        //All strings
        all of ($s*)
}
[TLP:WHITE] win_chaos_w2 (20221007 | Detects Chaos Ransomware Builder)
import "pe"    

rule win_chaos_w2 {           
    meta:
        description = "Detects Chaos Ransomware Builder"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s0 = "1qw0ll8p9m8uezhqhyd" ascii wide
        $s1 = "Chaos Ransomware Builder" ascii wide
        $s2 = "payloadFutureName" ascii wide
        $s3 = "read_it.txt" ascii wide
        $s4 = "encryptedFileExtension" ascii wide

        $x0 = "1098576" ascii wide
        $x1 = "2197152" ascii wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        //All strings
        ((all of ($s*)) and (1 of ($x*)))

}
Download all Yara Rules