win.chaos

Chaos

aka: FakeRyuk, RyukJoke, Yashma

In-development ransomware family released in June 2021 by an unknown threat actor. The builder was initially advertised as a "Ryuk .Net Ransomware Builder" even though it is completely unrelated to the Ryuk malware family. Current builds add trojan-like features, but the family still lacks capabilities commonly found in ransomware operations, such as data exfiltration.

References
2023-08-07  Cisco Talos, Chetan Raghuprasad: New threat actor targets Bulgaria, China, Vietnam and other countries with customized Yashma ransomware [Chaos]
2023-04-13  OALabs, Sergei Frankoff: Quasar Chaos: Open Source Ransomware Meets Open Source RAT [Chaos, Quasar RAT]
2023-02-02  K7 Security, Vigneshwaran P: Ransomed by Warlock Dark Army "OFFICIALS" [Chaos]
2023-01-01  ThreatMon, Seyit Sigirci (@h3xecute) and ThreatMon Malware Research Team: Chaos Unleashed: a Technical Analysis of a Novel Ransomware [Chaos]
2022-06-09  Bleeping Computer, Lawrence Abrams: Roblox Game Pass store used to sell ransomware decryptor [Chaos]
2022-05-24  BlackBerry, The BlackBerry Research & Intelligence Team: Yashma Ransomware, Tracing the Chaos Family Tree [Chaos]
2022-05-17  Fortinet, Gergely Revay and Shunichi Imano: Chaos Ransomware Variant Sides with Russia [Chaos]
2022-04-28  Twitter (@vinopaljiri), Jiří Vinopal: #ONYX Ransomware is based on #Chaos Ransomware Builder v4 [Chaos]
2022-02-14  Brian Stadnicki: Chaos ransomware v4 [Chaos]
2022-01-17  Qualys, Bajrang Mane: The Chaos Ransomware Can Be Ravaging [Chaos]
2021-10-28  Fortinet, Fred Gutierrez and Shunichi Imano: Chaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers [Chaos]
2021-08-10  Trend Micro, Don Ovid Ladores and Monte de Jesus: Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications [Chaos]
2021-06-14  Marco Ramilli's Blog, Marco Ramilli: The Allegedly Ryuk Ransomware builder: #RyukJoke [Chaos]
Yara Rules
[TLP:WHITE] win_chaos_w0 (20221007 | Detects Ransomware Built by Chaos Ransomware Builder)
import "pe"

rule win_chaos_w0 {
    meta:
        description = "Detects Ransomware Built by Chaos Ransomware Builder"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"

    strings:
        //Ransom References
        $x1 = "Encrypt" ascii wide
        $x2 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" ascii wide
        $x3 = "read" ascii wide

        //Ransom Hex
        $r1 = { 20 76 69 72 75 73 }
        $r2 = { 72 00 61 00 6e 00 73 00 6f 00 6d 00 77 00 61 00 72 00 65 }

        //Shadow Copy Delete
        $z0 = "deleteShadowCopies" ascii wide
        $z1 = "shadowcopy" ascii wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        // Must be less than
        filesize < 35KB and
        // Must have exact import hash. This is the imphash of a .NET executable whose only
        // import is mscoree!_CorExeMain, so it filters out native PEs rather than identifying
        // Chaos on its own; the strings and the section/size limits do the discrimination.
        pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
        //Number of sections
        pe.number_of_sections == 3 and
        //These Strings
        ((all of ($x*)) and (1 of ($r*)) and (1 of ($z*)))
}
[TLP:WHITE] win_chaos_w1 (20221007 | Detects Onyx Ransomware built off of Chaos Builder v4)
import "pe"

rule win_chaos_w1 {
    meta:
        description = "Detects Onyx Ransomware built off of Chaos Builder v4"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s1 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" wide
        $s2 = "All of your files are currently encrypted by ONYX strain." wide
        $s3 = "Inform your supervisors and stay calm!" wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        //Directories: a non-empty CLR (COM descriptor) directory means a managed .NET assembly
        pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
        //All strings
        all of ($s*)
}
[TLP:WHITE] win_chaos_w2 (20221007 | Detects Chaos Ransomware Builder)
import "pe"

rule win_chaos_w2 {
    meta:
        description = "Detects Chaos Ransomware Builder"
        author = "BlackBerry Threat Research"
        date = "2022-05-10"
        source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
        license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
        malpedia_rule_date = "20221007"
        malpedia_hash = ""
        malpedia_version = "20221007"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $s0 = "1qw0ll8p9m8uezhqhyd" ascii wide
        $s1 = "Chaos Ransomware Builder" ascii wide
        $s2 = "payloadFutureName" ascii wide
        $s3 = "read_it.txt" ascii wide
        $s4 = "encryptedFileExtension" ascii wide

        $x0 = "1098576" ascii wide
        $x1 = "2197152" ascii wide

    condition:
        //PE File
        uint16(0) == 0x5a4d and
        //All strings
        ((all of ($s*)) and (1 of ($x*)))

}
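The rules above rely on three things a triage analyst should be able to reason about without a YARA engine: what the raw hex strings spell out, what the `ascii wide` modifier actually matches in a .NET binary (where most strings are UTF-16LE), and what the embedded Bitcoin-address regex accepts. The following Python is an added example, not part of the Malpedia page or the BlackBerry rules: it re-implements the string conditions of win_chaos_w0 in plain Python and exercises the address regex that Chaos builds (v2 onward) use to find and swap Bitcoin addresses in clipboard text. The `pe.imphash()` and `pe.number_of_sections` conditions need a PE parser and are deliberately left out, so this is a triage helper, not a substitute for the rule. All buffers and clipboard strings are constructed; the two legacy addresses are well-known documentation examples and the Bech32 address is the BIP173 example.

```python
"""Added example: string-level re-implementation of win_chaos_w0 plus the
Chaos/Yashma Bitcoin-address regex. Not from the Malpedia page or BlackBerry.
The pe.imphash() and section-count conditions of the real rule are omitted."""
import re

# Regex embedded in Chaos/Yashma builds ($x2 in win_chaos_w0, $s1 in win_chaos_w1).
# Alternative 1: legacy Base58 P2PKH ("1...") and P2SH ("3...") addresses; the
#   character class excludes the ambiguous Base58 characters 0, O, I and l.
# Alternative 2: Bech32 ("bc1...") addresses.
BTC_RE = re.compile(r"(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})")

# The rule's two hex strings, verbatim.
R1_HEX = "20 76 69 72 75 73"
R2_HEX = "72 00 61 00 6e 00 73 00 6f 00 6d 00 77 00 61 00 72 00 65"


def decode_hex_pattern(pattern: str) -> str:
    """Render a YARA hex string back to readable text.

    R2 is UTF-16LE text whose final 0x00 was left off, so it still matches
    "ransomware" in a .NET string table; dropping the interleaved zero bytes
    recovers the word the rule author meant.
    """
    raw = bytes.fromhex(pattern)
    return raw.replace(b"\x00", b"").decode("latin-1")


def ascii_wide(s: str) -> tuple[bytes, bytes]:
    """YARA 'ascii wide': the literal as 1-byte ASCII and as UTF-16LE."""
    return s.encode("ascii"), s.encode("utf-16-le")


def contains_ascii_wide(buf: bytes, s: str) -> bool:
    return any(p in buf for p in ascii_wide(s))


def w0_string_conditions(buf: bytes) -> bool:
    """PE magic, size cap and the string logic of win_chaos_w0 (no pe.* checks)."""
    if buf[:2] != b"MZ" or len(buf) >= 35 * 1024:   # YARA's KB is 1024 bytes
        return False
    x_all = all(contains_ascii_wide(buf, s) for s in ("Encrypt", BTC_RE.pattern, "read"))
    r_any = bytes.fromhex(R1_HEX) in buf or bytes.fromhex(R2_HEX) in buf
    z_any = any(contains_ascii_wide(buf, s) for s in ("deleteShadowCopies", "shadowcopy"))
    return x_all and r_any and z_any


def find_btc_addresses(text: str) -> list[str]:
    """Every substring the builder's regex would treat as a Bitcoin address."""
    return BTC_RE.findall(text)


def swap_btc_address(text: str, attacker_address: str) -> str:
    """Clipboard-hijack logic of Chaos builds: each address matched by the
    regex in the clipboard text is replaced with the operator's address."""
    return BTC_RE.sub(attacker_address, text)


def build_sample(with_mz: bool = True) -> bytes:
    """Constructed stand-in for a .NET Chaos payload (not a real sample):
    ASCII and UTF-16LE strings laid out the way the rule expects to see them."""
    parts = [b"MZ" if with_mz else b"ZM", b"\x00" * 0x40]
    parts += [b"Encrypt", BTC_RE.pattern.encode("utf-16-le"), b"read"]
    parts += [b" virus", "deleteShadowCopies".encode("utf-16-le")]
    return b"\x00".join(parts)


if __name__ == "__main__":
    print(repr(decode_hex_pattern(R1_HEX)), repr(decode_hex_pattern(R2_HEX)))
    print("w0 string conditions on constructed sample:", w0_string_conditions(build_sample()))
    clip = "pay 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
    print(find_btc_addresses(clip))
    print(swap_btc_address(clip, "<operator address>"))
```

Two points the exercise makes explicit: `$x1 = "Encrypt"` and `$x3 = "read"` are far too generic on their own, which is why the real rule pins the imphash, the section count and a 35 KB ceiling; and the regex alone is not evidence of Chaos, since it also turns up in other clipboard-hijacking malware, so the w0 and w1 rules only treat it as one string among several. To run the real rules against a file, compile them with yara-python (`yara.compile(filepath=...)`) and call `.match()` on the data; the Python above only covers the parts that do not need the `pe` module.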