In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.
[TLP:WHITE] win_chaos_w0 (20221007 | Detects Ransomware Built by Chaos Ransomware Builder)
import "pe"
rule win_chaos_w0 {
meta:
description = "Detects Ransomware Built by Chaos Ransomware Builder"
author = "BlackBerry Threat Research"
date = "2022-05-10"
source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
malpedia_rule_date = "20221007"
malpedia_hash = ""
malpedia_version = "20221007"
malpedia_sharing = "TLP:WHITE"
strings:
//Ransom References
$x1 = "Encrypt" ascii wide
$x2 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" ascii wide
$x3 = "read" ascii wide
//Ransom Hex
$r1 = { 20 76 69 72 75 73 }
$r2 = { 72 00 61 00 6e 00 73 00 6f 00 6d 00 77 00 61 00 72 00 65 }
//Shadow Copy Delete
$z0 = "deleteShadowCopies" ascii wide
$z1 = "shadowcopy" ascii wide
condition:
//PE File
uint16(0) == 0x5a4d and
// Must be less than
filesize < 35KB and
// Must have exact import hash
pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and
//Number of sections
pe.number_of_sections == 3 and
//These Strings
((all of ($x*)) and (1 of ($r*)) and (1 of ($z*)))
}
[TLP:WHITE] win_chaos_w1 (20221007 | Detects Onyx Ransomware build off of Chaos Builder v4)
import "pe"
rule win_chaos_w1 {
meta:
description = "Detects Onyx Ransomware build off of Chaos Builder v4"
author = "BlackBerry Threat Research"
date = "2022-05-10"
source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
malpedia_rule_date = "20221007"
malpedia_hash = ""
malpedia_version = "20221007"
malpedia_sharing = "TLP:WHITE"
strings:
$s1 = "(?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})" wide
$s2 = "All of your files are currently encrypted by ONYX strain." wide
$s3 = "Inform your supervisors and stay calm!" wide
condition:
//PE File
uint16(0) == 0x5a4d and
//Directories
pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].size != 0 and
//All strings
all of ($s*)
}
import "pe"
rule win_chaos_w2 {
meta:
description = "Detects Chaos Ransomware Builder"
author = "BlackBerry Threat Research"
date = "2022-05-10"
source = "https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree"
license = "This Yara rule is provided under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0) and open to any user or organization, as long as you use it under this license and ensure originator credit in any derivative to The BlackBerry Research & Intelligence Team"
malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos"
malpedia_rule_date = "20221007"
malpedia_hash = ""
malpedia_version = "20221007"
malpedia_sharing = "TLP:WHITE"
strings:
$s0 = "1qw0ll8p9m8uezhqhyd" ascii wide
$s1 = "Chaos Ransomware Builder" ascii wide
$s2 = "payloadFutureName" ascii wide
$s3 = "read_it.txt" ascii wide
$s4 = "encryptedFileExtension" ascii wide
$x0 = "1098576" ascii wide
$x1 = "2197152" ascii wide
condition:
//PE File
uint16(0) == 0x5a4d and
//All strings
((all of ($s*)) and (1 of ($x*)))
}