Note: This page is dedicated to the Chaos v1.0 ransomware builder and does not reflect any encryptors created from the builder.
The Chaos v1.0 builder was first seen in June 2021, when a user named ryukRans advertised it on the XSS forum for the first time under the name Ryuk.NET. They likely chose this name because of the notoriety surrounding the Ryuk name at the time of this builder's inception. However, after analyzing this builder, and based on various researcher accounts, the encryptors produced from it behave nothing like Ryuk. In fact, this builder doesn't even produce traditional crypto-ransomware, in which files are encrypted with a known encryption algorithm and can be decrypted with a decryption key. The executables from Chaos v1.0 can only wipe files on a victim's computer using an arbitrary data-manipulation scheme. The files are wiped using the following schema:
base64("<EncryptedKey>"<31-character random alphanumeric string>"<EncryptedKey> "<2-character random alphanumeric string>)
The schema above means the following: the data in each file is replaced by the string "<EncryptedKey>", followed by 31 random alphanumeric characters produced by a pseudo-random number generator (PRNG), then "<EncryptedKey> " (there is an intentional space after <EncryptedKey>), and finally two more random alphanumeric characters. That whole string, "<EncryptedKey>"<31-character random alphanumeric string>"<EncryptedKey> "<2-character random alphanumeric string>, is then base64 encoded and written over the file. There is no way to recover the original data, because it is overwritten with arbitrary random data rather than encrypted. This is why we have denoted the Ransomware Type as Builder, Wiper, and Imitator: it presents itself as ransomware but wipes files, imitating crypto-ransomware. It only took a little over a week before the threat actor came out with another major version, Chaos v2.0, which is also a wiper with no possibility of decryption. Traditional ransomware encryption did not appear until Chaos v3.0, and even there it was limited.
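As an added defender-side example, which is not part of this entry and not the builder's own code: a small Python triage helper that recognizes the wiper output described above, so an incident responder can separate files the Chaos v1.0 payload overwrote (unrecoverable; restore from backup) from files left intact. It assumes the double quotes in the schema are string delimiters rather than literal characters, but tolerates them either way, and the sample payload it builds is constructed in memory purely to exercise the check.

```python
import base64
import binascii
import os
import re
import secrets
import string

# Plaintext that Chaos v1.0 base64-encodes over each file, per the schema in this entry.
# The double quotes are treated as optional literal characters so the check works whether
# they were string delimiters or actually written into the file (assumption: the entry does
# not say which).
CHAOS_V1_PATTERN = re.compile(
    rb'^"?<EncryptedKey>"?[A-Za-z0-9]{31}"?<EncryptedKey> "?[A-Za-z0-9]{2}$'
)


def is_chaos_v1_wiped(data: bytes) -> bool:
    """Return True if the bytes are the Chaos v1.0 wiper output (base64 of the schema)."""
    stripped = data.strip()
    # Fast reject: the encoded form is short; anything longer cannot be this artifact.
    if not stripped or len(stripped) > 128:
        return False
    try:
        decoded = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return CHAOS_V1_PATTERN.fullmatch(decoded) is not None


def scan_tree(root: str) -> list[str]:
    """Walk a directory read-only and return the paths whose content matches the wiper output."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(129)  # enough to decide; a real file is never modified
            except OSError:
                continue
            if is_chaos_v1_wiped(head):
                hits.append(path)
    return hits


def build_constructed_sample() -> bytes:
    """Constructed sample of the artifact format, built in memory for testing the check only."""
    alnum = string.ascii_letters + string.digits
    rnd = lambda n: "".join(secrets.choice(alnum) for _ in range(n))
    plain = "<EncryptedKey>" + rnd(31) + "<EncryptedKey> " + rnd(2)
    return base64.b64encode(plain.encode())


if __name__ == "__main__":
    sample = build_constructed_sample()
    print("constructed sample recognized:", is_chaos_v1_wiped(sample))
    print("plain text recognized:", is_chaos_v1_wiped(b"hello world"))
```

Under the delimiter assumption the plaintext is 14 + 31 + 15 + 2 = 62 bytes, so every wiped file encodes to exactly 84 base64 characters; a file listing sorted by size is often the quickest first pass before running the decoder over the candidates, and a match confirms that the file should be written off and restored from backup rather than sent for decryption.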
The rest of the behaviors described in this entry occur when a user runs the builder without changing its settings; we list the default configurations, such as the ransom note name and extortion amounts. The other auxiliary information comes mainly from Rakesh Krishnan's deep dive into the Chaos lineage. He uncovered a probable link between a Ukrainian national and the threat actor who created the Chaos v1.0 - Chaos v5.0 builders. There is also a link to an Iranian threat actor, which is believed to have created Yashma, a fork of Chaos v5.0.