Chaos v2.0
Description
Note: This page is dedicated to the Chaos v2.0 ransomware builder and does not reflect any encryptors created from the builder.
Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 entry.
The Chaos v2.0 builder is similar to Chaos v1.0. It still wipes all the files by overwriting them with randomly generated data. However, it differs in a few subtle ways:
- The builder is officially renamed from Ryuk.NET Ransomware Builder to Chaos Ransomware Builder.
- The About section in the builder states that the builder creates wiper files, not ransomware, eliminating the "Imitation" aspect.
- It allows users to change the ransom note file name.
- Advanced Options allow users to delay execution time, enforce execution with admin privileges, and delete shadow copies and backup files.
- It tweaks how the random data is generated for wiping.
Ransomware Type
Builder
Wiper
Country of Origin
Ukraine
First Seen
Last Seen
Threat Actors
| Type | Actor |
| --- | --- |
| Individual | Vanya Evdokimenko |
Extortion Types
Pseudo-Extortion
Extortion Amounts
Amount
$1,500
Communication
| Medium | Identifier |
| --- | --- |
| Email | bomboms123@mail.ru |
| Email | yourfood20@mail.ru |
| XSS.is | ryukRans |
Encryption
Type
Other
Files
"<EncryptedKey>"<31-character random alphanumeric string>"<EncryptedKey> "<2-character random alphanumeric string>
Additional Encryption
The data above is then Base64-encoded.
Crypto Wallets
| Blockchain Type | Crypto Wallet |
| --- | --- |
| BTC | bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0 |
| BTC | bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg |
| XMR | 44wJKzwrzWY7dxLov4EjVia3wmwaj6ige6a8C6eHKXKtVy8PTU3SnCG6A6do3vL4Cu3kLUedKwjomDKe754QhshVJw52xFV |
Ransom Note Name
read_it.txt
Ransom Note Image
Samples (SHA-256)
325dfac6172cd279715ca8deb280eefe3544090f1583a2ddb5d43fc7fe3029ed
References & Publications (10)
BlackBerry: Yashma Ransomware, Tracing the Chaos Family Tree
BSides Munich: Alexander Andersson - Cracking the Chaos Ransomware family
The Crypto-Ransomware Digest: Ryuk.Net, Chaos
Truesec: Cracking the Chaos Ransomware Family