Chaos v3.0
Description
Note: This page is dedicated to the Chaos v3.0 ransomware builder and does not reflect any encryptors created from the builder.
Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 and Chaos v2.0 entries.
Note: A decryptor exists for Chaos v3.0 through Yashma. See below.
The Chaos v3.0 builder is similar to Chaos v2.0. However, this is the first iteration of Chaos that truly encrypts files instead of only wiping them. Here are the main differences:
- You have the option to encrypt files or wipe them. If you choose to encrypt files, it will only do so for files 1 MB or less, using AES-256-CBC. All files larger than 1 MB are wiped.
- The encryption scheme borrows from the open-source Hidden Tear ransomware.
- Minor tweaks to random data generation.
- Expanded target files list.
- The builder also comes with a decryptor generator.
Ransomware Type
- Builder
- Crypto-Ransomware
- Wiper
Country of Origin
Ukraine
First Seen
Last Seen
Lineage
Threat Actors
- Type: Individual; Actor: Vanya Evdokimenko
Alliances & Associations
- Type: Code Borrowing; Alliance/Association: Hidden Tear
Extortion Types
- Direct Extortion
- Pseudo-Extortion
Extortion Amounts
- Amount: $1,500
Communication
- Medium: Email; Identifier: bomboms123@mail.ru
- Medium: Email; Identifier: yourfood20@mail.ru
- Medium: XSS.is; Identifier: ryukRans
Encryption
- Type: Hybrid
- Files: AES-256-CBC
- Key: RSA-2048
- Additional Encryption: "<EncryptedKey>"[RSA(secret key)]"<EncryptedKey>"[base64(AES encrypted data)]
Crypto Wallets
- Blockchain Type: BTC; Crypto Wallet: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0
- Blockchain Type: BTC; Crypto Wallet: bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg
- Blockchain Type: XMR; Crypto Wallet: 44wJKzwrzWY7dxLov4EjVia3wmwaj6ige6a8C6eHKXKtVy8PTU3SnCG6A6do3vL4Cu3kLUedKwjomDKe754QhshVJw52xFV
File Extension
<file name>.<file extension>.<4 random alphanumeric characters>
Ransom Note Name
read_it.txt
Ransom Note Image
Samples (SHA-256)
- 63e28fc93b5843002279fc2ad6fabd9a2bc7f5d2f0b59910bcc447a21673e6c7
- a98bc2fcbe8b3c7ea9df3712599a958bae0b689ae29f33ee1848af7a038d518a
Decryptors
References & Publications
- BlackBerry: Yashma Ransomware, Tracing the Chaos Family Tree
- BSides Munich: Alexander Andersson - Cracking the Chaos Ransomware family
- The Crypto-Ransomware Digest: Ryuk.Net, Chaos
- The No More Ransom Project: Free Decryptor for the Chaos ransomware [User Manual]
- Truesec: Cracking the Chaos Ransomware Family