Ransomware - Chaos v4.0

Chaos v4.0

Description

Note: This page is dedicated to the Chaos v4.0 ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, and Chaos v3.0 entries.

Note: A decryptor exists for Chaos v3.0 through Yashma. See below.

The Chaos v4.0 builder expands on the Chaos v3.0 builder with similar functionalities. Here are the main differences:

The encryption algorithm now allows users to encrypt files up to 2 MB instead of 1 MB.
Minor tweaks to random data generation.
The target files list is customizable.
Now includes ransom note and ability to change the desktop wallpaper.

Ransomware Type

Builder

Crypto-Ransomware

Wiper

Country of Origin

Ukraine

First Seen

August 2021

Last Seen

April 2022

Lineage

Threat Actors

Type

Actor

Individual

Vanya Evdokimenko

Alliances & Associations

Type

Alliance/Association

Code Borrowing

Hidden Tear

Extortion Types

Direct Extortion

Pseudo-Extortion

Extortion Amounts

Amount

$1,500

Communication

Medium

Identifier

Email

bomboms123@mail.ru

Email

yourfood20@mail.ru

XSS.is

ryukRans

Encryption

Type

Hybrid

Files

AES-256-CBC

Key

RSA-2048

Additional Encryption

"<EncryptedKey>"[RSA(secret key)]"<EncryptedKey>"[base64(AES encrypted data)]

Crypto Wallets

Blockchain Type

Crypto Wallet

BTC

bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

BTC

bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg

XMR

44wJKzwrzWY7dxLov4EjVia3wmwaj6ige6a8C6eHKXKtVy8PTU3SnCG6A6do3vL4Cu3kLUedKwjomDKe754QhshVJw52xFV

File Extension

<file name>.<file extension>.<4 random alphanumeric characters>

Ransom Note Name

<9 random alphanumeric characters>.jpg

read_it.txt

Ransom Note Image

Chaos4.0-Builder-f2665

Click to enlarge

Samples (SHA-256)

392a3adb44ab2640290f88f751d7608bc66a1c7df845fa1d0baa0aea78ac7a49

f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

f3432c74402aa36468d6641d5ccc15c1e0ceb083bc0f7e73d2b5dbfa0cfb9974

Decryptors

Chaos Family Decryptors by Truesec

References & Publications(11)

Analyst1: New Ransomware Turns to Disruption and Sabotage

BlackBerry: Yashma Ransomware, Tracing the Chaos Family Tree

BSides Munich: Alexander Andersson - Cracking the Chaos Ransomware family

Medium: Rakesh Krishnan - CHASING CHAOS RANSOMWARE — Unveiling 2017 Instagram Hack Inci…

Medium: S2W - Anatomy of Chaos Ransomware builder and its origin (feat. Open-source Hid…

Qualys: The Chaos Ransomware Can Be Ravaging

The Crypto-Ransomware Digest: Ryuk.Net, Chaos

The No More Ransom Project: Free Decryptor for the Chaos ransomware [User Manual]

Threatmon: Chaos Unleashed: a Technical Analysis of a Novel Ransomware

Trend Micro: Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications

Truesec: Cracking the Chaos Ransomware Family

Ransomware Tracker