Ransomware - Chaos v5.0

Chaos v5.0

Description

Note: This page is dedicated to the Chaos v5.0 ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, Chaos v3.0, and Chaos v4.0 entries.

Note: A decryptor exists for Chaos v3.0 through Yashma. See below.

The Chaos v5.0 builder expands on the Chaos v4.0 builder with only minor differences. They are:

The encryption algorithm now allows users to encrypt all files. The source code includes functions for "AES_Encrypt_Large" and "AES_Encrypt_Small."
Task Manager disabling.
Random salt generation.
More granular system checks for encryption algorithms.
A refined decryptor.

Ransomware Type

Builder

Crypto-Ransomware

Country of Origin

Ukraine

First Seen

April 2022

Last Seen

May 2022

Lineage

Threat Actors

Type

Actor

Individual

Vanya Evdokimenko

Alliances & Associations

Type

Alliance/Association

Code Borrowing

Hidden Tear

Extortion Types

Direct Extortion

Pseudo-Extortion

Extortion Amounts

Amount

$1,500

Communication

Medium

Identifier

Email

bomboms123@mail.ru

Email

yourfood20@mail.ru

XSS.is

ryukRans

Encryption

Type

Hybrid

Files

AES-256-CBC

Key

RSA-2048

Additional Encryption

"<EncryptedKey>"[RSA(secret key)]"<EncryptedKey>"[base64(AES encrypted data)]

Crypto Wallets

Blockchain Type

Crypto Wallet

BTC

bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

BTC

bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg

XMR

44wJKzwrzWY7dxLov4EjVia3wmwaj6ige6a8C6eHKXKtVy8PTU3SnCG6A6do3vL4Cu3kLUedKwjomDKe754QhshVJw52xFV

File Extension

<file name>.<file extension>.<4 random alphanumeric characters>

Ransom Note Name

<9 random alphanumeric characters>.jpg

read_it.txt

Ransom Note Image

Chaos5.0-Builder-SourceCode

Click to enlarge

Samples (SHA-256)

38adb3e1431726978b41a80227f22159fddfaeed174ddd2d569e6de4177d3589

6562f92ba9d4784bf30e87681e538e0f7b8eff26811ace6be8970b0a8e3e3ca0

Decryptors

Chaos Family Decryptors by Truesec

References & Publications(12)

Analyst1: New Ransomware Turns to Disruption and Sabotage

BlackBerry: Yashma Ransomware, Tracing the Chaos Family Tree

BSides Munich: Alexander Andersson - Cracking the Chaos Ransomware family

GitHub: HeightCoder - Chaos Ransomware Builder

Medium: Rakesh Krishnan - CHASING CHAOS RANSOMWARE — Unveiling 2017 Instagram Hack Inci…

Medium: S2W - Anatomy of Chaos Ransomware builder and its origin (feat. Open-source Hid…

Qualys: The Chaos Ransomware Can Be Ravaging

The Crypto-Ransomware Digest: Ryuk.Net, Chaos

The No More Ransom Project: Free Decryptor for the Chaos ransomware [User Manual]

Threatmon: Chaos Unleashed: a Technical Analysis of a Novel Ransomware

Trend Micro: Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications

Truesec: Cracking the Chaos Ransomware Family

Ransomware Tracker