Ransomware - Yashma

Yashma
Aliases: Chaos v6.0

Description

Note: This page is dedicated to the Yashma (Chaos v6.0) ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, Chaos v3.0, Chaos v4.0, and Chaos v5.0 entries.

Note: Two decryptors exist for Yashma, including the original decryptor from Truesec. See below.


The Yashma builder is a fork of the Chaos v5.0 builder with very minor differences. They are:

  • The encryptors now perform a geographic check and exit on systems located in CIS countries.
  • The encryptors can now stop background services.

It is believed that Yashma is a fork of Chaos v5.0 created by Iran-based threat actors who are distinct from the original creators of the Chaos ransomware builders. However, based on Rakesh Krishnan's research, the two groups are also believed to have some relationship.

Ransomware Type: Builder; Crypto-Ransomware
Country of Origin: Iran
First Seen:
Last Seen:
Lineage:

Alliances & Associations
Type              Alliance/Association
Code Borrowing    Hidden Tear

Extortion Types: Direct Extortion; Pseudo-Extortion
Extortion Amount: $1,500

Communication
Medium           Identifier
Email
ICQ Messenger
Telegram

Encryption
Type: Hybrid
Files: AES-256-CBC
Key: RSA-2048
Additional Encryption: "<EncryptedKey>"[RSA(secret key)]"<EncryptedKey>"[base64(AES encrypted data)]

File Extension: <file name>.<file extension>.<4 random alphanumeric characters>
Ransom Note Name: <9 random alphanumeric characters>.jpg; read_it.txt
Ransom Note Image:

Samples (SHA-256)
e505fe2a77857ac94c657999533631289dc76a1c62c73169232dfcd7a25990a9
f9a5a72ead096594c5d59abe706e3716f6000c3b4ebd7690f2eb114a37d1a7db