Ransomware Tracker (Entry #214): GhosHacker

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/hakuna-matata

Hakuna Matata is a Swahili phrase meaning "there are no worries" (Hakuna = there are no; Matata = worries). It's popularized by the Disney movie The Lion King, performed by Timon and Pumbaa. However, native speakers of Swahili in countries such as Tanzania, Kenya, Uganda, and other neighboring countries seldom use this phrase in everyday conversation. It's more or less reserved for tourists because of The Lion King. In this context, Hakuna Matata is a ransomware builder that produces encryptors with AES-256-CBC and RSA-2048. The builder allows users to create a custom ransom note file name (default = Readme.txt) and message, a name for the process that performs the encryption (default = rundll32.exe), select file extensions, and options to alter the desktop wallpaper for extortion instructions. Additional options are shown in the ransom note image below, which isn't a ransom note image but an image of the builder as a user would see it.

The builder first appeared on the HellOfHackers forum from a user named Hakuna1 on July 7, 2023. Additionally, a user named CmdShell is selling the software for $150 on the underground market, GothamCity. We are uncertain if these are the same users because the CmdShell user created their account in May 2024, almost a year after the builder was publicized. Another user named HeightCoder released the source code on October 5, 2024 (see references) on GitHub, furthering evidence that the CmdShell could be another individual with access to the source code instead of the original author. This user also indicates that this builder is an iteration of Chaos/Yashma, which seems probable considering the similar appearances and behaviors of the encryptors from each of these builders.

All in all, the source code is in the public domain, and users who fall victim to ransomware derived from this builder will undoubtedly have worries. Unlike Chaos 3.0, Chaos 4.0, Yashma, and some variants, Hakuna Matata encryptors have no known decryptor.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/bagli

Bagli is commonly called Bagli Wiper because it doesn't actually encrypt files; it overrides the file's bytes with the Random() function (.NET). Therefore, it's technically not ransomware; it's pseudo-ransomware as a wiper. Although a ransom note—oxu.txt—is dropped that demands a ransom of $350 in Bitcoin, there is no possible way to recover files. The ransom note is in Azerbaijani, and the wiper's creator, ryukRans, spoke primarily Russian on XSS.is (a hacking forum). Therefore, we denoted the user as Azerbaijani with low-to-moderate confidence.

All in all, Bagli isn't a sophisticated or unique wiper. It's most known for being the foundation and beginning ancestry of another popular ransomware builder, Chaos. Due to the builder's open-source nature, Chaos has hundreds of variants. Thankfully, later versions of Chaos have decryptors for most of its creations. The only exceptions are versions 1.0 and 2.0, which are built upon the wiper aspect of Bagli.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/mike-tyson

Mike Tyson ransomware, dubbed "Tyson" for short, is a variant of the Chaos ransomware family and obviously refers to the boxer Mike Tyson. Derivatives of Chaos are created using the Chaos Ransomware builders, of which there are six primary versions (including Yashma, traditionally referred to as version 6). This variant is believed to be from Chaos 5.0, specifically Chaos 5.2. The determination for this is that it can change the desktop wallpaper, which is applicable for only version 4.0 and beyond, and it encrypts files larger than 2 MB external of the C drive; only applicable to versions 5.0 and on. It is not Yashma because the ransom note mimicked the Chaos 5.2 boilerplate text almost verbatim, besides the ransom amount and crypto wallet, and the Yashma note is significantly different in terms of how it's worded. We believe it's specifically version 5.2 because this is the only ransomware builder easily found on GitHub at the time of the creation of this variant - September 2024. For these reasons, we believe Mike Tyson is a one-off Chaos 5.2 derivative likely created for the "lulz." Since we already know the technical details of Chaos 5.2, we copied them below. We've also included the ransom note names, images, and encrypted file names below.