Ransomware Tracker (Entry #239): Chaos v3.0

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/yashma

Note: This page is dedicated to the Yashma (Chaos v6.0) ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, Chaos v3.0, Chaos v4.0, and Chaos v5.0 entries.

Note: Two decryptors exist for Yashma, including the original decryptor from Truesec. See below.

The Yashma builder is a fork of the Chaos v5.0 builder with very minor differences. They are:

• The encryptors now have a geographic check for CIS countries.
• The ability to stop background services.

It is believed that Yashma is a fork of Chaos v5.0 created by Iranian-based threat actors who are different from the original creators of the Chaos ransomware builders. However, based on Rakesh Krishnan's research, these two entities are also believed to have some relationship.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v50

Note: This page is dedicated to the Chaos v5.0 ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, Chaos v3.0, and Chaos v4.0 entries.

Note: A decryptor exists for Chaos v3.0 through Yashma. See below.

The Chaos v5.0 builder expands on the Chaos v4.0 builder with only minor differences. They are:

• The encryption algorithm now allows users to encrypt all files. The source code includes functions for "AES_Encrypt_Large" and "AES_Encrypt_Small."
• Task Manager disabling.
• Random salt generation.
• More granular system checks for encryption algorithms.
• A refined decryptor.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v40

Note: This page is dedicated to the Chaos v4.0 ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, and Chaos v3.0 entries.

Note: A decryptor exists for Chaos v3.0 through Yashma. See below.

The Chaos v4.0 builder expands on the Chaos v3.0 builder with similar functionalities. Here are the main differences:

• The encryption algorithm now allows users to encrypt files up to 2 MB instead of 1 MB.
• Minor tweaks to random data generation.
• The target files list is customizable.
• Now includes ransom note and ability to change the desktop wallpaper.