Ransomware Tracker (Entry #240): Chaos v4.0

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/yashma

Note: This page is dedicated to the Yashma (Chaos v6.0) ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, Chaos v3.0, Chaos v4.0, and Chaos v5.0 entries.

Note: Two decryptors exist for Yashma, including the original decryptor from Truesec. See below.

The Yashma builder is a fork of the Chaos v5.0 builder with very minor differences. They are:

• The encryptors now have a geographic check for CIS countries.
• The ability to stop background services.

It is believed that Yashma is a fork of Chaos v5.0 created by Iranian-based threat actors who are different from the original creators of the Chaos ransomware builders. However, based on Rakesh Krishnan's research, these two entities are also believed to have some relationship.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v50

Note: This page is dedicated to the Chaos v5.0 ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, Chaos v3.0, and Chaos v4.0 entries.

Note: A decryptor exists for Chaos v3.0 through Yashma. See below.

The Chaos v5.0 builder expands on the Chaos v4.0 builder with only minor differences. They are:

• The encryption algorithm now allows users to encrypt all files. The source code includes functions for "AES_Encrypt_Large" and "AES_Encrypt_Small."
• Task Manager disabling.
• Random salt generation.
• More granular system checks for encryption algorithms.
• A refined decryptor.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v30

Note: This page is dedicated to the Chaos v3.0 ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 and Chaos v2.0 entries.

Note: A decryptor exists for Chaos v3.0 through Yashma. See below.

The Chaos v3.0 builder is similar to Chaos v2.0. However, this is the first iteration of Chaos that truly encrypts files instead of only wiping them. Here are the main differences:

• You have the option to encrypt files or wipe them. If you choose to encrypt files, it will only do so for files 1 MB or less, using AES-256-CBC. All files larger than 1 MB are wiped.
• The encryption scheme borrows from the open-source Hidden Tear ransomware.
• Minor tweaks to random data generation.
• Expanded target files list.
• Builder comes with a decryptor generator, too.