Ransomware Tracker (Entry #241): Chaos v5.0

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/yashma

Note: This page is dedicated to the Yashma (Chaos v6.0) ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, Chaos v3.0, Chaos v4.0, and Chaos v5.0 entries.

Note: Two decryptors exist for Yashma, including the original decryptor from Truesec. See below.

The Yashma builder is a fork of the Chaos v5.0 builder with very minor differences. They are:

• The encryptors now have a geographic check for CIS countries.
• The ability to stop background services.

It is believed that Yashma is a fork of Chaos v5.0 created by Iranian-based threat actors who are different from the original creators of the Chaos ransomware builders. However, based on Rakesh Krishnan's research, these two entities are also believed to have some relationship.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v40

Note: This page is dedicated to the Chaos v4.0 ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0, Chaos v2.0, and Chaos v3.0 entries.

Note: A decryptor exists for Chaos v3.0 through Yashma. See below.

The Chaos v4.0 builder expands on the Chaos v3.0 builder with similar functionalities. Here are the main differences:

• The encryption algorithm now allows users to encrypt files up to 2 MB instead of 1 MB.
• Minor tweaks to random data generation.
• The target files list is customizable.
• Now includes ransom note and ability to change the desktop wallpaper.

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v30

Note: This page is dedicated to the Chaos v3.0 ransomware builder and does not reflect any encryptors created from the builder.

Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 and Chaos v2.0 entries.

Note: A decryptor exists for Chaos v3.0 through Yashma. See below.

The Chaos v3.0 builder is similar to Chaos v2.0. However, this is the first iteration of Chaos that truly encrypts files instead of only wiping them. Here are the main differences:

• You have the option to encrypt files or wipe them. If you choose to encrypt files, it will only do so for files 1 MB or less, using AES-256-CBC. All files larger than 1 MB are wiped.
• The encryption scheme borrows from the open-source Hidden Tear ransomware.
• Minor tweaks to random data generation.
• Expanded target files list.
• Builder comes with a decryptor generator, too.