[BreachExchange] Chaos Malware: The Amalgam of Ransomware and Wiper

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Aug 18 11:04:57 EDT 2021


https://www.ehackingnews.com/2021/08/chaos-malware-amalgam-of-ransomware-and.html

A new strain of malware called Chaos, which is still under active
development, has been discovered by security researchers. The malware was
first spotted in June 2021 and has already gone through four different
versions, the most recent of which was released on August 5.

According to Trend Micro security researcher Monte de Jesus, this rapid
pace of development indicates that the malware may soon be ready for use
in real-world attacks.

An attacker promoting Chaos initially claimed that the malware was a .NET
variant of Ryuk ransomware, but analysis of the samples uncovered that it
is closer to a destructive trojan or wiper than to traditional ransomware.

“Instead of encrypting files (which could then be decrypted after the
target paid the ransom), it replaced the files’ contents with random bytes,
after which the files were encoded in Base64. This meant that affected
files could no longer be restored, providing victims no incentive to pay
the ransom,” de Jesus explained.
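The overwrite-then-Base64 behaviour described above has a practical consequence for incident responders: a file that is well-formed Base64 whose decoded payload is statistically random was destroyed, not encrypted, and no key or decryptor will bring it back. The Python script below is an added example, not part of the original post or of Trend Micro's analysis; it triages a handful of in-memory sample files (constructed here, not taken from a real incident) by checking for exactly that signature. The entropy threshold, the minimum payload length and the verdict labels are assumptions chosen for the example.

```python
import base64
import binascii
import math
import random
from collections import Counter

# Heuristic thresholds: assumptions for this example, not values from the article.
HIGH_ENTROPY_BITS = 7.5   # uniformly random bytes score close to 8.0 bits/byte
MIN_DECODED_LEN = 64      # entropy is not meaningful on a handful of bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def strict_base64_decode(content: bytes):
    """Return the decoded bytes if content is well-formed Base64, else None.

    Whitespace is stripped first so line-wrapped encoders are accepted too;
    any other non-alphabet byte or bad padding rejects the candidate.
    """
    compact = b"".join(content.split())
    if not compact or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify(content: bytes) -> str:
    """Label one file's content with a coarse triage verdict."""
    if not content:
        return "EMPTY"
    decoded = strict_base64_decode(content)
    if decoded is not None and len(decoded) >= MIN_DECODED_LEN:
        if shannon_entropy(decoded) >= HIGH_ENTROPY_BITS:
            # Random bytes wrapped in Base64: the pattern the article attributes to
            # Chaos v1/v2. No key was ever involved, so nothing can restore the file.
            return "WIPED_BASE64_RANDOM"
        return "BASE64_TEXT"
    if len(content) >= MIN_DECODED_LEN and shannon_entropy(content) >= HIGH_ENTROPY_BITS:
        # Could be encrypted (the v3/v4 behaviour) or merely compressed; check the
        # magic bytes and extension before concluding anything.
        return "HIGH_ENTROPY_BINARY"
    return "LOW_ENTROPY"


def pseudo_random_bytes(n: int, seed: int = 1234) -> bytes:
    """Deterministic stand-in for the random bytes a wiper would write."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def build_samples() -> dict:
    """Constructed in-memory 'files' for the demo (not real incident data)."""
    config = b"[database]\nhost=db01.corp.example\nuser=app\npassword=hunter2\n" * 4
    return {
        "Q3-report.docx": base64.b64encode(pseudo_random_bytes(4096)),  # simulated v1/v2 overwrite
        "notes.txt": b"Meeting moved to Thursday. Bring the vendor contract.\n",
        "settings.b64": base64.b64encode(config),                       # legitimately Base64-encoded text
        "backup.tar.gz": pseudo_random_bytes(4096),                     # high entropy, not Base64-wrapped
    }


def triage(files: dict) -> dict:
    """Map each file name to its verdict."""
    return {name: classify(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, verdict in triage(build_samples()).items():
        print(f"{name:16} {verdict}")
```

Run against a real directory, the same `classify` call on each file's bytes gives a quick answer to the first question a victim asks: is there anything left to decrypt? Legitimately Base64-encoded binaries (certificates, compressed blobs) will also land in the wiped bucket, so treat the verdict as a lead to confirm against the ransom note, file timestamps and the sample's behaviour, not as proof on its own.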

Modus operandi of Chaos Malware

The first version of Chaos is especially dangerous because of its worming
functionality: the malware can copy itself to every removable drive
attached to a compromised system. “This could permit the malware to jump onto
removable drives and escape from air-gapped systems,” de Jesus said.

After installation, this first version of Chaos searched for specific file
paths and extensions to target, then dropped a ransom note demanding a
payment of 0.147 BTC, roughly $6,600 at the time.

Chaos 2.0 added the ability to delete volume shadow copies and the backup
catalog to hinder recovery, and to disable Windows recovery mode, but it
still offered no way to restore the files it had damaged.

“However, version 2.0 still overwrote the files of its targets. Members of
the forum where it was posted pointed out that victims wouldn’t pay the
ransom if their files couldn’t be restored,” de Jesus added.
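Shadow-copy deletion, backup-catalog deletion and disabling Windows recovery are among the most reliable early signals of a ransomware or wiper run, whatever the family, and they usually fire seconds before the overwriting or encryption starts. The Python detection below is an added example, not part of the original post and not derived from the Chaos sample. It runs a small rule set over constructed process-creation events in a simplified pipe-delimited form and correlates matches per host and parent process. The command lines it looks for (vssadmin, wmic, wbadmin, bcdedit) are the usual ways of achieving the three effects the article names and are assumed here, not quoted from the malware.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not real telemetry), pipe-delimited:
# timestamp|host|parent_image|image|command_line
SAMPLE_EVENTS = [
    "2021-08-18T10:14:02Z|WS-042|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
    "2021-08-18T10:14:03Z|WS-042|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
    "2021-08-18T10:14:03Z|WS-042|C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c wbadmin delete catalog -quiet",
    "2021-08-18T11:02:41Z|SRV-BKP|C:\\Windows\\System32\\mmc.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2021-08-18T11:05:10Z|SRV-BKP|C:\\Windows\\System32\\mmc.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=D: /oldest",
    "2021-08-18T11:30:00Z|SRV-BKP|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c Get-Process",
]

# Typical command lines for the three effects the article attributes to Chaos 2.0.
# Assumed for this example; they are not command lines extracted from the sample.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# A parent binary running from a user-writable location is a strong aggravating factor.
USER_WRITABLE_PARENT = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one pipe-delimited record; the command line may itself contain no pipes here."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return Event(ts, host, parent, image, cmdline)


def match_techniques(cmdline: str) -> set:
    """Names of the recovery-inhibition techniques present in one command line."""
    return {name for name, rx in RULES if rx.search(cmdline)}


def detect(lines) -> list:
    """Correlate rule hits per (host, parent process) and assign a severity."""
    seen = {}
    for line in lines:
        ev = parse_event(line)
        techs = match_techniques(ev.cmdline)
        if not techs:
            continue
        entry = seen.setdefault((ev.host, ev.parent), {"first_seen": ev.ts, "techniques": set()})
        entry["techniques"] |= techs
    alerts = []
    for (host, parent), entry in seen.items():
        techs = sorted(entry["techniques"])
        # Two or more distinct techniques from one parent, or any technique launched from a
        # user-writable path, is treated as a ransomware/wiper pre-encryption chain.
        high = len(techs) >= 2 or USER_WRITABLE_PARENT.search(parent) is not None
        alerts.append({
            "host": host,
            "parent": parent,
            "first_seen": entry["first_seen"],
            "techniques": techs,
            "severity": "high" if high else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']:6}] {a['host']} {a['first_seen']} parent={a['parent']} "
              f"techniques={','.join(a['techniques'])}")
```

The single `vssadmin delete shadows` from the backup server's console only rates medium, which is the right default: administrators do prune shadow copies. The full chain from a binary in a user's Temp directory rates high and should page someone, because by the time the second command lands the overwrite or encryption loop is usually already running.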

Version 3.0 added encryption to the mix: it could now encrypt files under
1 MB using AES/RSA encryption and came with a decryptor builder.

The latest version of Chaos, released on August 5, extends encryption to
files of up to 2 MB in size. It also lets operators append a custom
extension of their choosing to encrypted files.

According to a recent mid-year report from SonicWall, ransomware has been
growing at a rapid pace in 2021, with global attack volume in the first
half of the year up sharply compared to the same period the previous year.

“In our view, the Chaos ransomware builder is still far from being a
finished product since it lacks features that many modern ransomware
families possess, such as the ability to collect data from victims that
could be used for further blackmail if the ransom is not paid. In the hands
of a malicious actor who has access to malware distribution and deployment
infrastructure, it could cause great damage to organizations,” de Jesus
concluded.