The Chaos ransomware builder started out last year as a buggy and unconvincing impersonation of the notorious Ryuk ransomware kit. It has since gone through active development and rapid improvements that have convinced different attacker groups to adopt it. The latest version, dubbed Yashma, was first observed in the wild in mid-May and contains several enhancements.
One successful ransomware operation known as Onyx hit U.S.-based emergency services, medical facilities and organizations from several other industries over the past year. It uses a variation of the Chaos ransomware, according to security researchers.
“What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability,” researchers from BlackBerry said in a new report. “As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims.”
Chaos ransomware’s humble beginnings and aggressive marketing
The Chaos ransomware builder appeared around June 2021 under the name Ryuk .NET Ransomware Builder v1.0. A builder is a closed-source program that malware authors provide to their customers that allows them to customize the malware and generate a malicious binary with those properties that they can use. This allows different cybercriminal groups that acquired the same malware program to use different command-and-control servers, for example, or to customize their malware for each victim.
Despite the name, the Ryuk .NET Ransomware Builder had nothing to do with the Ryuk ransomware program that infected hundreds of organizations worldwide since 2018. Ryuk is the creation of a group tracked in the security industry as Wizard Spider, which is believed to be responsible for the creation of Ryuk’s successor, called Conti, as well as the TrickBot botnet.
According to the BlackBerry researchers, when the Ryuk .NET Ransomware Builder was first promoted on underground forums, the reception from cybercriminals was negative. Many didn’t appreciate the false advertising using Ryuk’s name, especially since the ransomware created by the builder lacked many features and acted as a file wiper.
The malware targeted over 100 file extensions but was designed to overwrite files with a randomized Base64 string. Unlike encryption, this process is not reversible, so it permanently destroyed the files.
The ransomware author reacted to the negative feedback and starting with version 2 it renamed his builder and ransomware as Chaos. However, it was only from version 3 that the malware gained the ability to encrypt files with the AES and RSA algorithms, but only files smaller than 1MB. This was further increased to files under 2MB in Chaos Builder v4.0, which was released in August along with other improvements and features including the ability to change the victim’s desktop wallpaper to show the ransom note, customizable file-extension lists, graphic user interface for the builder’s users, preventing recovery by deleting Windows file system shadow copies and backup catalogs, as well as disabling WIndows recovery mode.
Onyx cybercriminal group enters the scene
Version 4.0 of Chaos builder was also significant because in April 2022 it was adopted by a cybercriminal group calling itself Onyx, which also implemented the double data leak extortion strategy that’s common with most ransomware gangs these days.
“Unlike the default Chaos ransom note, which provided little in the way of instructions or guidance to affected victims, the group behind Onyx implemented a leak site called ‘Onyx News,’ hosted via an Onion page on the anonymous Tor network,” the BlackBerry researchers said. “Onyx used it to give victims more information on how to recover their data. The ransom note for Onyx gave the address, login and password credentials that enabled the victim to logon and engage in a discussion with the threat actors behind the ransomware attack.”
However, ransomware victims and security researchers quickly found that the Onyx ransomware destroyed files larger than 2MB and that was because of the encryption limitation in the Chaos ransomware with which it shared 98% of its code.
The BlackBerry researchers also came across a conversation between the Onyx gang and one of the victims on the negotiation site where someone claiming to be the creator of the Chaos builder tried to promote the latest version of their ransomware and clarify that it no longer has this 2MB file limitation. The alleged Chaos creator also took the opportunity to confirm that Onyx is based on an older version of his program.
During its short lifespan, the Onyx gang has attacked U.S.-based organizations from the finance, business, medical and agriculture sectors, as well as emergency services. While it’s not clear what the relationship between the Onyx gang and the Chaos creator is, the gang’s success could generate more interest in the Chaos builder from other cybercriminals, especially since the encryption limitations have now been fixed.
A serious problem with the Onyx attacks is that many files are destroyed, which goes against the practices of many ransomware pushers. Even though there have been many exceptions over time, historically most ransomware gangs have delivered on their promise of decrypting files. The likely reason is reputational because they want victims to be able to trust their claims and pay up.
According to Malwarebytes researcher Christopher Boyd, this criminal circle of trust has eroded in recent years because some groups have continued the extortion after being paid. There are also now many more groups engaging in this sort of activity than before and they pop up and disappear quite frequently leaving victims without a solution. Then there’s faulty ransomware like Onyx (Chaos) that makes recovery impossible.
“In 2022, any pretense of expectations or trust from ransomware authors has sailed into the mist, never to return,” Boyd said in a blog post in April. “Ransomware is now too big and too unwieldy to make any real sense of expected operation. What we can expect is for extortion to continue even after the ransom has been paid. As the article notes, a combination of RaaS [ransomware as a service] being fairly short lived and affiliates mostly doing their own thing regardless of main group expectations means it’s pretty much a free for all.”
From Chaos to Yashma
The encryption issue was fixed in Chaos version 5, which was released in early 2022, making the ransomware much slower but able to encrypt all file sizes. This version also added a more refined decryptor and the capability of encrypting files beyond those on the C: drive, making it more dangerous, but its creator wasn’t done.
In May, the ransomware builder was rebranded yet again with the release of version 6, which is now called Yashma. This version added the ability of attackers to configure the ransomware not to run depending on the language set on the victim’s device. This is a technique often used by malware authors to prevent infecting computers in their own country or region, which would attract the interest of local law enforcement. In addition, Yashma can also now stop various services running on victims’ computers including antivirus programs, backup services, storage services, remote desktop services and credential vault services.
There have been few infections with Yashma in the wild so far, but these could easily increase, especially since the builder is easily available on underground forums. There are even leaked versions of it that cybercriminals don’t have to pay for.
“Tracking ransomware attacks attributed to Chaos [is] quite difficult, as indicators of compromise (IOCs) can change with each sample a malware builder produces,” the BlackBerry researchers said. “Additionally, even the most novice threat actors can find links to releases and leaks of this threat on either dark web forums or third-party malware repositories, and then use Chaos/Yashma to carry out future malicious activities.”
The BlackBerry researchers included known indicators of compromise as well as YARA detection rules in their report.