2022-05-31

The Web of Chaos Ransomware

Industries: Agriculture, Construction, Finance, Medical | Level: Tactical | Source: BlackBerry

The BlackBerry research team has explored the influence of Chaos ransomware by reviewing conversations between threat actors associated with Onyx and Chaos ransomware. A user under the account name "ampkcz", claiming to be the author of Chaos ransomware, revealed that Onyx was derived from the Chaos v4.0 Ransomware Builder. Tracing Chaos ransomware versions, version 4 has been observed in the wild since August 2021. Onyx ransomware was first observed in April 2022, with a leak site launched shortly after. Code comparison between Onyx and Chaos shows a 98% similarity. A new version of Chaos, named Yashma, has also been promoted by Chaos ransomware's author as the 6th and latest version of the malware. Chaos has been observed in the wild since June 2021 and was initially advertised as "Ryuk .NET Builder". Although no relationship with the Wizard Spider threat group or Ryuk was identified, it is likely the threat actor was only borrowing the Ryuk name. Reviews of Chaos ransomware in its early versions were "resoundingly negative." The malware iterated quickly; the first version behaved more like a wiper, with limited encryption capabilities. Ransomware tracking could become more difficult as attackers adopt the pattern of building their own malware from builders such as Chaos/Yashma and Onyx. Victims of Chaos ransomware tracked so far span industries including emergency services, medical, finance, construction, and agriculture.

Anvilogic Use Cases:

  • Executable Process from Suspicious Folder
  • Registry key added with reg.exe
  • New AutoRun Registry Key
  • Symbolic OR Hard File Link Created
  • Inhibit System Recovery Commands
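As an added example (not code from the original report and not Anvilogic's own detection content), the helper below maps Windows process-creation events (Sysmon Event ID 1 / Security 4688 style) onto the five use cases listed above. The event field names, directory list, command-line patterns and the sample events themselves are constructed assumptions for illustration; the patterns reflect well-known techniques (reg.exe writes to Run keys, mklink/fsutil link creation, vssadmin/wbadmin/bcdedit recovery tampering) rather than anything attributed to Chaos, Onyx or Yashma by the report.

```python
import re
from typing import Callable, Dict, List

# Constructed sample events; these are not from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" '
                r'/v svchost /t REG_SZ /d "C:\Users\alice\AppData\Local\Temp\svchost.exe" /f'},
    {"image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c mklink /H C:\Users\Public\x.jpg C:\Users\alice\Documents\report.docx"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Assumed list of user-writable staging directories (lower-cased for matching).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\", "\\windows\\temp\\",
    "\\programdata\\", "\\users\\public\\",
)

# Run/RunOnce/RunServices keys under CurrentVersion are the classic autorun locations.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce|RunServices)\b", re.I)

# mklink (symbolic, directory or /H hard link) and fsutil hardlink create.
LINK_CREATE = re.compile(r"\bmklink\b|\bfsutil(?:\.exe)?\s+hardlink\s+create\b", re.I)

# Commands that delete or disable recovery data (MITRE ATT&CK T1490).
RECOVERY_INHIBIT = re.compile(
    r"vssadmin(?:\.exe)?\s+(?:delete\s+shadows|resize\s+shadowstorage)"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)"
    r"|bcdedit(?:\.exe)?\s+.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    re.I,
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def from_suspicious_folder(ev: Dict[str, str]) -> bool:
    # Only the image path is checked; a benign tool *referencing* a temp path is not a hit.
    return any(d in ev["image"].lower() for d in SUSPICIOUS_DIRS)


def reg_key_added(ev: Dict[str, str]) -> bool:
    return _basename(ev["image"]) == "reg.exe" and re.search(r"\badd\b", ev["cmdline"], re.I) is not None


def new_autorun_key(ev: Dict[str, str]) -> bool:
    # Require an actual write (reg add) to a Run-style key, not just a query.
    return reg_key_added(ev) and AUTORUN_KEY.search(ev["cmdline"]) is not None


def link_created(ev: Dict[str, str]) -> bool:
    return LINK_CREATE.search(ev["cmdline"]) is not None


def recovery_inhibited(ev: Dict[str, str]) -> bool:
    return RECOVERY_INHIBIT.search(ev["cmdline"]) is not None


# Use-case names as listed on the page, in page order.
RULES: List[tuple] = [
    ("Executable Process from Suspicious Folder", from_suspicious_folder),
    ("Registry key added with reg.exe", reg_key_added),
    ("New AutoRun Registry Key", new_autorun_key),
    ("Symbolic OR Hard File Link Created", link_created),
    ("Inhibit System Recovery Commands", recovery_inhibited),
]


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of every use case the event satisfies."""
    return [name for name, pred in RULES if pred(ev)]


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each use case to the command lines that triggered it (empty lists omitted)."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for name in evaluate(ev):
            hits.setdefault(name, []).append(ev["cmdline"])
    return hits


if __name__ == "__main__":
    for name, cmds in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {len(cmds)} event(s)")
```

Each rule is a single, noisy signal on its own (installers legitimately write Run keys, and administrators do resize shadow storage); the value for ransomware triage comes from seeing several of these fire on one host in a short window, which is why `triage` keeps the per-use-case hits rather than collapsing them into one alert.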
