For a year now, threat actors have been using different versions of the same ransomware builder Chaos to attack governments, corporations and healthcare facilities. Now researchers from Blackberry have connected the dots, painting a picture of a malware that has evolved five times in twelve months.
The clues surfaced during a discussion between a recent victim and the threat group behind Onyx ransomware, taking place on the threat actor's leak site, the researchers noted in a new report. The Onyx ransomware group was threatening to publish the victim's data on the internet when, in soap opera fashion, a third party entered the chat stating:

> Hello this is my very old version of ransomware I updated many thing and it is faster decryptable there is no limit in new version
Onyx was, evidently, just an outdated Chaos build. The proclaimed author of Chaos kindly offered the Onyx group their newest version of Chaos, renamed Yashma.
In case you've already lost track, let's break it down:
## Chaos Started as a Scam
The Chaos author's apparent intent of outing Onyx as a copycat is particularly ironic, the researchers wrote, given the origins of Chaos.
The first version of Chaos began to make the rounds on the dark web in June 2021. Named Ryuk .Net Ransomware Builder v1.0, it was marketed as a builder for the famous Ryuk ransomware family. It even sported Ryuk branding on its user interface.
Being associated with such a big name yielded attention from reverse engineers, cybersecurity researchers and cybercriminals alike. But nobody could find any real links between this builder and the real Ryuk ransomware, or the Wizard Spider group behind it. Clearly Ryuk .Net Ransomware Builder v1.0 was a fraud, and the response to this ham-handed tactic was so negative, noted Blackberry's researchers, that it prompted the threat's creator to drop the Ryuk pretense and quickly rebrand its new creation as 'Chaos'.
## How Chaos Has Evolved
Shortly after its rebrand, the author behind Chaos worked to distinguish their builder. Chaos 2.0 was more refined than its initial version, generating more advanced ransomware samples that could:
* Delete shadow copies
* Delete backup catalogs
* Disable Windows recovery mode
But Chaos was still more a destructor than ransomware, because it lacked any mechanism for file recovery, even if a ransom was paid. That bug was fixed less than a month later, in Chaos version 3.0.
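The three Chaos 2.0 behaviours listed above (shadow copy deletion, backup catalog deletion, disabling Windows recovery) are what a defender most wants to catch early, since they precede encryption. The following is an added detection example, not code from the Blackberry report; the report does not say which commands Chaos issues, so the patterns below assume the common Windows built-ins used for each behaviour, and the log lines are constructed samples in a simplified `<time> <image> <command line>` format.

```python
import re

# Assumed command patterns for each behaviour named in the article (the
# page does not state how Chaos implements them); matched case-insensitively.
PATTERNS = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    ],
    "backup_catalog_deletion": [
        re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I),
    ],
}

def classify_command(cmdline):
    """Return the behaviour category a command line matches, or None."""
    for category, regexes in PATTERNS.items():
        if any(rx.search(cmdline) for rx in regexes):
            return category
    return None

def flag_backup_tampering(log_lines):
    """Scan process-creation lines of the form '<time> <image> <cmdline>'.
    Returns [(line_no, category, cmdline)] for each matching line. A host
    hitting all three categories in a short window is a strong
    ransomware-precursor signal regardless of family."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        category = classify_command(parts[2])
        if category:
            hits.append((n, category, parts[2]))
    return hits

# Constructed sample log lines (not from the report).
SAMPLE_LOG = [
    "2022-05-01T10:00:01Z C:\\Windows\\System32\\cmd.exe cmd.exe /c vssadmin delete shadows /all /quiet",
    "2022-05-01T10:00:02Z C:\\Windows\\System32\\cmd.exe cmd.exe /c wbadmin delete catalog -quiet",
    "2022-05-01T10:00:03Z C:\\Windows\\System32\\cmd.exe cmd.exe /c bcdedit /set {default} recoveryenabled no",
    "2022-05-01T10:05:00Z C:\\Windows\\System32\\notepad.exe notepad.exe C:\\Users\\a\\notes.txt",
]

if __name__ == "__main__":
    for hit in flag_backup_tampering(SAMPLE_LOG):
        print(hit)
```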
The next upgrade, 4.0, was in the wild for months before it gained notoriety in April 2022, thanks to the ransomware group Onyx. Onyx would infiltrate enterprise networks, steal valuable data, then drop their Onyx ransomware. This malware was really just a knock-off of Chaos 4.0, though. When Blackberry analyzed samples of both, they found a 98% overlap.