A slip-up by a malware author has allowed researchers to taxonomize three ransomware variations going by different names.
For a year now, threat actors have been using different versions of the same ransomware builder – “Chaos” – to attack governments, corporations and healthcare facilities. Now researchers from Blackberry have connected the dots, painting a picture of a malware that has evolved five times in twelve months.
“The clues surfaced during a discussion between a recent victim and the threat group behind Onyx ransomware, taking place on the threat actor’s leak site,” the researchers noted in a new report. The Onyx ransomware group were threatening to publish said victim’s data to the internet when, in soap opera fashion, a third party entered the chat stating:
“Hello… this is my very old version of ransomware… I updated many thing and it is faster decryptable… there is no limit in new version…”
Onyx was, evidently, just an outdated Chaos build. The proclaimed author of Chaos kindly offered the Onyx group their newest version of Chaos, renamed “Yashma.”
In case you’ve already lost track, let’s break it down:
Chaos Started as a Scam
“The Chaos author’s apparent intent of ‘outing’ Onyx as a copycat is particularly ironic,” the researchers wrote, “given the origins of Chaos.”
The first version of Chaos began to make rounds on the dark web in June, 2021. Named “Ryuk .Net Ransomware Builder v1.0,” it was marketed as a builder for the famous Ryuk ransomware family. It even sported Ryuk branding on its user interface.
Being associated with such a big name yielded attention from reverse-engineers, cybersecurity researchers and cybercriminals alike. But nobody could find any real links between this builder and the real Ryuk ransomware, or the Wizard Spider group behind it. Clearly Ryuk .Net Ransomware Builder v1.0 was a fraud, and “the response to this ham-handed tactic was so negative,” noted Blackberry’s researchers, that “it prompted the threat’s creator to drop the Ryuk pretense and quickly rebrand its new creation as ‘Chaos.’”
How Chaos Has Evolved
Shortly after its rebrand, the author behind Chaos worked to distinguish their builder. Chaos 2.0 was “more refined” than its initial version, “generating more advanced ransomware samples” that could:
- Delete shadow copies
- Delete backup catalogs
- Disable Windows recovery mode
But Chaos was still more a destructor than a ransomware, because it lacked any mechanism for file recovery, even if a ransom was paid. That bug was fixed less than a month later, in Chaos version 3.0.
The next upgrade, 4.0, was in the wild for months before it gained notoriety in April, 2022, thanks to the ransomware group “Onyx.” Onyx would infiltrate enterprise networks, steal valuable data, then drop their “Onyx ransomware.” This malware was really just a knock-off of Chaos 4.0, though. When Blackberry analyzed samples of both, they found a 98% overlap.