
Chaos Ransomware


Chaos ransomware is a malware family known for its destructive capabilities and diverse variants. It first appeared in 2021 as a ransomware builder and later acted as a wiper. Unlike most ransomware strains that encrypt data to extort payment, early Chaos variants permanently corrupted files, while later versions adopted more conventional encryption techniques.

Type: Ransomware
Origin: Unknown
First seen: 1 June, 2021
Last seen: 11 February, 2026
Also known as: Yashma


IOCs

IP addresses: 170.178.168.203
Domains: moonpay.com, almondtradingltd.com


What is Chaos Ransomware?

Observed since 2021, Chaos Ransomware has undergone an eventful yet rapid evolution. At its early stage, it branded itself as “Ryuk .Net Ransomware Builder” and mimicked Ryuk ransom notes, but it actually had little in common with Ryuk. Later it became known as Yashma and was spotted functioning as a wiper, a remote access trojan (RAT), and a DDoS botnet (Kaiji variant).

Written in Golang, it targets both Windows and Linux systems across various hardware architectures. Unlike traditional ransomware, Chaos often corrupts files beyond recovery rather than providing a decryption option, making it particularly dangerous.

The malware attacks critical infrastructure sectors like manufacturing, healthcare, and energy, but it is also a constant menace to SMEs with limited cybersecurity resources, since its low-cost deployment via ransomware-as-a-service (RaaS) models makes it accessible to less sophisticated cybercriminals.

Chaos ransomware employs common yet effective methods to gain initial access to networks:

  • Phishing and Social Engineering;
  • Exploit Kits and Vulnerabilities (e.g. misconfigured Apache Tomcat servers);
  • Malvertising and Compromised Websites (particularly those running outdated CMS versions, e.g. WordPress);
  • Remote Code Execution (RCE), often targeting weak authentication protocols or unpatched software;
  • Fake Software Updates;
  • Trojanized Installers or cracked software (commonly found on torrent sites);
  • Post-Exploitation Deployment via tools like Cobalt Strike or remote access trojans (RATs).


Chaos Ransomware’s Prominent Features

Chaos is notable for:

  • Widespread availability: Chaos as a ransomware builder allows even low-skilled actors to create their own variants.
  • Fast mutation: the ease of customization leads to countless versions, making signature-based defenses ineffective.
  • Dual-purpose use: Chaos can be used both as ransomware and as a wiper, making it appealing for political or destructive campaigns.
  • Irrecoverable data loss: early versions destroy files rather than encrypt them.

Once inside, Chaos affiliates use tools like Angry IP Scanner, Nmap, or PowerShell to map networks and identify high-value targets for encryption or data exfiltration.

Once deployed, Chaos ransomware follows a typical ransomware kill chain. It ensures persistence by leveraging system startup scripts, such as init.d or systemd, to execute malicious files (e.g., /boot/System.img.config) on boot. Then it encrypts files and may exfiltrate sensitive data for double-extortion tactics. A ransom note is generated, demanding payment in cryptocurrency.

The malware may attempt to disable recovery features and security tools and delete shadow copies. Evasion techniques include code obfuscation, packing and encryption, fileless execution in some versions, and use of legitimate certificates in rare cases. Polymorphism is also important: multiple Chaos builds differ in structure and behavior, frustrating signature-based antivirus tools.

Chaos’s Execution Process and Technical Details

A sample of Chaos ransomware can be thoroughly studied in the safe environment of ANY.RUN’s Interactive Sandbox, where its processes, artifacts, and typical kill chain can be observed.

View Chaos in action.

[Figure: Chaos Ransomware sample in ANY.RUN's Interactive Sandbox]

The execution chain of Chaos ransomware typically starts with phishing emails that carry malicious LNK shortcuts. Opening one of these files launches obfuscated PowerShell commands that retrieve a self-extracting archive from a remote server. The archive contains the Chaos ransomware executable together with loaders for additional malware. Once run, Chaos copies itself to a hidden location such as %AppData%\windowsdefender.exe and achieves persistence by placing a shortcut in the Windows Startup folder, guaranteeing execution after every reboot.

[Figure: Chaos processes graph]

After persistence is in place, Chaos spawns a new process to encrypt the victim’s files. It targets specific extensions to maximize damage and uses vssadmin, WMIC, wbadmin, and bcdedit to delete shadow copies and disable other backup mechanisms. By scanning the file system and encrypting valuable data, it effectively blocks the user’s access. Chaos ransomware also changes the desktop wallpaper on the infected system.
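As an added example (not code from ANY.RUN or the page), the following Python routine runs a handful of detection rules over constructed process and file events, flagging the vssadmin/WMIC/bcdedit/wbadmin recovery-inhibition commands and the Startup-folder shortcut persistence described above. The pipe-separated event format, the rule names and the sample paths are assumptions made for illustration.

```python
import re

# Constructed sample telemetry (not taken from a sandbox report), one event per line:
# "type|image|detail", where detail is a command line for "proc" or a written path for "file".
SAMPLE_EVENTS = """\
proc|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
proc|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
proc|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no
proc|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet
proc|C:\\Users\\victim\\AppData\\Roaming\\windowsdefender.exe|windowsdefender.exe
file|C:\\Users\\victim\\AppData\\Roaming\\windowsdefender.exe|C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\windowsdefender.lnk
proc|C:\\Windows\\explorer.exe|explorer.exe
""".splitlines()

# Each rule: (hypothetical rule name, event type it applies to, regex over the detail field).
RULES = [
    ("inhibit_recovery_vssadmin", "proc", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("inhibit_recovery_wmic", "proc", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("inhibit_recovery_bcdedit", "proc", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("inhibit_recovery_wbadmin", "proc", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    # A .lnk dropped into the per-user Startup folder, as the page describes for persistence.
    ("startup_folder_lnk", "file", re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
]
# A process image under a user's AppData directory whose name imitates a security product.
APPDATA_LOOKALIKE = re.compile(r"\\AppData\\.*\\(windowsdefender|defender|antivirus)[^\\]*\.exe$", re.I)


def evaluate(events):
    """Return a list of (rule_name, image) hits for the given event lines."""
    hits = []
    for line in events:
        etype, image, detail = line.split("|", 2)
        for name, rtype, pattern in RULES:
            if etype == rtype and pattern.search(detail):
                hits.append((name, image))
        if etype == "proc" and APPDATA_LOOKALIKE.search(image):
            hits.append(("appdata_security_lookalike", image))
    return hits


def verdict(events):
    """Chaos-like behaviour: at least one recovery-inhibition command plus Startup-folder persistence."""
    names = {name for name, _ in evaluate(events)}
    recovery = any(n.startswith("inhibit_recovery_") for n in names)
    return recovery and "startup_folder_lnk" in names


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("chaos-like:", verdict(SAMPLE_EVENTS))
```

Requiring both a recovery-inhibition hit and a persistence artifact keeps a lone administrative `vssadmin` or `wbadmin` run from firing the combined verdict on its own.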

When encryption is complete, Chaos may contact its command-and-control (C2) server to upload encryption keys and system details. This channel also delivers ransom-payment instructions and, if the attackers choose, additional payloads or a decryption key once payment is confirmed. Finally, the victim receives a ransom note outlining the steps required to regain access to their data.

What are the best-known Chaos attacks?

  • “File Corruption” Campaigns (2021–2022). Many victims reported irrecoverable data loss instead of encryption. These attacks mostly hit small businesses and individuals. Chaos spread widely across forums, affecting users who downloaded pirated software or opened phishing emails.
  • Targeting Healthcare & Education Sectors (2022). Chaos ransomware builders were used in several attacks against small hospitals, private schools and colleges, and municipal organizations. Systems were mostly rendered unusable even if ransoms were paid.
  • CHAOS 4.0 & 5.0 “Actual Encryption” Campaigns. More organized groups began using Chaos as an entry-level extortion tool, but these versions still lacked features of advanced ransomware (like data exfiltration). These versions switched from file destruction to proper AES encryption.

Chaos ransomware is not associated with famous victim names because:

  • It’s a ransomware builder, not a specific group’s tool.
  • It’s used by script kiddies, lone hackers, and non-sophisticated actors.
  • It targets low-hanging fruit, like poorly secured RDP servers or people downloading pirated software.
  • Most campaigns are uncoordinated, small-scale, and poorly operationalized.

Gathering Threat Intelligence on Chaos Ransomware

Threat Intelligence plays a key role in detecting and countering Chaos ransomware. IOCs must be gathered to enable monitoring and prevention: IP addresses and domains for C2 servers, file names and hashes.

Start with searching by the malware’s name via Threat Intelligence Lookup to find an assortment of fresh public analyses and harvest IOCs for tuning your security systems.

threatName:"Chaos"

[Figure: Recent Chaos samples dissected in the sandbox]

TI Lookup also provides sandbox reports containing behavioral analysis of Chaos samples. You'll be able to see how the use of vssadmin, bcdedit, and wbadmin to remove backups, the overwriting of small files, and unusual PowerShell or script activity trigger detection of Chaos variants.


Conclusion

Chaos ransomware is a multifaceted threat that combines ransomware, RAT, and DDoS capabilities. It is a significant risk to diverse industries, particularly those with unpatched systems or sensitive data. Its ability to infiltrate networks via phishing, exploits, and fake updates, coupled with advanced evasion techniques like port-hopping and binary obfuscation, requires robust detection and response strategies.

By leveraging threat intelligence, anomaly-based detection, and proactive countermeasures like Zero Trust and chaos engineering, organizations can mitigate Chaos’s impact.

