Chaos ransomware explained: A rapidly evolving threat

The Chaos ransomware builder started out last year as a buggy and unconvincing impersonation of the notorious Ryuk ransomware kit. It has since gone through active development and rapid improvements that have convinced different attacker groups to adopt it. The latest version, dubbed Yashma, was first observed in the wild in mid-May and contains several enhancements.

One successful ransomware operation known as Onyx hit U.S.-based emergency services, medical facilities and organizations from several other industries over the past year. It uses a variation of the Chaos ransomware, according to security researchers.

“What makes Chaos/Yashma dangerous going forward is its flexibility and its widespread availability,” researchers from BlackBerry said in a new report. “As the malware is initially sold and distributed as a malware builder, any threat actor who purchases the malware can replicate the actions of the threat group behind Onyx, developing their own ransomware strains and targeting chosen victims.”

Chaos ransomware’s humble beginnings and aggressive marketing

The Chaos ransomware builder appeared around June 2021 under the name Ryuk .NET Ransomware Builder v1.0. A builder is a closed-source program that malware authors provide to their customers; it lets them customize the malware and generate a malicious binary with the chosen properties. This allows different cybercriminal groups that have acquired the same malware program to use different command-and-control servers, for example, or to customize their malware for each victim.

Despite the name, the Ryuk .NET Ransomware Builder had nothing to do with the Ryuk ransomware program that has infected hundreds of organizations worldwide since 2018. Ryuk is the creation of a group tracked in the security industry as Wizard Spider, which is believed to be responsible for the creation of Ryuk’s successor, called Conti, as well as the TrickBot botnet.

According to the BlackBerry researchers, when the Ryuk .NET Ransomware Builder was first promoted on underground forums, the reception from cybercriminals was negative. Many didn’t appreciate the false advertising using Ryuk’s name, especially since the ransomware created by the builder lacked many features and acted as a file wiper.

Copyright © 2022 IDG Communications, Inc.
