Chaos Malware: The Amalgam of Ransomware and Wiper


A new strain of malware called Chaos, still under active development, has been discovered by security researchers. It was first spotted in June 2021 and has already gone through four versions, the most recent of which was released on August 5.

According to Trend Micro security researcher Monte de Jesus, this rapid pace of development suggests that the malware may soon be ready for use in real-world attacks.

The actor promoting Chaos initially claimed that it was a .NET variant of the Ryuk ransomware, but analysis of the samples showed that it behaves more like a destructive trojan or wiper than like traditional ransomware.

“Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom,” de Jesus explained. 
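The behaviour described above has a practical consequence for incident responders: a file that is valid Base64 wrapping high-entropy bytes has been overwritten and cannot be recovered, whereas high-entropy raw bytes may be real ciphertext worth preserving in case a decryptor appears. The following triage script is an added example written for this article, not code from Trend Micro or from the malware; the 7.5 bits-per-byte entropy cut-off and the sample files are assumptions constructed for the example.

```python
import base64
import binascii
import math
import os
from collections import Counter

# A Base64-encoded blob of random bytes decodes to close to 8 bits/byte of entropy;
# text, office documents and source code sit far lower. The cut-off is an
# assumption chosen for this example, not a value taken from the Trend Micro report.
RANDOM_ENTROPY_BITS = 7.5


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strict_b64decode(data: bytes):
    """Decode only if the entire file is well-formed Base64; otherwise return None."""
    stripped = data.strip()
    if not stripped or len(stripped) % 4:
        return None
    try:
        # validate=True rejects any byte outside the Base64 alphabet.
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_file(data: bytes) -> str:
    """Classify suspect file contents.

    'wiped'     - valid Base64 wrapping high-entropy bytes: matches the
                  overwrite-with-random-bytes-then-Base64 behaviour; nothing to recover.
    'encrypted' - high-entropy raw bytes that are not Base64 text: consistent with
                  real ciphertext, so keep the file for a possible decryptor.
    'plain'     - anything else (intact, or at least not obviously destroyed).
    """
    decoded = strict_b64decode(data)
    if decoded is not None and shannon_entropy(decoded) >= RANDOM_ENTROPY_BITS:
        return "wiped"
    if shannon_entropy(data) >= RANDOM_ENTROPY_BITS:
        return "encrypted"
    return "plain"


def triage_files(files: dict) -> dict:
    """Map each filename to its classification."""
    return {name: classify_file(content) for name, content in files.items()}


# Constructed fixtures for the example (not real victim data).
def wiped_fixture(size: int = 4096) -> bytes:
    """Reproduce the described wiper output: random bytes, then Base64-encoded."""
    return base64.b64encode(os.urandom(size))


def ciphertext_fixture(size: int = 4096) -> bytes:
    """Raw random bytes standing in for the output of a real cipher."""
    return os.urandom(size)


SAMPLE_FILES = {
    "report.docx": wiped_fixture(),
    "ledger.xlsx": ciphertext_fixture(),
    "notes.txt": b"Quarterly planning notes.\n" * 100,
}

if __name__ == "__main__":
    for name, verdict in triage_files(SAMPLE_FILES).items():
        print(f"{name}: {verdict}")
```

Run it over a copy of the affected file set rather than the originals, and treat any 'encrypted' verdicts as evidence to retain; the 'wiped' verdicts tell you which files must come from backup.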

Modus operandi of Chaos Malware 

The first version of Chaos is particularly dangerous because of its worm-like functionality: it can copy itself to every removable drive attached to a compromised system. “This could permit the malware to jump onto removable drives and escape from air-gapped systems,” de Jesus said.

After installation, this first version of Chaos searched for specific file paths and extensions to target, then dropped a ransom note demanding a payment of 0.147 BTC, worth roughly $6,600 at the time.

Chaos 2.0 added the ability to delete volume shadow copies and the backup catalog and to disable Windows recovery mode, all of which hamper recovery, but it still provided no way to restore files.
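Those three recovery-tampering actions are among the most reliable early warning signs of a ransomware deployment, and they are easy to catch in process-creation telemetry. The detection below is an added example written for this article, not code from Trend Micro or from the malware. The article does not list the exact command lines Chaos uses, so the patterns are assumptions based on the commands ransomware families commonly run for these actions (vssadmin and wmic for shadow copies, wbadmin for the backup catalog, bcdedit for recovery mode); the log lines and hostnames are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Patterns for the recovery-tampering behaviours described. Assumption: these are
# the command lines typically used for each action; Chaos's exact strings are not
# given in the article.
RECOVERY_TAMPER_PATTERNS = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
        re.IGNORECASE),
    "backup_catalog_delete": re.compile(
        r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.IGNORECASE),
    "recovery_disable": re.compile(
        r"bcdedit(?:\.exe)?\s.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
        re.IGNORECASE),
}


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    technique: str
    command_line: str


def parse_event(line: str) -> dict:
    """Parse one key=value process-creation log line; quoted values may contain spaces."""
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def detect(lines) -> list:
    """Return one Alert per (event, technique) whose command line matches a pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for technique, pattern in RECOVERY_TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                alerts.append(Alert(ev.get("ts", "?"), ev.get("host", "?"),
                                    ev.get("user", "?"), technique, cmd))
    return alerts


def escalate(alerts, min_techniques: int = 2) -> dict:
    """Hosts showing at least min_techniques distinct tampering actions.

    A single shadow-copy deletion can be an admin cleaning up disk space; two or
    more of these actions on one host in quick succession is a ransomware pattern.
    """
    per_host = defaultdict(set)
    for a in alerts:
        per_host[a.host].add(a.technique)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}


# Constructed sample telemetry (Windows 4688-style process creation, flattened to
# key=value). Three tampering commands from one workstation, plus two benign events.
SAMPLE_LOG = [
    'ts=2021-08-05T10:14:02Z host=WS-07 user=CORP\\jdoe EventID=4688 '
    'Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"',
    'ts=2021-08-05T10:14:03Z host=WS-07 user=CORP\\jdoe EventID=4688 '
    'Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures '
    '& bcdedit /set {default} recoveryenabled no"',
    'ts=2021-08-05T10:14:04Z host=WS-07 user=CORP\\jdoe EventID=4688 '
    'Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c wbadmin delete catalog -quiet"',
    'ts=2021-08-05T10:15:00Z host=WS-07 user=CORP\\jdoe EventID=4688 '
    'Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows"',
    'ts=2021-08-05T10:16:00Z host=SRV-BK user=CORP\\backupsvc EventID=4688 '
    'Image="C:\\Windows\\System32\\wbadmin.exe" '
    'CommandLine="wbadmin start backup -backupTarget:E: -include:C: -quiet"',
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} {a.technique}: {a.command_line}")
    print("escalate:", escalate(found))
```

The benign events (listing shadow copies, starting a backup) produce no alerts, and the escalation step groups the three techniques on WS-07 into one high-confidence finding; in a real pipeline you would also bound the grouping by a time window.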

“However, version 2.0 still overwrote the files of its targets. Members of the forum where it was posted pointed out that victims wouldn’t pay the ransom if their files couldn’t be restored,” de Jesus added.

Version 3.0 added encryption to the mix. It could encrypt files under 1 MB in size using AES and RSA, and it shipped with a decryptor builder.

The latest version of Chaos, released on August 5, raised the encryption limit to files of up to 2 MB in size. It also lets operators append a custom file extension of their own choosing to the encrypted files.

According to a recent mid-year report from SonicWall, ransomware has been growing at a rapid pace in 2021, with global attack volume in the first half of the year up compared to the same period the previous year.

“In our view, the Chaos ransomware builder is still far from being a finished product since it lacks features that many modern ransomware families possess, such as the ability to collect data from victims that could be used for further blackmail if the ransom is not paid. In the hands of a malicious actor who has access to malware distribution and deployment infrastructure, it could cause great damage to organizations,” de Jesus concluded.