A new strain of malware known as Chaos was spotted on an underground forum. The malware is advertised as ransomware and is still in development. It has been in development since June, is available for testing now, and could be ready to hit the wild soon.
Called Chaos, it was first spotted in June and has already gone through four versions, according to security researcher Monte de Jesus. Chaos hasn’t been used in actual attacks yet.
It was initially said Chaos was a .NET version of Ryuk ransomware. However, according to the security researcher, this sample inherited very little from Ryuk and is more like a destructive trojan or wiper than traditional ransomware.
Instead of encrypting files, it replaces their contents with random bytes that are then Base64-encoded, which means that they could not be restored even if the victims paid the ransom.
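For incident responders, the practical question after a Chaos hit is whether affected files were overwritten (1.0/2.0: random bytes, Base64-encoded, no key, nothing to recover) or actually encrypted (3.0/4.0). The following is an added triage example, not the researcher's or the malware author's code; the entropy threshold and the constructed sample files are assumptions.

```python
import base64
import math
import os
import re

# Standard Base64 alphabet with optional '=' padding.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; uniformly random data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_contents(blob: bytes, entropy_threshold: float = 7.0) -> str:
    """Triage label for one file body.

    'base64-wiped'        : a Base64 string that decodes to high-entropy bytes,
                            the 1.0/2.0 overwrite pattern; unrecoverable.
    'high-entropy-binary' : raw high-entropy bytes, consistent with AES/RSA
                            output from 3.0/4.0; recovery depends on the key.
    'plain'               : neither pattern; most likely untouched.
    """
    body = blob.strip()
    if _B64_RE.match(body) and len(body) % 4 == 0:
        decoded = base64.b64decode(body, validate=True)
        if shannon_entropy(decoded) >= entropy_threshold:
            return "base64-wiped"
    if shannon_entropy(blob) >= entropy_threshold:
        return "high-entropy-binary"
    return "plain"


def triage_samples() -> dict:
    """Classify three constructed samples (assumed, not real incident data)."""
    samples = {
        "wiped.txt": base64.b64encode(os.urandom(4096)),   # 1.0/2.0 style
        "encrypted.bin": os.urandom(4096),                 # 3.0/4.0 style
        "doc.txt": b"Quarterly report: revenue grew 4%.\n" * 40,
    }
    return {name: classify_contents(data) for name, data in samples.items()}
```

Run over a directory of affected files, the labels tell you up front which files no decryptor could ever bring back.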
One of the most interesting features of the Chaos 1.0 release was its worming function, which allowed it to spread to all removable drives on an affected system. “This could permit the malware to jump onto removable drives and escape from air-gapped systems,” de Jesus said.
This first version of Chaos tried to infect various files and extensions and left a ransomware note, which demanded .147 Bitcoin.
The second version included a number of new advanced features, such as the ability to add administrator privileges, disable Windows recovery, and delete all volume shadow copies and the backup catalog.
“However, version 2.0 still overwrote the files of its targets,” de Jesus said in an analysis. “Members of the forum where it was posted pointed out that victims wouldn’t pay the ransom if their files couldn’t be restored.”
In version 3.0, the developer added encryption. It could now encrypt files under 1 MB using AES/RSA encryption and featured a decryptor.
In early August, the fourth version of Chaos was released, which expanded its encryption feature to files of up to 2 MB in size. It also allows operators to append their own extensions to encrypted files.
The Chaos ransomware is still in its early stages, and new versions are likely to be released in the near future. Among its shortcomings, the researcher cites its lack of data-exfiltration capabilities.
For now, Chaos is a proof-of-concept malware that can wipe out all files in an infected system.
“In the hands of a malicious actor who has access to malware distribution and deployment infrastructure, it could cause great damage to organizations,” de Jesus concluded.