Chaos Malware Walks Line Between Ransomware and Wiper


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
An under-construction malware called Chaos has been spotted, which is being advertised on an underground forum as being available for testing. While it calls itself ransomware, an analysis revealed that it’s actually more of a wiper.

According to Trend Micro researcher Monte de Jesus, Chaos has been around since June, and has already cycled through four different versions, with the last one being released on August 5. This rapid development could mean that it will soon be ready for primetime, but so far it hasn’t been used in actual attacks, he said.

Chaos started out purporting to be a .NET version of the Ryuk ransomware – a ruse it went all in on, complete with Ryuk branding on its GUI. However, de Jesus said that looking under the hood of its first version reveals very little of this supposed heritage. Instead, the sample is “more akin to a destructive trojan than to traditional ransomware,” he noted, in a Tuesday analysis.

He added, “Instead of encrypting files (which could then be decrypted after the target paid the ransom), it replaced the files’ contents with random bytes, after which the files were encoded in Base64. This meant that affected files could no longer be restored, providing victims no incentive to pay the ransom.”

“One of the more interesting functions of Chaos version 1.0 was its worming function, which allowed it to spread to all drives found on an affected system,” de Jesus wrote. “This could permit the malware to jump onto removable drives and escape from air-gapped systems.”