Recently, a new cracked version of Chaos Ransomware builder was leaked on several underground forums and telegram groups in the first weeks of April,2022.

Image 1: Screenshot from an underground forum

Now, when Chaos ransomware was first spotted on such underground forums, it was advertised as the .NET version of the notorious Ryuk ransomware. Due to bad press, the ransomware author decided to remove any “RYUK” branding from its GUI, however, in this variant, we still see some references being made to “RYUK” ransomware.

Image 2: References to RYUK ransomware

This is the fifth iteration of the Chaos Ransomware, so let’s go over important features the author has added.

Image 3: GUI for the builder

The GUI of the builder gives basic options to customize the ransomware. The most basic ones being the ability to change the file extension after encrypting and specify the process name under which the ransomware will run. Looking over at other options, threat actors can add/delete file extensions they want to target.

Image 4: File extensions

Moving on to the Advanced options present in the builder, there are options to disable task manager and the option to delete all volume shadow copies (backup) making it harder to retrieve the encrypted files after the ransomware is executed on the machine.

Image 5: Advanced Options in GUI

AES/RSA encryption algorithm is used for encryption. This algorithm is not suitable for files greater than 1 GB. Even though the binary has a function named AES_Encrypt_Large its functionality is to just delete files more than 1 GB. It overwrites the content with ‘?’ symbol and then deletes it. Victim won’t be able to use file recovery applications, as it was overwritten and then deleted.

Image 6: AES encryption


Image 7: AES_Encrypt_Large

The authors of Chaos “ransomware” have the usual exclusion list for critical files in the C directory so that the machine still functions properly after the infection.

Image 8: checkDirContains function

As we saw earlier, Chaos has the ability to disable Task Manager by modifying the group policy using registry and deleted shadow copies of backups and disables recovery by executing commands (as seen in Image 9,10,11).

Image 9: DisableTaskManager()


Image 10: deleteShadowCopies()


Image 11: disableRecoveryMode()


Since, Chaos has the ability to encrypt files using AES/RSA encryption, it also comes with its own decryptor. A pair of public/private keys along with the decryptor is also dropped.

Image 12: Chaos decrypter

Running the decrypter, it does indeed decrypt the files as seen in image 13 but larger files will not be able to be recovered since they are already overwritten and the original file is deleted.

Image 13: GUI of decrypter

The authors of Chaos ransomware are publishing new iterations every other month. At this stage, Chaos lacks the ability to exfiltrate data but by seeing their progress so far, it is not hard to assume that they would add this functionality in the next variants.

Indicators Of Compromise

Hash Name Detection Name
02A37759BD104561F7730225388526FA Chaos Ransomware v5.2 Riskware ( 0058c5aa1)
de1dd46f1db579b973d83f19b9b56e46 Chaos Ransomware v4 Riskware ( 0058b2cc1 )


Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Bringing Chaos into the world: Chaos Ransomware”