A new version of the Chaos ransomware family, renamed “Yashma,” has been unveiled by its creator. And a chance online exchange between a ransomware perpetrator and victim provided us with new information on the origins of Chaos, and the family tree that ties it to both its Onyx and Yashma variants.
The discussion took place on the “official” Onyx ransomware leak site, where someone claiming to be the creator of the Chaos ransomware kit joined an ongoing conversation between the Onyx threat group and a recent victim. The Chaos author made the accusation that Onyx is a mere copycat, constructed with the author’s own Chaos v4.0 Ransomware Builder.
The author then promoted the current version of their Chaos ransomware line, now known as “Yashma.” The Chaos creator’s intent to call out the copycat origins of Onyx is ironic, given how the first version of Chaos originally presented itself as a .Net version of the infamous Ryuk ransomware, complete with Ryuk branding on its graphical user interface (GUI). This tactic had a vastly negative response on the underground forums that prompted the threat’s creator to quickly rebrand this new creation as “Chaos.”
Chaos/Yashma is particularly dangerous because of its flexibility and widespread availability. Distributed as a malware builder, any threat actors that purchase it can develop their own ransomware strains to target their chosen victims. This makes tracking Chaos ransomware attacks extremely difficult, as Indicators of Compromise (IOCs) can change with each sample produced by a malware builder.
See how BlackBerry prevents Yashma attacks in our demo video, which shows BlackBerry® products going head-to-head with a live sample of Yashma.