Chaos Ransomware Upgrades With Aggressive New C++ Variant

Chaos ransomware has gotten a significant facelift with an "aggressive" new variant that adds destructive tactics and clipboard hijacking for cryptocurrency theft, as well as other capabilities to bolster its operations for speed and effectiveness.

Researchers from FortiGuard Labs have identified a new version of Chaos ransomware written in C++, the first not written in .NET, they revealed in a report published Wednesday. This evolution also introduces a host of new features that make the ransomware harder to disrupt once it's in execution, as well as more destructive than previous versions.

"This evolution underscores Chaos's shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims," FortiGuard researcher Yen-Ting Lee wrote in the report.

Specifically, Chaos-C++ adds a new encryption feature that uses a combination of methods rather than full file encryption, including the destruction of very large files by deleting their contents rather than encrypting them.

"This method increases efficiency by reducing processing time and enabling faster attacks across large volumes of data," Lee wrote. 

Another key feature of the new variant is "a sophisticated clipboard hijacking mechanism" that switches copied Bitcoin addresses with the attacker's wallet. "This dual strategy of destructive encryption and covert financial theft underscores Chaos' transition into a more aggressive and multifaceted threat designed to maximize financial gain," Lee observed.

Evolving Chaos

Chaos is a ransomware-as-a-service operation that first emerged in July. It is likely composed of members of the former BlackSuit ransomware gang, according to Cisco Talos, which first profiled the group. The operation specializes in big-game hunting and double-extortion attacks, in which it both encrypts victim files and exfiltrates data for potential leaking.

The objectives of the new C++ version of Chaos appear to be faster and more successful execution and encryption to achieve financial goals, according to FortiGuard Labs, which provided a detailed technical analysis in its report.

The variant waits 15 seconds after execution to begin enumerating target files, likely to avoid sandbox analysis and decrease chances of detection, Lee said. The enumeration process starts with user directories, such as Desktop, Documents, and Downloads, before expanding its search to other available drives.

It's when the encryption process starts that Chaos-C++ gets very specific and demonstrates new sophistication compared to previous incarnations, Lee explained. Once potential targets are identified, Chaos-C++ evaluates each file based on its size to determine the appropriate action. Files smaller than 50MB get fully encrypted; files between 50MB and 1.3GB get skipped and left untouched, "possibly to reduce encryption time or avoid detection on large files commonly included in backups," he wrote.

When a file is more than 1.3GB in size, it gets deleted. "This unusual tactic causes irreversible data loss, particularly affecting archives, databases, and backups," Lee wrote.

It's an unusual move, Lee said, because ransomware gangs typically don't delete files: once the data is unrecoverable, victims have no incentive to pay. This could jeopardize Chaos's double-extortion strategy if an organization no longer sees recovering its files as a reason to negotiate.
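To translate the size-based triage above into an exposure estimate, the following added example (not code from the report or from the malware) walks a file inventory and buckets each file into the action the variant is reported to take, listing the files that would be deleted outright. It assumes decimal MB/GB and treats the two boundary values as belonging to the "skip" band; the sample inventory is constructed.

```python
import os
from dataclasses import dataclass, field

# Thresholds reported for Chaos-C++. Decimal units are an assumption.
MB = 1_000_000
GB = 1_000_000_000
ENCRYPT_BELOW = 50 * MB       # smaller than this: fully encrypted
DELETE_ABOVE = int(1.3 * GB)  # larger than this: deleted, not encrypted


def classify(size_bytes: int) -> str:
    """Map a file size to the reported action: encrypt, skip, or delete."""
    if size_bytes < ENCRYPT_BELOW:
        return "encrypt"
    if size_bytes > DELETE_ABOVE:
        return "delete"
    return "skip"  # 50MB..1.3GB band is left untouched


@dataclass
class Exposure:
    count: dict = field(default_factory=lambda: {"encrypt": 0, "skip": 0, "delete": 0})
    total_bytes: dict = field(default_factory=lambda: {"encrypt": 0, "skip": 0, "delete": 0})
    would_delete: list = field(default_factory=list)


def assess(entries) -> Exposure:
    """entries: iterable of (path, size_bytes). Summarise what the variant would do."""
    ex = Exposure()
    for path, size in entries:
        action = classify(size)
        ex.count[action] += 1
        ex.total_bytes[action] += size
        if action == "delete":
            ex.would_delete.append(path)
    return ex


def walk_sizes(root):
    """Yield (path, size) for regular files under root; symlinks are not followed."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                yield p, os.path.getsize(p)


# Constructed sample inventory; no real files are touched.
SAMPLE = [
    ("C:/Users/a/Documents/report.docx", 2 * MB),
    ("C:/Users/a/Downloads/image.iso", 900 * MB),
    ("C:/Backups/full-2025.vhdx", 40 * GB),
]

if __name__ == "__main__":
    result = assess(SAMPLE)
    print(result.count, result.would_delete)
```

Run it against `walk_sizes("/path/to/share")` instead of `SAMPLE` to see which large archives, databases, and backup images would be lost rather than encrypted.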

Crypto-Stealing Capability

The clipboard hijacking capability of Chaos-C++, which was not observed in earlier variants of the ransomware, allows it to redirect Bitcoin payments to attackers.

The feature validates potential Bitcoin addresses by checking their length (26–64 characters) and prefix. Once it identifies a valid address, Chaos-C++ replaces it with a hardcoded attacker-controlled Bech32 Bitcoin wallet.

The replacement process is implemented via the Windows Clipboard API, where Chaos-C++ copies the attacker's wallet string into the targeted system's memory, clears the clipboard, and then injects the attacker's address using SetClipboardData().

Overall, the feature acts to ensure that "any attempted Bitcoin payment is silently redirected to the attacker, regardless of the intended recipient's identity," Lee wrote. Further, if the victim tries to rescue a wallet, "the transaction might be sent to the attacker by mistake," he added.
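The clipboard-swap behaviour described above has a recognisable shape from the defender's side: a Bitcoin-looking address is replaced by a different one almost immediately after it is copied. The following added detection example (not code from the report, and not the malware's own logic) applies the same length-and-prefix address check the report describes to a sequence of clipboard snapshots and flags such transitions. The prefix set, character-class checks and the two-second window are assumptions; the timeline is constructed and the two addresses are the well-known example addresses from Bitcoin documentation, not real wallets.

```python
import re
from dataclasses import dataclass

# Address shape checks modelled on what the report says is validated:
# 26-64 characters plus a recognised prefix (assumed: legacy "1"/"3", bech32 "bc1").
BASE58 = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")
BECH32 = re.compile(r"^bc1[02-9ac-hj-np-z]{11,61}$")  # bech32 charset omits 1, b, i, o


def looks_like_btc_address(text: str) -> bool:
    s = text.strip()
    if not 26 <= len(s) <= 64:
        return False
    return bool(BASE58.match(s) or BECH32.match(s.lower()))


@dataclass(frozen=True)
class Swap:
    at: float
    original: str
    replacement: str


def detect_swaps(snapshots, window_s: float = 2.0):
    """snapshots: ordered iterable of (time_s, clipboard_text).

    Flags a transition where one BTC-looking address becomes a different one
    within window_s seconds, the signature of a clipper rewriting the clipboard
    right after the user copied an address.
    """
    swaps = []
    prev_t, prev_txt = None, None
    for t, txt in snapshots:
        if (prev_txt is not None and txt != prev_txt
                and looks_like_btc_address(prev_txt)
                and looks_like_btc_address(txt)
                and t - prev_t <= window_s):
            swaps.append(Swap(t, prev_txt.strip(), txt.strip()))
        prev_t, prev_txt = t, txt
    return swaps


# Constructed clipboard timeline using documentation example addresses.
TIMELINE = [
    (0.0, "invoice #1234"),
    (1.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),           # user copies a legacy address
    (1.2, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # silently replaced by a bech32 one
    (9.0, "hello"),
]

if __name__ == "__main__":
    for s in detect_swaps(TIMELINE):
        print(f"t={s.at}: {s.original} -> {s.replacement}")
```

On a live host the snapshots would come from polling the clipboard (for example with a small PowerShell or ctypes loop); a flagged swap is a reason to isolate the machine and compare the pasted address against the one the user intended.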

Identifying and Defending Against Chaos

The existence of Chaos ransomware and its continued evolution demonstrates how ransomware actors persist and even join forces with new and advanced malware and operations even as law enforcement continues to hunt down and disrupt key players in the threat landscape.

Moreover, given the indications seen in its encryption and accompanying file-deletion strategy, it's possible that in the future Chaos will begin to act "more like a wiper than traditional ransomware," which could be even more devastating to potential victims, Lee noted.

FortiGuard Labs and Fortinet solutions already detect Chaos ransomware samples with the following AV signatures: W64/Filecoder.XM!tr.ransom, W64/Filecoder.MLKGEBH!tr.ransom, and W64/Imps.1!tr.ransom. Other AV solutions should also incorporate these signatures into their service to ensure protection against the new variant.

The report also includes a list of indicators of compromise (IoCs) that defenders can use to detect the presence of the new Chaos variant on their systems.