Chaos Ransomware Operator Gives Up Decryption Tool for Free



The SonicWall CaptureLabs threat research team have been recently tracking ransomware created using the Chaos ransomware builder.  The builder appeared in June 2021 and has been used by many operators to infect victims and demand payment for file retrieval.  The sample we analyzed lead us to a conversation with the operator who freely gave up the decryptor program.

Infection Cycle

Upon initial infection, files on the system are encrypted and given a random filename extension made up of 4 alphanumeric characters:

Figure 1: Encrypted files

hahaha.txt is written to all directories containing encrypted files.  It contains the following message:

Figure 2: Ransom note

The code is written in .NET and easy to decompile using an open source decompiler.

The decompiled code shows a list of target directories:

Figure 3: Targeted directories

It contains a list of file extensions to target:

Figure 4: Targeted file extensions

It disables system recovery modes and deletes shadow copies and system backups:

Figure 5: Disabling system recovery

An image is embedded in the executable file and is base64 encoded:

Figure 6: Image base64 encoded

Figure 7: Converting image from base64

After base64 decoding, the following image is displayed on the desktop background:

Figure 8: Ransom desktop image

The ransom note states “pls write to discord kakoy_to_chel_ on discord”. We contacted the operator on discord and had the following conversation:

Figure 9: Initial conversation with operator contains the following files:

Figure 10: Contents of zip file

It contains the private key for decrypting files:

Figure 11: Private key for decryptor

We ask the operator why they created the malware but their intentions are unclear:

Figure 12: Conversation with operator continued

Figure 13: Asking the operator about their reason for creating the malware

The operator confirms that Chaos ransomware builder was used to create the malware:

Figure 14: The operator confirms the use of the Chaos Ransomware Builder

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Chaos.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.


Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.