{
	"id": "bacafe90-aa00-44ce-8154-2a6fc18e6193",
	"created_at": "2026-04-06T00:17:25.642517Z",
	"updated_at": "2026-04-10T03:19:59.619265Z",
	"deleted_at": null,
	"sha1_hash": "47cc5626b8dbfaf1edd150c7e4973a624b62cddf",
	"title": "Chaos ransomware v4",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 473712,
	"plain_text": "Chaos ransomware v4\r\nBy Brian Stadnicki\r\nPublished: 2022-02-14 · Archived: 2026-04-05 18:51:55 UTC\r\nThe Chaos ransomware is fairly new, first appearing in June 2021 as a builder offered on multiple darknet forums and marketplaces. It doesn’t appear to have been involved in any significant incidents yet (a few Minecraft players don’t count). Unsurprisingly, therefore, the wallet in this sample has not received a single transaction.\r\nIt isn’t very complicated and is most likely a simple proof-of-concept ransomware: a 32-bit .NET executable with the ransom wallpaper base64-encoded inside it and no obfuscation of names at all.\r\nThe execution process is as follows:\r\n- Make sure only one copy is running\r\n- If not running from the temp folder, wait 10 seconds (anti-virus evasion)\r\n- If not running as admin, copy itself to the roaming folder and run\r\n- Add itself to the startup folder\r\n- Delete itself, copy itself to the roaming folder and run\r\n- Look for directories to encrypt (drives other than C:\\ and common user directories)\r\n- Recursively encrypt the files with the targeted file extensions and add a random file extension:\r\n  - Files up to 2.2 MB are AES encrypted\r\n  - Files over 200 MB are partly overwritten with random bytes\r\n  - Files in between are randomly overwritten\r\n  - Write a ransom note read_it.txt to the directory\r\n- If running as admin:\r\n  - Delete backups\r\n  - Disable recovery modes\r\n  - Delete the backup catalog (the record of where backups are)\r\n- Spread to external drives by copying itself to drives which aren’t C:\\\r\n- Drop the ransom message and open it in Notepad\r\n- Set the wallpaper\r\n- Replace any Bitcoin addresses in the clipboard\r\nSample: d9771a04128e50870a96bc7ac8605982205011b723810a04a3411a1ac7eba05d\r\nNames:\r\nsurprise.exe\r\nsvchost.exe\r\nread_it.txt\r\nRansom message:\r\nFirst of all, sorry. It's just business.\r\nAll your files have been encrypted. All your documents are unavailable.\r\nThe encryption was done using a secret key designed by our company.\r\nIn order to decrypt your files you must buy an exclusive key from us.\r\nDo not reset or shutdown - files may be damaged.\r\nDo not rename or move encrypted files - they may be lost forever.\r\nDo not try to delete readme files - files may be damaged.\r\nPlease send $150k in Bitcoin to the following wallet: bc1qp94vpfjgm6z7fvcsa43cymjpyytweqjju9u7dp\r\nIf you do not own Bitcoin yet, we suggest a quick Google search.\r\nAfter 24 hours the payment will double. After 48 hours files will be deleted.\r\nIf you have a proposal within 2 hours you will get a discount, minimizing this tragic event so you can get back\r\nPlease contact us via email: sorryitsjustbusiness@protonmail.com\r\nFile extensions infected:\r\n.txt, .jar, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .mka, .mhtml, .oqy, .png, .csv, .py,\r\n.sql, .mdb, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .xla, .cub, .dae, .indd, .cs, .mp3, .mp4, .dwg, .zip, .rar,\r\n.mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .dib, .dic, .dif, .divx, .iso, .7zip, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .jpeg,\r\n.xz, .mpeg, .torrent, .mpg, .core, .pdb, .ico, .pas, .db, .wmv, .swf, .cer, .bak, .backup, .accdb, .bay, .p7c, .exif, .vss,\r\n.raw, .m4a, .wma, .flv, .sie, .sum, .ibank, .wallet, .css, .js, .rb, .crt, .xlsm, .xlsb, .7z, .cpp, .java, .jpe, .ini, .blob,\r\n.wps, .docm, .wav, .3gp, .webm, .m4v, .amv, .m4p, .svg, .ods, .bk, .vdi, .vmdk, .onepkg, .accde, .jsp, .json, .gif,\r\n.log, .gz, .config, .vb, .m1v, .sln, .pst, .obj, .xlam, .djvu, .inc, .cvs, .dbf, .tbi, .wpd, .dot, .dotx, .xltx, .pptm, .potx,\r\n.potm, .pot, .xlw, .xps, .xsd, .xsf, .xsl, .kmz, .accdr, .stm, .accdt, .ppam, .pps, .ppsm, .1cd, .3ds, .3fr, .3g2, .accda,\r\n.accdc, .accdw, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .arw, .ascx, .asm, .asmx, .avs, .bin, .cfm, .dbx, .dcm, .dcr,\r\n.pict, .rgbe, .dwt, .f4v, .exr, .kwm, .max, .mda, .mde, .mdf, .mdw, .mht, .mpv, .msg, .myi, .nef, .odc, .geo, .swift,\r\n.odm, .odp, .oft, .orf, .pfx, .p12, .pl, .pls, .safe, .tab, .vbs, .xlk, .xlm, .xlt, .xltm, .svgz, .slk, .tar.gz, .dmg, .ps, .psb,\r\n.tif, .rss, .key, .vob, .epsp, .dc3, .iff, .onepkg, .onetoc2, .opt, .p7b, .pam, .r3d\r\nSource: https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://brianstadnicki.github.io/posts/malware-chaos-ransomware-v4/"
	],
	"report_names": [
		"malware-chaos-ransomware-v4"
	],
	"threat_actors": [],
	"ts_created_at": 1775434645,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/47cc5626b8dbfaf1edd150c7e4973a624b62cddf.pdf",
		"text": "https://archive.orkl.eu/47cc5626b8dbfaf1edd150c7e4973a624b62cddf.txt",
		"img": "https://archive.orkl.eu/47cc5626b8dbfaf1edd150c7e4973a624b62cddf.jpg"
	}
}