{
	"id": "b3b7ebaf-b951-44ee-8425-180e281edde7",
	"created_at": "2026-04-06T00:10:10.049152Z",
	"updated_at": "2026-04-10T03:22:12.85005Z",
	"deleted_at": null,
	"sha1_hash": "5e125831b690a7d3f609f3328feb5c606337de70",
	"title": "Chaos Ransomware: A Proof of Concept With Potentially Dangerous Applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 527080,
	"plain_text": "Chaos Ransomware: A Proof of Concept With Potentially Dangerous\r\nApplications\r\nBy: Monte de Jesus, Don Ovid Ladores Aug 10, 2021 Read time: 3 min (853 words)\r\nPublished: 2021-08-10 · Archived: 2026-04-05 16:08:57 UTC\r\nRansomware\r\nSince June 2021, we’ve been monitoring an in-development ransomware builder called Chaos, which is being offered for\r\ntesting on an underground forum. While it’s purportedly a .NET version of Ryuk, closer examination of the sample reveals\r\nthat it doesn’t share much with the notorious ransomware. In fact, early versions of Chaos, which is now in its fourth\r\niteration, were more akin to a destructive trojan than to traditional ransomware.\r\nIn this blog entry, we take a look at some of the characteristics of the Chaos ransomware builder and how its iterations added\r\nnew capabilities.\r\nEvolution of the Chaos ransomware builder\r\nChaos has undergone rapid evolution from its first version to its current iteration: version 1.0 was released on June 9,\r\nversion 2.0 on June 17, version 3.0 on July 5, and version 4.0 on Aug. 5.\r\nFigure 1. The GUI of Chaos version 1.0\r\nThe most notable characteristic of the first version of the Chaos builder was that, despite the Ryuk branding in its GUI, it\r\nhad little in common with that ransomware. In fact, it wasn’t traditional ransomware at all, but a destructive trojan. Instead\r\nof encrypting files (which could then be decrypted after the target paid the ransom), it overwrote each file’s contents with\r\nrandom bytes and then Base64-encoded the result. Because no key was ever involved, affected files could not be restored by\r\nanyone, including the attacker, which gave victims no incentive to pay.\r\nIt did, however, display certain characteristics found in other ransomware families. 
For example, it searched the following\r\nfile paths and extensions to infect:\r\n\\\\Contacts\r\n\\\\Desktop\r\n\\\\Documents\r\n\\\\Downloads\r\n\\\\Favorites\r\n\\\\Links\r\n\\\\Music\r\n\\\\OneDrive\r\n\\\\Pictures\r\n\\\\Saved Games\r\n\\\\Searches\r\n\\\\Videos\r\n.3gp\r\n.7z\r\n.7-zip\r\n.accdb\r\n.ace\r\n.amv\r\n.apk\r\n.arj\r\n.asp\r\n.aspx\r\n.avi\r\n.backup\r\n.bak\r\n.bay\r\n.bk\r\n.blob\r\n.bmp\r\n.bz2\r\n.cab\r\n.cer\r\n.contact\r\n.core\r\n.cpp\r\n.crt\r\n.cs\r\n.css\r\n.csv\r\n.dat\r\n.db\r\n.dll\r\n.doc\r\n.docm\r\n.docx\r\n.dwg\r\n.exif\r\n.flv\r\n.gzip\r\n.htm\r\n.html\r\n.ibank\r\n.ico\r\n.ini\r\n.iso\r\n.jar\r\n.java\r\n.jpe\r\n.jpeg\r\n.jpg\r\n.js\r\n.json\r\n.jsp\r\n.lnk\r\n.lzh\r\n.m4a\r\n.m4p\r\n.m4v\r\n.mdb\r\n.mkv\r\n.mov\r\n.mp3\r\n.mp4\r\n.mpeg\r\n.mpg\r\n.ods\r\n.odt\r\n.p7c\r\n.pas\r\n.pdb\r\n.pdf\r\n.php\r\n.png\r\n.ppt\r\n.pptx\r\n.psd\r\n.py\r\n.rar\r\n.rb\r\n.rtf\r\n.settings\r\n.sie\r\n.sql\r\n.sum\r\n.svg\r\n.tar\r\n.txt\r\n.vdi\r\n.vmdk\r\n.wallet\r\n.wav\r\n.webm\r\n.wma\r\n.wmv\r\n.wps\r\n.xls\r\n.xlsb\r\n.xlsm\r\n.xlsx\r\n.xml\r\n.xz\r\n.zip\r\nIt then dropped a ransom note named read_it.txt, demanding a rather sizeable ransom in bitcoin.\r\nFigure 2. A ransom note dropped by Chaos\r\nOne of the more interesting functions of Chaos version 1.0 was its worming function, which allowed it to spread to all drives\r\nfound on an affected system. This could permit the malware to jump onto removable drives and escape from air-gapped\r\nsystems.\r\nFigure 3. 
Code showing the worming function\r\nThe second version of Chaos added advanced options for administrator privileges, the ability to delete all volume shadow\r\ncopies and the backup catalog, and the ability to disable Windows recovery mode.\r\nHowever, version 2.0 still overwrote its targets’ files rather than encrypting them. Members of the forum where it was posted\r\npointed out that victims wouldn’t pay the ransom if their files couldn’t be restored.\r\nFigure 4. The GUI of Chaos version 2.0\r\nWith version 3.0, the Chaos ransomware builder gained the ability to encrypt files under 1 MB using AES/RSA encryption,\r\nbringing it more in line with traditional ransomware. It also came with its own decrypter builder.\r\nFigure 5. The GUI of Chaos version 3.0\r\nFigure 6. The advanced options for Chaos version 3.0, including the option to encrypt files via the AES/RSA\r\nmethod and the decrypter builder function\r\nThe fourth iteration of Chaos extends the AES/RSA encryption by raising the size limit for files that can be encrypted\r\nto 2 MB. In addition, it gives the builder’s users the ability to append their own extension to affected files and to\r\nchange the victim’s desktop wallpaper.\r\nFigure 7. The advanced options for Chaos version 4.0, including the option to change desktop wallpapers\r\nA proof of concept that could be dangerous in the wrong hands\r\nWe haven’t seen any active infections or victims of the Chaos ransomware. 
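For a responder this version history has a practical consequence: a file hit by v1 or v2 is random bytes wrapped in Base64 and cannot be recovered by anyone, while a file hit by v3 or v4 is AES/RSA ciphertext that the builder’s decrypter could in principle restore. The triage script below is an added example and not code from this post or from the Chaos builder; it tells the two cases apart with a strict Base64 decode followed by a Shannon-entropy estimate, and checks each filename against the v1 extension list above. The 7.5 bits/byte threshold, the 256-byte minimum, and the sample files are assumptions constructed for the example.

```python
import base64
import binascii
import math
import random
from collections import Counter
from pathlib import PurePath

# Representative subset of the extensions the post lists as Chaos v1 targets.
TARGETED_EXTENSIONS = {
    '.7z', '.accdb', '.bak', '.db', '.doc', '.docx', '.jpg', '.mdb', '.pdf',
    '.png', '.pptx', '.sql', '.txt', '.vmdk', '.wallet', '.xlsx', '.zip',
}

# Assumptions, not figures from the post: bytes with at least 7.5 bits/byte of
# Shannon entropy are treated as random or encrypted, and bodies shorter than
# 256 bytes are too small for the entropy estimate to mean anything.
HIGH_ENTROPY_BITS = 7.5
MIN_BODY_LEN = 256


def shannon_entropy(data: bytes) -> float:
    '''Bits of entropy per byte; uniformly random bytes approach 8.0.'''
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def is_targeted(path: str) -> bool:
    '''True if the extension is one the Chaos v1 builder searched for.'''
    return PurePath(path).suffix.lower() in TARGETED_EXTENSIONS


def strict_b64decode(data: bytes):
    '''Decoded bytes if data is well-formed Base64, otherwise None.'''
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_contents(data: bytes) -> str:
    '''
    Classify one file body from a suspected Chaos victim.
      destroyed - well-formed Base64 wrapping high-entropy bytes: the v1/v2
                  pattern (random bytes, then Base64). No key exists, so the
                  original content is gone.
      encrypted - raw high-entropy bytes with no Base64 wrapper: consistent
                  with the v3/v4 AES/RSA path, where a decrypter could apply.
      intact    - anything else.
    '''
    decoded = strict_b64decode(data)
    if decoded is not None and len(decoded) >= MIN_BODY_LEN and shannon_entropy(decoded) >= HIGH_ENTROPY_BITS:
        return 'destroyed'
    if len(data) >= MIN_BODY_LEN and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
        return 'encrypted'
    return 'intact'


def triage(files: dict) -> dict:
    '''Map filename -> (classification, whether the extension was a v1 target).'''
    return {name: (classify_contents(body), is_targeted(name)) for name, body in files.items()}


def build_samples() -> dict:
    '''Constructed inputs for the example, not real victim files.'''
    rng = random.Random(2021)
    random_body = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        # untouched document: low entropy, not Base64
        'notes.txt': b'Meeting notes for the quarterly review. Action items below. ' * 80,
        # v1/v2 victim: contents replaced by random bytes, then Base64-encoded
        'invoice.pdf': base64.b64encode(random_body),
        # stand-in for v3/v4 output: random bytes play the role of AES ciphertext
        'ledger.xlsx': bytes(rng.getrandbits(8) for _ in range(4096)),
        # extension the v1 builder did not search for
        'archive.old': b'plain text in an untargeted extension ' * 40,
    }


if __name__ == '__main__':
    for name, (verdict, targeted) in triage(build_samples()).items():
        print(name, verdict, 'targeted' if targeted else 'not targeted')
```

Already-compressed formats such as .zip, .7z and .jpg have high entropy when intact, so an encrypted verdict on those should be confirmed with a magic-byte check before anyone concludes a key is needed; random bytes stand in for AES output here because the example has no ciphertext from the builder. None of this changes the observation that no real infections had been seen at the time of writing.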
However, in the hands of a malicious actor who\r\nhas access to malware distribution and deployment infrastructure, it could cause great damage to organizations.\r\nIn our view, the Chaos ransomware builder is still far from being a finished product since it lacks features that many modern\r\nransomware families possess, such as the ability to exfiltrate victim data for use as further leverage if the ransom is not\r\npaid.\r\nIndicators of compromise\r\nThe following are the hashes and our detections for the different Chaos ransomware builder versions:\r\nSHA-256 | Detection | TrendX detection\r\n0d8b4a07e91e02335f600332644e8f0e504f75ab19899a58b2c85ecb0887c738 | Trojan.MSIL.FAKERYUKBUILD.THFAFBA | N/A\r\n325dfac6172cd279715ca8deb280eefe3544090f1583a2ddb5d43fc7fe3029ed | Trojan.MSIL.FAKERYUKBUILDER.AA | Ransom.Win32.TRX\r\n63e28fc93b5843002279fc2ad6fabd9a2bc7f5d2f0b59910bcc447a21673e6c7 | Trojan.MSIL.FAKERYUKBUILDER.AA | Ransom.Win32.TRX\r\nf2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77 | Trojan.MSIL.FAKERYUKBUILD.THFAFBA | N/A\r\nWe also proactively detect the following components:\r\nDetection | Note\r\nRansom.MSIL.CHAOSBUILDER.SMYPBHET | Chaos ransomware builder and decrypter\r\nRansom.MSIL.CHAOS.SMYPBHET | Main Chaos ransomware executable\r\nPUA.MSIL.CHAOS.SMYPBHET.decryptor | Chaos ransomware decrypter\r\nSource: https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html"
	],
	"report_names": [
		"chaos-ransomware-a-dangerous-proof-of-concept.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e125831b690a7d3f609f3328feb5c606337de70.pdf",
		"text": "https://archive.orkl.eu/5e125831b690a7d3f609f3328feb5c606337de70.txt",
		"img": "https://archive.orkl.eu/5e125831b690a7d3f609f3328feb5c606337de70.jpg"
	}
}