{
	"id": "da086e32-d03a-4eac-ab75-0c203943a3f0",
	"created_at": "2026-04-06T01:31:18.19828Z",
	"updated_at": "2026-04-10T13:11:49.979431Z",
	"deleted_at": null,
	"sha1_hash": "5e798fdbfdc34d4c1baff4a61d3b4371f13a2481",
	"title": "The Chaos Ransomware Can Be Ravaging",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2306438,
	"plain_text": "The Chaos Ransomware Can Be Ravaging\r\nBy Bajrang Mane\r\nPublished: 2022-01-17 · Archived: 2026-04-06 00:32:45 UTC\r\nThe Qualys Research Team has observed a new version of Chaos ransomware in development. This blog reviews the malware’s updated functionality as well as its ongoing evolution.\r\nA ransomware builder called Chaos is still actively under development. The fourth version has recently been observed being improved, as identified in underground forums as well as code leaks in other community sites.\r\nWhile the builder bills itself as ransomware, its functions are more like wiper malware. Traditional ransomware is used by attackers to encrypt the victim’s file data and then demand a ransom in exchange for its recovery. In recent years widespread examples of ransomware have dominated the threat landscape – and the news headlines – with one memorable example being DarkSide Ransomware.\r\nUnlike most ransomware, wipers overwrite or remove the data from the victim’s systems. An example of a well-known wiper is Shamoon/DistTrack, which was observed being used to target Industrial Control Systems, steal information, and then destroy the victim’s systems.\r\nIn our analysis we have seen Chaos encrypting files of less than 2 MB but overwriting larger files with random bytes. Because of this behavior, we believe it is more accurate to call it a wiper.\r\nA History of Chaos\r\nTrend Micro provides a summary analysis of the development of Chaos, which was first discovered in June 2021. Since its inception four versions have been observed, the latest iteration in August 2021. Even though it has not yet been used for an actual attack, it could be highly disastrous if used in the future.\r\nThe four versions of Chaos described by Trend Micro are:\r\nVersion 1.0; released on 9 June 2021: Replaces file data with random bytes and then encodes it with Base-64. From the outset, it has worming capability, distributing itself to all drives.\r\nVersion 2.0; released on 17 June 2021: Administrative privileges are added, along with the ability to delete all of the shadow copies.\r\nVersion 3.0; released on 5 July 2021: Includes encryption of files with AES/RSA algorithms, but only files with a size less than 1MB.\r\nVersion 4.0; released on 5 August 2021: This latest version has put a limit of 2MB on the files that will be encrypted.\r\nLooking at all these versions, we can infer that Chaos remains an in-development ransomware builder that may soon be offered in an underground market on the Dark Web like other well-known ransomware. There is little doubt that attackers will continue developing its capabilities – potentially based on feedback from other forum members where it is being staged.\r\nhttps://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging\r\nPage 1 of 7\r\nTechnical Details\r\nIn the latest version of Chaos, the new extension given to encrypted/affected files is CRYPTEDPAY, as the screenshot below reveals:\r\nFig.1 Encrypted files\r\nHere is a list of extensions targeted by this malware:\r\nFig.2 Extensions supported\r\nFirst, it checks for any other instance already in execution. If yes, then the malware will terminate itself.\r\nIf not already running, it drops a copy at the below location and then executes itself.\r\n“C:\\Users\\\\AppData\\Roaming\\svchost.exe”\r\nNext, it terminates the current process.\r\nThen the newly created process (i.e. svchost.exe) searches for all the drives present and starts encrypting them. It performs encryption only if the extension of the file is present in the list shown above.\r\nAs the screen below illustrates, it then checks the file size. Files are encrypted with AES only if the file size is less than ~2MB. The key used for AES encryption is randomly generated for each file, and the key is then encrypted with RSA.\r\nFig.3 Code for file size check and encryption\r\nThis RSA-encrypted key is then encoded in Base-64 and kept at the start of the file with the tags \u003cEncryptedkey\u003e…\u003cEncryptedkey\u003e followed by the encrypted file data.\r\nFig.4 Random bytes generation and encoding\r\nIf the file size is greater than ~2MB and less than ~200MB, random bytes of the length (filesize/4) are generated and written in the encrypted file in Base-64 encoded format. If the file size is greater than ~200MB, random bytes with the length greater than ~200MB and less than ~300MB are generated and kept in the file in Base-64 format. This makes these files completely useless.\r\nThe attacker then has Chaos drop the ransom note in each encrypted folder, as shown in this screenshot:\r\nFig.5 Ransom note\r\nThe victim’s wallpaper is also changed to:\r\nFig.6 Desktop wallpaper set\r\nTo the victim’s dismay, Chaos takes steps to make recovery impossible by deleting shadow copies and the backup catalog, and by disabling Windows recovery mode, using the following commands:\r\n“vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete”\r\n“bcdedit /set {default} bootstatuspolicy ignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no”\r\n“wbadmin delete catalog -quiet”\r\nGiven the rapid and ongoing development of Chaos ransomware’s capabilities, it’s very clear that if this ransomware is ever used in a cyber-attack, the victims may not be able to recover their important data. Security professionals must take the utmost precaution to protect their organizations from such destructive attackers.\r\nTTP Map:\r\nDiscovery: File and Directory Discovery (T1083)\r\nCollection: Data from Local System (T1005)\r\nImpact: Data Encrypted for Impact (T1486)\r\nMitigation or Additional Important Safety Measures:\r\nNetwork\r\nKeep strong and unique passwords for login accounts.\r\nDisable RDP if not used. If required, change the RDP port to a non-standard port.\r\nConfigure the firewall in the following way:\r\nDeny access to external IPs trying to connect to important ports (in this case RDP port 3389).\r\nAllow access only to IPs which are under your control.\r\nUse a VPN to access the network instead of exposing RDP to the Internet. Where possible, implement Two-Factor Authentication (2FA).\r\nSet a lockout policy which hinders credential guessing.\r\nCreate a separate network folder for each user when managing access to shared network folders.\r\nTake regular data backups\r\nProtect systems from ransomware by backing up important files regularly and keeping a recent backup copy offline. Encrypt your backups.\r\nIf your computer gets infected with ransomware, your files can be restored from the offline backup once the malware has been removed.\r\nAlways use a combination of online and offline backups.\r\nDo not keep offline backups connected to your system, as this data could be encrypted when ransomware strikes.\r\nKeep software updated\r\nAlways keep your security software (antivirus, firewall, etc.) up to date to protect your computer from new variants of malware.\r\nRegularly patch and update applications, software, and operating systems to address any exploitable software vulnerabilities.\r\nDo not download cracked/pirated software, as it risks backdoor entry for malware into your computer.\r\nAvoid downloading software from untrusted P2P or torrent sites. In most cases, it is malicious software.\r\nHaving minimum required privileges\r\nDo not assign Administrator privileges to users. Most importantly, do not stay logged in as an administrator unless it is strictly necessary. Also, avoid browsing, opening documents, or other regular work activities while logged in as an administrator.\r\nIndicators of Compromise (IOCs)\r\n1ba5ab55b7212ba92a9402677e30e45f12d98a98f78cdcf5864a67d6c264d053\r\nb103fc649787eb1f6121df8174d0f16aaac736fb53f5f078d312871189285956\r\n17557537bcb33f2a0ad3ff0caf7b084e63468144b2e6cb8180f6598adfdc5c9a\r\nContributor\r\nGanesh Vetal, Senior Threat Research Engineer, Qualys\r\nSource: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.qualys.com/vulnerabilities-threat-research/2022/01/17/the-chaos-ransomware-can-be-ravaging"
	],
	"report_names": [
		"the-chaos-ransomware-can-be-ravaging"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439078,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e798fdbfdc34d4c1baff4a61d3b4371f13a2481.pdf",
		"text": "https://archive.orkl.eu/5e798fdbfdc34d4c1baff4a61d3b4371f13a2481.txt",
		"img": "https://archive.orkl.eu/5e798fdbfdc34d4c1baff4a61d3b4371f13a2481.jpg"
	}
}