{
	"id": "a2385146-d95e-4827-92fb-198bc622482a",
	"created_at": "2026-04-06T00:19:22.807177Z",
	"updated_at": "2026-04-10T03:20:39.319459Z",
	"deleted_at": null,
	"sha1_hash": "a612dbab2bee420c546fa32a49abd1da094e9bc3",
	"title": "Chaos Ransomware Variant Sides with Russia | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65075,
	"plain_text": "Chaos Ransomware Variant Sides with Russia | FortiGuard Labs\r\nPublished: 2022-05-18 · Archived: 2026-04-05 16:52:52 UTC\r\nSince the beginning of the ongoing Russia-Ukraine War, some ransomware and hacking groups have publicly declared which side they are on. Such actions have created tension internally within the threat actor groups, as they have caused dissension, and externally, as organizations fear being targeted due to the political nature of the war.\r\nOne notable example is the Conti RaaS (Ransomware-as-a-Service) group, which officially announced in February 2022 that it was backing Russia and would use its arsenal against critical infrastructure belonging to the West. Fear spread quickly, as many organizations around the globe had been victimized by the Conti group in the past, with stolen data exposed and critical files encrypted. However, the Conti group got bitten back soon after the announcement was made: an allegedly unhappy Conti insider took matters into their own hands and leaked Conti’s internal chat logs to the public.\r\nOn the other side of the debate, the LockBit ransomware group made it clear that it will not involve itself in the political war because of the multinational nature of its developers and affiliates.\r\nIn this vein, FortiGuard Labs recently came across a variant of the Chaos ransomware that appears to side with Russia. This blog explains the vicious consequences that the Chaos variant delivers to a compromised machine.\r\nAffected Platforms: Windows\r\nImpacted Parties: Windows users\r\nImpact: Potential loss of files\r\nSeverity Level: Medium\r\nTechnical Details\r\nA GUI-based Chaos ransomware builder is known to be available that can easily customize the malware according to a set of options. FortiGuard Labs recently discovered a sample of malware that seems to have been created using this builder. Unfortunately, how the malware arrives on a victim’s machine is unknown. However, given the political stance of the malware (covered later in this blog), it likely arrives either via forum posts or emails focused on the current Russia-Ukraine war.\r\nOnce the malware runs, it enumerates the files on all drives. For files smaller than 2,117,152 bytes, it generates a random 20-character password for each file and then encrypts the file with AES-256 (CBC-SALTED). Each encrypted file contains the password, RSA-encrypted with a hardcoded public key, followed by the base64-encoded AES-encrypted file content. The malware also adds a ‘fuckazov’ file extension to the affected files. Figure 1 shows the content of an encrypted file. “azov” may be a reference to the Azov Battalion, which put up a fierce fight against Russian military forces in the Azovstal steel plant in Mariupol, Ukraine.\r\nFor files larger than 2,117,152 bytes, the malware fills them with random bytes, making file recovery impossible without a backup. The affected files also receive the ‘fuckazov’ file extension.\r\nhttps://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia\r\nPage 1 of 5\r\nFor the C: drive, the malware searches for files in the following directories and either encrypts them or fills them with random data depending on the file size, then adds a ‘fuckazov’ file extension:\r\n\"\\\\Desktop\"; \"\\\\Links\"; \"\\\\Contacts\"; \"\\\\Desktop\"; \"\\\\Documents\"; \"\\\\Downloads\"; \"\\\\Pictures\"; \"\\\\Music\"; \"\\\\OneDrive\"; \"\\\\Saved Games\"; \"\\\\Favorites\"; \"\\\\Searches\"; \\\\Videos.\r\nIts activities are typical of recent Chaos ransomware variants. Like most ransomware, it displays a message, here in “stop_propaganda.txt”. However, things get a bit interesting from here, as the message reads:\r\nStop Ukraine War! F**k Zelensky! Dont go die for f**king clown!\r\nYou can see the truth here:\r\nt.me/[removed]\r\n[removed].ru\r\nAs seen in Figure 2, there is no ransom demand nor any information on how the victim can reach out to the attacker. The links in the message lead to a Russian Web page, created in April 2022, with what appears to be political messages and information.\r\nThe message reads in English:\r\n“- Victory will be ours!\r\nInformation and Coordination Center”\r\nMachine translation into English is as follows:\r\nWho we are\r\nOur priorities are:\r\nIn connection with the full-scale information and economic war unfolding against the Russian Federation, the Information Coordination Center ikts was created - a group of like-minded people whose main goal is to combat the spread of false information about the activities of the Russian Federation and the Russian Armed Forces.\r\n1. Blocking channels on Telegram, VK\r\n2. Blocking propaganda sites that disseminate false information\r\n3. Investigating violations of rights and civil rights and freedoms\r\nCurrent Targeting Guidelines\r\nIn order to participate and contribute to the information confrontation, please see the Toolkit section, where you can learn how to work most effectively in each area.\r\nIf you know of a fake news channel or website which is spreading false information, defaming Russia, or violating human rights and it is not on our list, please contact us.\r\nAt the moment the following resources are being coordinated:\r\nThe Web site also appears to include a list of Ukrainian soldiers who were either killed in combat or who are considered war criminals in the eyes of the Russian Armed Forces.\r\nWhile typical Chaos ransomware variants provide at least some hope to the victim that encrypted files smaller than 2,117,152 bytes might be recovered upon ransom payment, this particular variant provides no such avenue, as the attacker has no intention of providing a decryption tool. Combined with the deletion of shadow copies from the compromised machine, which inhibits file recovery, this makes it awfully difficult for non-tech-savvy victims to recover their affected files.\r\nThe malware appears to be fresh, as it was likely compiled on May 16th, 2022, for this attack.\r\nConclusion\r\nThe Chaos ransomware variant that this blog covers is unique in the sense that the attacker has no intention of providing a decryption tool or file recovery instructions for its victims to recover their affected files. Finding them is a tall order for non-technical victims, which pretty much makes the malware a file destroyer. Clearly, the motive behind this malware is “destruction.” The politically inclined messages also indicate that the attacker is pro-Russian and frustrated with the current situation. And with the Chaos ransomware builder now readily available, its options allow anyone to create destructive malware. With no end to the war in sight, FortiGuard Labs expects more malware like this to emerge.\r\nVictims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory.\r\nPast Chaos Ransomware Analysis\r\nYou can read more about the Chaos ransomware in the following FortiGuard Labs publications:\r\nChaos Ransomware Variant in Fake Minecraft Alt List Brings Destruction to Japanese Gamers\r\nFake Windows 11 Upgrade Assistant Program Leads to Destructive File Encrypter\r\nFortinet Protections\r\nFortiGuard Labs has AV coverage in place for the malicious file sample in this report as:\r\nMSIL/Filecoder.AGP!tr.ransom\r\nFortinet customers are also protected from this malware through FortiGuard’s Web Filtering, FortiMail, FortiClient, FortiEDR, and CDR (content disarm and reconstruction) services.\r\nDue to the ease of disruption, damage to daily operations, potential impact to the reputation of an organization, and the unwanted destruction or release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date.\r\nIn addition to these protections, Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.\r\nWe also suggest that organizations have their end users go through our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from various types of phishing attacks.\r\nMITRE TTPs\r\nCollection\r\nData from Local System T1005\r\nCredential Access\r\nCredential in Files T1552.001\r\nDefense Evasion\r\nFile Deletion T1070.004\r\nDiscovery\r\nSystem Information Discovery T1082\r\nExecution\r\nCommand-Line Interface T1059\r\nImpact\r\nInhibit System Recovery T1490\r\nIOCs\r\nFile IOCs\r\n954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia"
	],
	"report_names": [
		"chaos-ransomware-variant-sides-with-russia"
	],
	"threat_actors": [],
	"ts_created_at": 1775434762,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a612dbab2bee420c546fa32a49abd1da094e9bc3.pdf",
		"text": "https://archive.orkl.eu/a612dbab2bee420c546fa32a49abd1da094e9bc3.txt",
		"img": "https://archive.orkl.eu/a612dbab2bee420c546fa32a49abd1da094e9bc3.jpg"
	}
}