A new malware named Chaos has been discovered on an underground forum for testing purposes. It has been in development since June and may be released in the wild in the upcoming days.

Understanding the Chaos

The malware authors are advertising it as ransomware, however, an analysis made by researchers considers this a wiper. 
  • According to Trend Micro, Chaos developers attempted to promote this malware as a variant of Ryuk ransomware.
  • Chaos developers presented it as a .NET version of the Ryuk ransomware by using a GUI branding similar to Ryuk. 
  • However, not many similarities were found as Chaos possesses the functionality of a destructive trojan or wiper rather than that of ransomware.

The many faces of Chaos

Chaos has been available on underground forums since June and already has four different versions. Although the latest versions display some characteristics of ransomware, they are still far away from being classified as ransomware.
  • Chaos version 1.0: It contained worming function that allowed it to infect removable drives and avoid air-gapped systems. This version was observed asking for .147 Bitcoin (around $6,600) in a ransom note.
  • Chaos version 2.0: This version would overwrite the files on the targeted device by abusing advanced options for administrator privileges. It had the ability to delete all volume shadow copies and the backup.
  • Chaos version 3.0: It had nearly-ransomware characteristics with encryption features. It would encrypt files under 1MB with AES/RSA encryption and supports a decryptor-builder.
  • Chaos version 4.0: The fourth iteration expanded the RSA/AES encryption feature. It could encrypt files up to 2MB in size. Moreover, it appends files with its own custom extensions and changes the desktop wallpaper of victims. However, it still lacked data exfiltration capabilities.


Chaos is more of a proof-of-concept malware that is still under development and has not been observed in any recent attacks. It, for now, wanders between the lines of ransomware and other kinds of malware with file manipulation capabilities. Since it is still under active development, it could become a serious and dangerous threat for organizations in near future.

Cyware Publisher