Chaos: Ransomware or Wiper?

Understanding the Chaos

• According to Trend Micro, Chaos developers attempted to promote this malware as a variant of Ryuk ransomware.
• Chaos developers presented it as a .NET version of the Ryuk ransomware by using a GUI branding similar to Ryuk. 
• However, not many similarities were found as Chaos possesses the functionality of a destructive trojan or wiper rather than that of ransomware.

The many faces of Chaos

• Chaos version 1.0: It contained worming function that allowed it to infect removable drives and avoid air-gapped systems. This version was observed asking for .147 Bitcoin (around $6,600) in a ransom note.
• Chaos version 2.0: This version would overwrite the files on the targeted device by abusing advanced options for administrator privileges. It had the ability to delete all volume shadow copies and the backup.
• Chaos version 3.0: It had nearly-ransomware characteristics with encryption features. It would encrypt files under 1MB with AES/RSA encryption and supports a decryptor-builder.
• Chaos version 4.0: The fourth iteration expanded the RSA/AES encryption feature. It could encrypt files up to 2MB in size. Moreover, it appends files with its own custom extensions and changes the desktop wallpaper of victims. However, it still lacked data exfiltration capabilities.

Conclusion