Chaos Ransomware Targeting Minecraft Gamers in Japan

What has happened?

• They are using Chaos ransomware to encrypt certain files while also destroying some.
• This destructive behavior for larger files may sound a bit odd for a ransomware action, but it would be relevant to note that originally Chaos was a wiper malware and the encryption functionality was added later.
• After hitting a target, the ransomware group asks for 2,000 yen ($17.56) worth of Bitcoin or prepaid cards.

How does it work?

• The file uses a text icon to fool potential victims that it has a list of alternative accounts for this game, which is considered precious information for the players.
• Opening the file leads to malware execution. Malware searches for the files smaller than 2,117,152 bytes, tries to encrypt them, and adds four random characters to smaller files, which are chosen from ‘abcdefghijklmnopqrstuvwxyz1234567890.’ 
• Files (with certain specific extensions) that are larger than 2,117,152 bytes are filled with random bytes, making them unusable even if the ransom is paid.

Additional insights

• Same as other ransomware, Chaos deletes shadow copies from the infected machines.
• The ransom note is written in Japanese and mentions that the attackers are only available on Saturdays. 
• Furthermore, they issue an unconditional apology in the note to victims for any trouble caused by them.

Conclusion