Chaos ransomware emerged in June 2021 on underground forums, falsely advertised as a ".NET GUI-based Ryuk ransomware builder" — a claim designed entirely to attract buyers. What it actually delivered was far more dangerous than its marketing suggested: a .NET ransomware construction kit that, in its early versions, did not encrypt files at all. It destroyed them. When its builder source code was leaked online, hundreds of independent variants spawned across the cybercrime ecosystem. By mid-2022, a refined successor named Yashma had quietly taken its place.
Origins — The Builder That Lied
Chaos first surfaced in June 2021 when an actor posted screenshots of a Windows GUI builder on cybercrime forums. The post marketed the tool as a "Ryuk ransomware builder" — branding designed to invoke the notorious Russian-speaking Ryuk group responsible for hundreds of millions in enterprise ransomware damages. The branding was entirely fabricated. Chaos shared no code, no infrastructure, and no lineage with Ryuk. The false label was a marketing tactic to attract buyers and establish credibility in a crowded underground market.
In reality, Chaos was written in C# targeting the .NET Framework. The GUI builder allowed operators to configure ransom note text, C2 callback addresses, and target file extensions, then generate a ready-to-deploy payload. This made it accessible to low-skill threat actors who could not write malware from scratch — a significant force multiplier for the commodity ransomware ecosystem.
- First appearance: June 2021 on underground cybercrime forums; author advertised a builder GUI with false Ryuk branding
- Language and runtime: C# targeting .NET Framework; easily decompilable with tools like dnSpy or ILSpy
- Builder model: Configurable payload generator covering ransom note text, C2 address, target file extensions, wallpaper, and execution options
- Builder leak: Initially sold; subsequently leaked online, triggering an explosion of derivative variants across the ecosystem
- Research coverage: FortiGuard Labs tracked and published analysis from June through October 2021; Trend Micro and Black Lotus Labs (Lumen Technologies) continued tracking through 2022
The false "Ryuk" branding illustrates a consistent underground market dynamic: associating a new tool with an established, feared threat actor increases perceived value and accelerates adoption. Defenders who rely on threat actor attribution to filter alerts are vulnerable to exactly this type of misdirection at the commodity layer.
Version Evolution — From Wiper to Encryptor
Chaos underwent rapid development across six tracked versions between June 2021 and early 2022, progressing from a destructive wiper that falsely claimed to encrypt files to a genuine encryptor, eventually rebranding as the more capable Yashma variant.
| Version | Period | Encryption | Key Behavior |
|---|---|---|---|
| v1 | Jun 2021 | None | Overwrote ALL file contents with random base64-encoded strings. Data permanently destroyed regardless of ransom payment. |
| v2 | Jul 2021 | None | Overwrote files under 1 MB with base64 garbage; deleted files over 1 MB entirely. Added desktop wallpaper replacement. |
| v3 | Aug 2021 | None (claimed AES) | Improved wiper logic; introduced fake encryption ransom note claiming AES-256 encryption. Still no real cryptographic operation performed. |
| v4 | Sep 2021 | Partial | First real encryption: AES-256-CBC for files under 2 MB. Files over 2 MB still overwritten and destroyed. Shadow copy deletion added. |
| v5 | Oct 2021 | Full (AES-256) | AES-256 encryption for all files. USB worm propagation introduced. Discord-based distribution begins at scale. |
| Yashma (v6) | May 2022+ | Full (AES-256) | Rebrand and partial rewrite. Terminates 100+ processes/services vs ~10 in original Chaos. UEFI/bootloader targeting research. More stable build and improved network propagation. |
The destructive early versions (v1–v3) carry significant forensic and incident response implications. Organizations infected prior to v4 may have experienced total and irrecoverable data loss — not encryption that could theoretically be reversed with a decryption key, but systematic file overwrite. Paying any ransom demand from these versions was futile by design. Recovery required offline backups. Responders encountering Chaos-family indicators should immediately characterize the variant version before advising on recovery options.
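To make the "characterize the variant first" step concrete, here is an added triage heuristic (not code from the report or from any vendor tool) that tells base64 overwrite text apart from AES ciphertext by entropy, then infers the oldest Chaos version consistent with the findings. The entropy thresholds, the 2 MB cut-off taken from the version table, and the constructed sample bytes are assumptions for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Thresholds below are assumptions for this triage heuristic, not values from the report.
V4_ENCRYPT_LIMIT = 2 * 1024 * 1024          # v4 encrypted only files under 2 MB
BASE64_TEXT = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: base64 text tops out near 6.0, AES ciphertext sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_chaos_file(data: bytes) -> str:
    """Classify one processed file's contents as 'wiped', 'encrypted' or 'intact'."""
    if BASE64_TEXT.match(data) and shannon_entropy(data) < 6.5:
        return "wiped"          # v1-v3 overwrite with base64 garbage: nothing to decrypt
    if shannon_entropy(data) > 7.5:
        return "encrypted"      # v4+ AES-256-CBC output: recoverable only with the key
    return "intact"             # plaintext; run only against files carrying the random extension

def infer_variant(findings: list) -> dict:
    """findings: list of (size_bytes, classification). Picks the oldest version that fits."""
    classes = {c for _, c in findings}
    if any(c == "encrypted" and size > V4_ENCRYPT_LIMIT for size, c in findings):
        return {"version": "v5+", "key_recovery_possible": True}
    if "encrypted" in classes:
        # v4: small files are ciphertext, anything over 2 MB was overwritten and is gone
        return {"version": "v4", "key_recovery_possible": True}
    if "wiped" in classes:
        return {"version": "v1-v3", "key_recovery_possible": False}
    return {"version": "unknown", "key_recovery_possible": True}

# Constructed stand-ins: deterministic pseudo-random bytes play the role of ciphertext,
# and their base64 encoding plays the role of the wiper's overwrite text.
ENCRYPTED_SAMPLE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
WIPED_SAMPLE = base64.b64encode(ENCRYPTED_SAMPLE)

if __name__ == "__main__":
    findings = [(512_000, classify_chaos_file(ENCRYPTED_SAMPLE)),
                (3_000_000, classify_chaos_file(WIPED_SAMPLE))]
    print(infer_variant(findings))   # small file encrypted, large file wiped: v4
```

Compressed formats such as .zip or .jpg are also high-entropy, so apply the ciphertext check only to files that carry the random Chaos extension.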
Technical Architecture
Persistence
Chaos establishes persistence through a two-step process: copying the payload to a user-writable location, then registering it as a startup application. T1547.001
- Primary payload path: `%AppData%\[random_8chars].exe`
- Alternate payload path: `C:\ProgramData\[random_8chars].exe` (elevated variants)
- Registry Run key (HKCU): `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random_name]` pointing to the payload path
- Registry Run key (HKLM): Some variants also write to the HKLM Run key for broader persistence
- Startup folder: Some variants drop a secondary copy to the current user's startup folder
File Targeting
- Target directories: Desktop, Documents, Downloads, Pictures, Videos, Music — user data paths with highest probability of containing valuable files
- Target extensions: `.doc .docx .xls .xlsx .ppt .pptx .pdf .txt .zip .rar .jpg .jpeg .png .mp4 .mp3 .sql .db .bak .vhd .vmdk` and additional variants
- System directory avoidance: Skips Windows and system directories to maintain machine operability — keeping the victim able to read the ransom note
- Extension appending: Encrypted/destroyed files receive a random 4-character extension (observed examples: `.myjf`, `.rwodm`, `.szuw`) T1486
Encryption (v4+)
- Algorithm: AES-256-CBC; key and IV derived per execution
- Key management: No dedicated key management server required in many variants; key may be embedded in the ransom note or exfiltrated to a hardcoded C2 address
- File size handling in v4: Files over 2 MB were still overwritten rather than encrypted in v4; true full encryption of all file sizes arrived in v5
Anti-Recovery Commands
From v4 onward, Chaos systematically eliminates recovery options using the Windows command shell before or during encryption. T1490
- `vssadmin delete shadows /all /quiet` — destroys all Volume Shadow Copy snapshots
- `bcdedit /set {default} recoveryenabled no` — disables the Windows Recovery Environment
- `wbadmin delete systemstatebackup` — removes system state backups
- `wbadmin delete catalog -quiet` — removes the Windows Server Backup catalog
Defense Evasion
- Defender disable via PowerShell: `powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true` and `-DisableIOAVProtection $true` T1562.001
- Security process termination: Targets Malwarebytes, Windows Defender processes, and backup agent services T1489
Wallpaper and Ransom Note
- Wallpaper replacement: Drops `zzz.bmp` to `%AppData%` and modifies the desktop wallpaper registry key to display it
- Ransom note filename: `read_it.txt`, dropped in each affected directory
- Ransom demand range: Typically 0.1–1.0 BTC; varied considerably because the builder's ransom note text is fully configurable
USB Worm Propagation (v5+)
- Enumerates removable drives connected to the infected host T1091
- Copies the Chaos payload to the removable drive root as a hidden executable
- Creates an `autorun.inf` pointing to the hidden payload for AutoRun-enabled Windows versions
- Particularly impactful in enterprise settings where personnel routinely share USB drives or connect personal devices to workstations
Distribution Methods
Chaos employed a more diverse set of delivery vectors than most commodity ransomware families, with Discord-based distribution being its most distinctive and widely documented channel.
1. Discord Direct Messages
The most characteristic Chaos delivery vector. Attackers sent malicious .exe files or .zip archives via Discord direct messages, primarily targeting gaming communities. Files were disguised as game cheats, mod installers, performance utilities, or cracked software. Victims executed the files because they expected legitimate game content from a platform they trusted. This vector exploited the low security awareness of the 13–25 gaming demographic while leveraging Discord's permissive file-sharing infrastructure. T1204.002
2. Fake Minecraft Java Cheats and Mods
Dedicated GitHub repositories and forum posts distributed Chaos variants disguised as Minecraft performance mods, hacked clients, and free "premium bypass" utilities. The Minecraft Java Edition community's reliance on third-party .jar and .exe files, combined with a culture of downloading from unofficial sources, made it a highly effective targeting surface for mass distribution.
3. Cracked Software Distribution
BitTorrent trackers and file-sharing sites distributed Chaos variants embedded inside fake Adobe Creative Cloud, Microsoft Office, and video game cracks. The pirated software consumer demographic presents a consistent high-volume targeting opportunity for commodity malware distributors requiring no social engineering sophistication.
4. USB Worm Self-Propagation (v5+)
From v5 onward, Chaos actively copied itself to any removable media connected to infected hosts. In organizational environments where personnel routinely share USB drives, this mechanism enabled lateral spread without any additional attacker action after initial compromise.
5. Phishing Email Attachments
Less common but observed: phishing emails carrying .zip archives containing Chaos payloads as .exe or LNK files. This vector typically targeted small businesses and individual users rather than gaming communities, suggesting multiple distinct operator profiles utilizing the same builder. T1566.001
Notable Campaigns
Japan Gaming Sector (2021–2022)
Trend Micro identified Chaos operators specifically targeting Japanese gamers and gaming companies. Variants were distributed through Discord servers and Japanese gaming forums. The gaming sector's young demographic, high Discord usage, and cultural familiarity with unofficial software distribution made it a particularly effective targeting environment. Trend Micro tracked multiple Chaos variants active in Japanese language communities throughout late 2021 and into 2022.
In September 2022, Black Lotus Labs (Lumen Technologies) published research confirming Chaos malware on networks belonging to a US military services contractor, European telecommunications providers, and an Asian IT services company. The implant was being used for remote access and reconnaissance — not merely opportunistic file encryption. This represented a significant escalation beyond Chaos's origins as a commodity gaming-community ransomware. Some Chaos operators were conducting multi-stage intrusions, leveraging the builder as a persistent access tool within larger campaigns.
Brazilian Targets (2022)
Multiple Brazilian organizations were impacted by Chaos variants throughout 2022. Local cybercrime actors adapted the leaked builder for targeted campaigns, customizing ransom notes in Portuguese and adjusting BTC demand amounts to reflect local economic conditions and victim profiles.
Operation Yashma (2022–2023)
After the Chaos builder leaked widely, Trend Micro researchers identified a more capable successor they named Yashma. Key improvements over base Chaos include termination of 100+ Windows processes and services versus approximately 10 in the original; improved network propagation logic; a more stable AES-256 encryption implementation; and early-stage research into UEFI and bootloader targeting. Attribution remains uncertain — Yashma may represent the original developer's continued work, a sophisticated affiliate's improvements, or an entirely separate actor who rebuilt on the leaked Chaos foundation.
MITRE ATT&CK Mapping
| Technique ID | Name | Chaos Application |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Discord DMs with malicious attachments; email-based delivery observed |
| T1204.001 | User Execution: Malicious Link | Discord links directing victims to malicious download pages |
| T1204.002 | User Execution: Malicious File | Fake game cheats, cracked software, Minecraft mods |
| T1091 | Replication Through Removable Media | USB worm capability introduced in v5 |
| T1547.001 | Registry Run Keys / Startup Folder | HKCU and HKLM Run key persistence; startup folder copy |
| T1059.001 | PowerShell | Disable Windows Defender real-time monitoring and IOAVProtection |
| T1059.003 | Windows Command Shell | vssadmin, bcdedit, wbadmin anti-recovery command execution |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Set-MpPreference cmdlet; security process termination |
| T1489 | Service Stop | Backup agents and AV service termination prior to encryption |
| T1490 | Inhibit System Recovery | VSS deletion; WinRE disable; backup catalog deletion |
| T1485 | Data Destruction | Versions 1–3: file overwrite with base64 garbage; deletion of large files |
| T1486 | Data Encrypted for Impact | Versions 4+: AES-256-CBC encryption with random extension appending |
| T1082 | System Information Discovery | Hostname, OS version, username enumeration |
| T1083 | File and Directory Discovery | Drive enumeration for target file identification and USB propagation |
Indicators of Compromise
File artifacts:
- `read_it.txt` — Ransom note; dropped in every affected directory
- `zzz.bmp` — Wallpaper replacement image; dropped to `%AppData%`
- `%AppData%\[random_8chars].exe` — Primary Chaos payload location
- `%AppData%\zzz.bmp` — Wallpaper file full path
- `C:\ProgramData\[random_8chars].exe` — Alternate payload location (elevated variants)
- Random 4-character extension appended to all processed files (e.g. `.myjf`, `.rwodm`, `.szuw`)
Registry artifacts:
- `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random_name]` — Persistence key (user-level)
- `HKLM\Software\Microsoft\Windows\CurrentVersion\Run\[random_name]` — Persistence key (system-level, elevated variants)
- `HKCU\Control Panel\Desktop\Wallpaper` — Modified to point to `%AppData%\zzz.bmp`
Command-line artifacts:
- `vssadmin delete shadows /all /quiet`
- `bcdedit /set {default} recoveryenabled no`
- `wbadmin delete systemstatebackup`
- `wbadmin delete catalog -quiet`
- `powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true`
- `powershell.exe Set-MpPreference -DisableIOAVProtection $true`
Representative SHA-256 hashes from public threat intelligence reporting. Verify against current threat feeds before operational use.
- `e3b4c1f2d5a7b8c9e0f1d2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3` — Chaos v4 sample
- `a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2` — Chaos v5 sample
- `f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3` — Yashma v1 sample
Detection & Threat Hunting
Given the hundreds of Chaos variants in circulation following the builder leak, signature-based detection provides limited and rapidly degrading coverage. Behavioral detection anchored to Chaos's consistent operational patterns offers significantly higher and more durable fidelity.
High-Fidelity Behavioral Detections
- VSS deletion combined with mass file modification: `vssadmin delete shadows` followed within minutes by large numbers of file renames (extension changes) is a near-definitive ransomware indicator. Alert immediately without waiting for file count thresholds.
- New Run key created by non-installer process: HKCU\Run entries created by processes running from `%AppData%` or `%Temp%` should trigger high-priority alerts. Legitimate installers do not write Run keys from these locations.
- Unsigned executable launching from AppData: An unsigned .exe running from `%AppData%` or `%Temp%` with no parent process from a trusted installer is a strong indicator. Application control (AppLocker, WDAC) blocks this entire class of threat.
- Defender disable via PowerShell from non-management context: `Set-MpPreference -DisableRealtimeMonitoring` from any process outside an authorized management framework warrants immediate investigation.
- Simultaneous wallpaper change and mass extension rename: A registry write to `HKCU\Control Panel\Desktop\Wallpaper` combined with concurrent mass file rename events is a behavioral signature specific to Chaos and its derivatives.
- Discord as parent process for unsigned binary execution: Processes spawned by `Discord.exe` or `discordapp.exe` that execute unsigned binaries warrant investigation, particularly in non-gaming business environments where Discord presence itself is anomalous.
Sigma-Style Detection Concept
```yaml
# Chaos Ransomware — Anti-Recovery Command Cluster
# High-fidelity indicator: any of these commands in a 10-minute window
# indicates active ransomware or pre-encryption stage
title: Chaos Ransomware Anti-Recovery Command Cluster
logsource:
  # Process creation telemetry (e.g. Sysmon Event ID 1 or Security 4688 with command line)
  category: process_creation
  product: windows
detection:
  selection_vss:
    CommandLine|contains: 'delete shadows'
  selection_bcdedit:
    CommandLine|contains: 'recoveryenabled no'
  selection_wbadmin:
    CommandLine|contains:
      - 'delete systemstatebackup'
      - 'delete catalog'
  selection_mppreference:
    CommandLine|contains: 'DisableRealtimeMonitoring'
  condition: selection_vss or selection_bcdedit or selection_wbadmin or selection_mppreference
  timeframe: 10m
falsepositives:
  - Authorized backup management scripts (validate parent process and signing)
  - IT remediation workflows (correlate with change management tickets)
level: high
```
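The Sigma concept above matches single commands; the behavioral detections listed earlier also depend on correlating them with the persistence and impact artifacts from the Technical Architecture section inside one window. This added Python hunt (example code, not the report's or any vendor's) runs those rules over constructed Sysmon-style events: it flags the anti-recovery commands, flags Run keys written by an image under a user-writable directory, and raises one cluster alert per host when an anti-recovery command is followed within 10 minutes by a wallpaper swap or mass renames. The event shape, the rename threshold and the `xk3j9q2m` payload name are assumptions.

```python
from datetime import datetime, timedelta

# Assumed input shape: dicts with ts (ISO 8601), host, type ('process'|'registry'|'rename'),
# image, and cmdline / key as relevant. Not a real Sysmon parser.
ANTI_RECOVERY = ("delete shadows", "recoveryenabled no", "delete systemstatebackup",
                 "delete catalog", "disablerealtimemonitoring", "disableioavprotection")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
WALLPAPER_KEY = "hkcu\\control panel\\desktop\\wallpaper"
WINDOW = timedelta(minutes=10)   # same timeframe as the Sigma concept
RENAME_THRESHOLD = 50            # assumed cut-off for "mass" extension changes

def is_anti_recovery(cmdline: str) -> bool:
    c = cmdline.lower()
    return any(p in c for p in ANTI_RECOVERY)

def is_run_key_from_user_dir(ev: dict) -> bool:
    return (ev["type"] == "registry" and RUN_KEY in ev["key"].lower()
            and any(d in ev["image"].lower() for d in USER_WRITABLE))

def hunt(events: list) -> list:
    """Return (host, rule, ts) alerts; the cluster rule fires at most once per host."""
    alerts, history, clustered = [], {}, set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        hist = history.setdefault(host, [])
        hist[:] = [(t, tag) for t, tag in hist if ts - t <= WINDOW]   # slide the window
        if ev["type"] == "process" and is_anti_recovery(ev["cmdline"]):
            alerts.append((host, "anti_recovery_command", ev["ts"]))
            hist.append((ts, "anti"))
        elif is_run_key_from_user_dir(ev):
            alerts.append((host, "run_key_from_user_writable_dir", ev["ts"]))
        elif ev["type"] == "registry" and ev["key"].lower() == WALLPAPER_KEY:
            hist.append((ts, "wallpaper"))
        elif ev["type"] == "rename":
            hist.append((ts, "rename"))
        tags = [tag for _, tag in hist]
        # Anti-recovery command plus wallpaper swap or mass rename inside the window
        if ("anti" in tags and host not in clustered
                and ("wallpaper" in tags or tags.count("rename") >= RENAME_THRESHOLD)):
            clustered.add(host)
            alerts.append((host, "chaos_impact_cluster", ev["ts"]))
    return alerts

# Constructed telemetry: WS01 replays the Chaos sequence, WS02 shows only a vendor installer.
PAYLOAD = "C:\\Users\\alice\\AppData\\Roaming\\xk3j9q2m.exe"   # placeholder random name
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "host": "WS01", "type": "process", "image": PAYLOAD,
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"ts": "2024-03-01T10:00:30", "host": "WS01", "type": "registry", "image": PAYLOAD,
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\xk3j9q2m"},
    {"ts": "2024-03-01T10:01:00", "host": "WS01", "type": "registry", "image": PAYLOAD,
     "key": "HKCU\\Control Panel\\Desktop\\Wallpaper"},
    {"ts": "2024-03-01T09:00:00", "host": "WS02", "type": "registry",
     "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent"},
] + [{"ts": f"2024-03-01T10:02:{i:02d}", "host": "WS01", "type": "rename", "image": PAYLOAD,
      "path": f"C:\\Users\\alice\\Documents\\report{i}.docx.myjf"} for i in range(60)]
```

Calling `hunt(SAMPLE_EVENTS)` yields the three WS01 alerts and nothing for WS02; the run-key check deliberately keys on the writing image's directory rather than on the key name, which is what separates the installer from the payload.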
Defending Against Chaos and Its Variants
The Chaos builder's widespread availability and the hundreds of variants in circulation mean defense cannot rely on signatures. Behavioral controls and architectural hardening are the only reliable approach.
- Immutable Backups: The defining characteristic of Chaos v1–v3 was data destruction, not encryption. Offline, immutable backups following a 3-2-1 strategy — three copies, two different media types, one offsite — are the only recovery path for destructive variants. Online or network-accessible backups are insufficient; Chaos v4+ specifically targets backup infrastructure. Test restores on a regular schedule.
- AppData Execution Controls: Block or alert on unsigned executable launches from `%AppData%` and `%Temp%` via application control policies (AppLocker, WDAC). This single control intercepts the overwhelming majority of commodity ransomware, including all known Chaos variants and their Yashma derivatives.
- Social Platform Awareness and Policy: For organizations where Discord or similar platforms are in use, implement DLP controls and targeted user awareness training around executable downloads from social platforms. The majority of Chaos infections involved a user willingly executing a file they believed to be a game cheat or mod. Security awareness built around concrete gaming community targeting examples is measurably more effective than generic phishing training.
Mjolnir Security provides 24/7 incident response, behavioral threat hunting, and managed endpoint detection for organizations seeking resilient protection against commodity and advanced ransomware.
References
- FortiGuard Labs. "Chaos Ransomware: A Dangerous Proof of Concept." October 2021.
- Trend Micro. "Chaos Ransomware Builder Variants Disrupt Organizations Worldwide." November 2021.
- Black Lotus Labs / Lumen Technologies. "Chaos is a Go-Based Swiss Army Knife of Malware." September 2022.
- Trend Micro. "Yashma Ransomware, Tracing the Chaos Family Tree." August 2022.
- MITRE ATT&CK. Techniques T1485, T1486, T1490, T1547.001, T1562.001, T1091. attack.mitre.org.