BlackBerry researchers linked Onyx and Yashma ransomware with the Chaos ransomwa...
Researchers publish new findings about the Chaos ransomware developer, revealing a tangled family tree that connects it to both the Onyx and Yashma ransomware strains.
The BlackBerry research and intelligence team stated in a blog post that clues to the Chaos malware's links to Onyx and Yashma emerged via a conversation between a recent victim and the threat group behind Onyx ransomware. The conversation happened on the threat actor's leak site.
According to the researchers, a person claiming to be the creator of the Chaos ransomware builder's kit entered the discussion and revealed that Onyx was built using the author's own Chaos v4.0 Ransomware Builder. The author then promoted the most recent version of the Chaos ransomware family, now known as Yashma.
This was not the first time the link between Chaos and Onyx had been revealed. SC Media reported on April 29 that Onyx's malware was also found to be built on the Chaos ransomware builder.
Yashma's adaptability and widespread availability, according to BlackBerry researchers, make it a worrisome threat going forward. Because the malware is initially marketed and distributed as a malware builder, any threat actor who acquires it can mimic the actions of the threat group behind Onyx, generating their own ransomware strains and targeting specific victims.
"Our research delves into the mindset of these threat actors by showing an online exchange from someone claiming to be the very same Chaos ransomware builder author, in addition to the technical deep-dive provided on the Chaos malware family tree," said Ismael Valenzuela Espejo, BlackBerry's vice president of threat research and intelligence.
"It's interesting to observe how, aside from the obvious money motivation, there's a sense of pride in their creations, even if this malware has been labeled as a 'proof of concept' and 'unsophisticated wiper' by several researchers in the last year," Espejo continued. "It's also fascinating to observe how this comes from someone who, approximately a year earlier, tried to steal the thunder from an existing threat group (Ryuk), but was enraged when their creation (Chaos/Yashma) was also stolen and utilized as the foundation of a new threat (Onyx)."
According to John Hammond, senior security researcher at Huntress, the BlackBerry research provides a great historical perspective of the Chaos ransomware's roots and development leading up to its sixth iteration and new branding name, Yashma. According to Hammond, the newest crypter incorporates new features and functionalities to detect if the ransomware is being operated in a prohibited country, disable antivirus, and terminate services for other preventive measures.
"It's a little frightening to see the rapid evolution of ransomware tooling becoming something so configurable and advanced," Hammond added. "A cybercriminal group, like a software firm, provides new features and upgrades to their product, making it faster, more versatile, and more accessible to their customers...but this time, with malicious purpose. The announcement of a new and improved Chaos ransomware variant isn't reason to raise the alarms and turn on the sirens, but it is another wind of warning: the adversaries are just getting stronger. A good security posture that includes monitoring, redundancy, and strong detection efforts remains the greatest basis for combating a threat actor's end-goal of ransomware."
According to Nicole Hoffman, senior cyber threat intelligence analyst at Digital Shadows, the Maze ransomware gang changed everything in 2019 by introducing double-extortion, and now the majority of ransomware attacks result in data breaches. According to Hoffman, Chaos ransomware variants can erase files larger than about 2 gigabytes, resulting in a highly damaging attack for many enterprises.
"It would be sad if destructive ransomware becomes a new industry trend, with more amateur crooks entering the picture," Hoffman said. "In any case, security teams should stay ahead of the threat by following the 3-2-1 back-up rule, which means three copies of the data, two media types used for back-ups, and one offsite backup. This is not a new rule, but it is more important than ever in combating destructive ransomware attacks."