BlackBerry Ltd.

05/24/2022 | Press release | Distributed by Public on 05/24/2022 06:03

Yashma Ransomware, Tracing the Chaos Family Tree

It's not often that we get to observe the behind-the-scenes drama that can accompany the creation of new malware, but when we do, it gives us a fascinating glimpse into how threat actors operate. One such glimpse, stemming from an online exchange between a ransomware perpetrator and a victim, gave us new insights into the origins of Chaos malware, revealing a twisted family tree that links it to both Onyx and Yashma ransomware variants.

The clues surfaced during a discussion between a recent victim and the threat group behind Onyx ransomware, taking place on the threat actor's leak site. Someone claiming to be the creator of the Chaos ransomware builder kit joined the conversation and revealed that Onyx was constructed from the author's own Chaos v4.0 Ransomware Builder. The author went on to promote the most current version of the Chaos ransomware line, now renamed "Yashma."

The Chaos author's apparent intent of "outing" Onyx as a copycat is particularly ironic, given the origins of Chaos: that threat's first incarnation sought to steal thunder from Ryuk ransomware by touting itself as a .NET version of Ryuk, complete with Ryuk branding on its graphical user interface (GUI). But the response to this ham-handed tactic was so negative that it prompted the threat's creator to drop the Ryuk pretense and quickly rebrand the new creation as "Chaos."