Anatomy of Chaos Ransomware builder and its origin (feat. Open-source Hidden Tear ransomware)
Author: hypen(Sojun Ryu) | S2W TALON
Executive Summary
- Last June, on the dark web forums XSS and Dread, a user shared a Ryuk ransomware builder that he had been developing.
- Ryuk is sophisticated ransomware used by many cybercriminals so far, and its source code or builder has not been disclosed yet.
- Because of the name "Ryuk ransomware builder", many analysts shared this issue, but it was confirmed that the builder is completely unrelated to the actual Ryuk ransomware.
- After that, the developer who shared the Ryuk ransomware builder renamed it the Chaos ransomware builder and updated it to V4, reflecting continuous feedback from forum users.
— V1: Using the name Ryuk ransomware builder; no file encryption, just overwriting data
— V2: The builder name changed to Chaos ransomware builder. Grants administrator privileges, allows a custom ransom note filename, and disrupts file recovery
— V3: Added features to encrypt files using RSA/AES and to create a decryptor when encryption mode is used
— V4: File extensions customizable and can change the wallpaper on the victim's host
- After analyzing the ransomware generated by Chaos ransomware builder V1-V4, we found that Chaos ransomware is based on the open-source Hidden Tear ransomware.
- In addition, it was further confirmed that the developer of the Chaos ransomware builder had previously created bagli ransomware and sold it on the "Tor2door" market.
- Many variants based on Chaos ransomware builder V3 have appeared in the wild, using the same BTC wallet address and ransom note and demanding the same amount.
- The extensions used by the variants identified so far are "pay us", "gru", "$big$", and "AstraLocker".
Malware analysis
V1 builder (Ryuk .Net Ransomware Builder v1.0)
1. Check for duplicated execution
- Check if there is a process with the same path as the current path but with a different PID among running processes
2. checkSleep (option): Set execution delay time
- Delays malicious behavior for a specified amount of time (seconds)
- Specified by the builder’s Delay second value
3. checkCopyRoaming (option): Copy the current malware to the %appdata%
- If the current path is neither the Startup folder nor %appdata%, the file is copied to %appdata% under the specified file name
- If it already exists, delete it and recreate it
- Specified by the builder’s Process name value
- Executes the file in the copied path and terminates the current process
4. checkStartupFolder (option): Create .lnk file in Startup folder
- Create a .lnk file that runs the current file in the Startup folder
- Generated .lnk file name: Process Name.url
- Builder’s Add to start folder value
5. checkRegistryStartup (option): Uses Run Registry key to execute malware each time that a user logs on
- Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Key: Microsoft Store
- Value: [Current Path]
6. Overwrite files
- Overwrite files only on the specific path on the C drive
C:\Users\[Username]\Desktop
C:\Users\[Username]\Links
C:\Users\[Username]\Contacts
C:\Users\[Username]\Desktop (duplication)
C:\Users\[Username]\Documents
C:\Users\[Username]\Downloads
C:\Users\[Username]\Pictures
C:\Users\[Username]\Music
C:\Users\[Username]\OneDrive
C:\Users\[Username]\Saved Games
C:\Users\[Username]\Favorites
C:\Users\[Username]\Searches
C:\Users\[Username]\Videos
- Overwrite all files on all drives except the C drive
- Target file extensions: 102 (2 duplicates, .mp3)
- Overwrite original data with random data, not encrypt
— Generate random data with the size of the entire file divided by 3
Then, overwrite a file with <EncryptedKey>[random 31byte]<EncryptedKey>[random 2byte][base64(random data generated above)]
- Encrypted file extension: random 4byte
- Create a ransom note for each folder
— ransom note file name: read_it.txt
7. checkSpread (option): Copy files to all currently mounted drives except the C drive
- Copy the current file to the root path for each drive
- The filename is specified by the builder’s Usb and network spread value
- However, no code that executes the copied file was confirmed
8. Finally, the ransom note is created and executed
- Create a ransom note using the content specified in the builder
- ransom note file path: %appdata%\read_it.txt
- The default ransom note content is saved in the builder, and it demands $1,500 to recover the file.
V2 (Chaos Ransomware Builder v2)
1. checkSleep (option): Set execution delay time
- Delays malicious behavior for the specified amount of seconds only if the current path is not %appdata%
- Behavior on the first run or when run from Startup folder
2. checkAdminPrivilage (option): Execution with administrator privileges
- Execution with administrator privileges only if the current path is not %appdata%
- Attempt to run as administrator until UAC OK button is pressed
- It is copied to the specified file name if the current path is not %appdata%
- The only difference from the existing checkCopyRoaming option is whether to run with administrator privileges
3. Disrupt file recovery (options)
- checkdeleteShadowCopies: delete all Volumes Shadow Copies
vssadmin delete shadows /all /quiet & wmic shadowcopy delete
- checkdeleteBackupCatalog: delete the backup catalog
wbadmin delete catalog -quiet
- disableRecoveryMode: disable windows recovery mode
bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
4. Overwrite files
- Still, overwrite original data with random data
— For files less than 1.09MB, generate random data with the size of the entire file divided by 2
— For other files, generate random data with the size of the entire file divided by 4
- Expanded target file extensions (+35)
5. Create a ransom note with the specified filename
— Specified by the builder’s Dropped File Name value
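The recovery-disruption commands in item 3 above and the V1 Run-key persistence (value name "Microsoft Store" under the Run key) are good process-creation and registry detections. The following Python, added here as an example and not code from the write-up or the builder, runs those rules over constructed Sysmon-like event lines; the event format, field names, user SID and dropped-file path are assumptions.

```python
import re
from typing import Dict, List, Tuple

# (builder option named in the write-up, pattern over the process command line).
# The builder chains commands with "&", so one cmd.exe event can match twice.
COMMAND_RULES = [
    ("checkdeleteShadowCopies", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\b.*\s/all\b", re.I)),
    ("checkdeleteShadowCopies", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("checkdeleteBackupCatalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("disableRecoveryMode", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("disableRecoveryMode", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]
# V1 checkRegistryStartup: value named "Microsoft Store" under ...\CurrentVersion\Run.
RUN_KEY_RULE = re.compile(r"\\CurrentVersion\\Run\\Microsoft Store$", re.I)


def parse_event(line: str) -> Tuple[str, Dict[str, str]]:
    """Split 'Kind key1=value1|key2=value2' into the event kind and its fields."""
    kind, _, rest = line.partition(" ")
    fields = dict(part.split("=", 1) for part in rest.split("|") if "=" in part)
    return kind, fields


def scan_events(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (builder option, evidence) for every event matching a rule."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        kind, fields = parse_event(line)
        if kind == "ProcessCreate":
            cmd = fields.get("CommandLine", "")
            hits += [(option, cmd) for option, rx in COMMAND_RULES if rx.search(cmd)]
        elif kind == "RegistryValueSet" and RUN_KEY_RULE.search(fields.get("TargetObject", "")):
            hits.append(("checkRegistryStartup", fields["TargetObject"]))
    return hits


def option_counts(hits: List[Tuple[str, str]]) -> Dict[str, int]:
    """Aggregate hits per builder option, e.g. for an alert summary."""
    counts: Dict[str, int] = {}
    for option, _ in hits:
        counts[option] = counts.get(option, 0) + 1
    return counts


# Constructed events in a Sysmon-like shape (not real telemetry); the user SID and
# the path of the dropped binary are placeholders.
SAMPLE_EVENTS = [
    "ProcessCreate Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete",
    "ProcessCreate Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c wbadmin delete catalog -quiet",
    "ProcessCreate Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no",
    "ProcessCreate Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe read_it.txt",
    "RegistryValueSet TargetObject=HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Store|Details=C:\\Users\\user\\AppData\\Roaming\\dropped.exe",
    "RegistryValueSet TargetObject=HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive|Details=C:\\Program Files\\OneDrive\\OneDrive.exe",
]
```

Because the builder runs the two shadow-copy commands and the two bcdedit commands in one chained command line each, a single process-creation event yields two hits for those options.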
V3 (Chaos Ransomware Builder v3)
1. checkRegistryStartup option was removed
2. Encrypts or overwrites files
- Files smaller than 1.09MB when AES encryption mode is selected ( [Filesize] < 1.09MB )
— Generates a secret key as a 20-byte random string drawn from a specific string table
— Salt values are set to [1,2,3,4,5,6,7,8]
— Encrypts files using AES-256 CBC with the secret key and salt
Then, overwrites the file with <EncryptedKey>[RSA encrypted(secret key)]<EncryptedKey>[base64(AES encrypted data)]
- Files larger than 200MB are overwritten ( 200MB < [Filesize] )
— Generates random data of a size randomly selected between 200MB and 300MB
Overwrites the file with <EncryptedKey>[random 41byte]<EncryptedKey>[random 2byte][base64(random data generated above)]
- Other files are not encrypted, just overwritten with random data
— Generates random data with the size of the entire file divided by 4
Overwrites the file with <EncryptedKey>[random 41byte]<EncryptedKey>[random 2byte][base64(random data generated above)]
- Expanded target file extensions (+91)
3. Able to create a decryptor
- A decryptor can be created when the Encrypt AES / RSA feature is selected in Advanced Options
- A public key and a private key are created together in a folder with the name specified during creation.
— Specified by the builder's Decrypter Name value
- The public key is embedded in the ransomware when the public key selected button is pressed
- Afterwards, the attacker can decrypt the files using the generated privateKey.chaos
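Both the random-overwrite layout (V1/V2 with 31 random bytes between the markers, V3/V4 with 41) and the V3 AES/RSA layout begin with the same <EncryptedKey> marker, so during response it helps to tell destroyed files from ones a recovered private key could still unlock. The following Python triage routine, added here as an example and not code from the write-up or the builder, classifies file bodies by that layout; it assumes that any key segment other than 31 or 41 bytes is an RSA ciphertext, and the sample file bodies are constructed.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, Optional

MARKER = b"<EncryptedKey>"
# Key-segment lengths the write-up gives for the random-overwrite mode:
# V1/V2 put 31 random bytes between the two markers, V3/V4 put 41.
OVERWRITE_KEY_LENGTHS = {31: "V1/V2", 41: "V3/V4"}
BASE64_BODY = re.compile(rb"[A-Za-z0-9+/=\r\n]*")

@dataclass
class Triage:
    layout: str                  # "chaos-overwrite", "chaos-aes" or "not-chaos"
    version: str                 # builder generation inferred from the key segment
    recoverable: Optional[bool]  # None when the builder did not write this file
    note: str

def triage_chaos_file(data: bytes) -> Triage:
    """Classify one file body by the <EncryptedKey> layout the builder writes."""
    if not data.startswith(MARKER):
        return Triage("not-chaos", "n/a", None, "no leading marker")
    second = data.find(MARKER, len(MARKER))
    if second < 0:
        return Triage("not-chaos", "n/a", None, "only one marker; layout does not match")
    key_seg = data[len(MARKER):second]
    payload = data[second + len(MARKER):]
    if len(key_seg) in OVERWRITE_KEY_LENGTHS:
        # Random-overwrite mode: 2 random bytes, then base64 of random filler.
        # No key was ever involved, so no decryptor can restore the original.
        return Triage("chaos-overwrite", OVERWRITE_KEY_LENGTHS[len(key_seg)], False,
                      f"{len(key_seg)}-byte random key segment; original data destroyed")
    # Assumption: any other key segment is the RSA ciphertext wrapping the 20-byte
    # AES secret (far longer than 41 bytes), and the payload is base64(AES data).
    if BASE64_BODY.fullmatch(payload) is None:
        return Triage("chaos-aes", "V3+", False, "payload is not base64; file damaged")
    return Triage("chaos-aes", "V3+", True, "decryptable only with the operator's private key")

def constructed_samples() -> Dict[str, bytes]:
    """Constructed bodies mimicking the documented layouts; not real samples."""
    filler = base64.b64encode(bytes(range(256)) * 2)
    return {
        "v1_overwrite": MARKER + bytes(range(31)) + MARKER + b"\x00\xff" + filler,
        "v3_overwrite": MARKER + bytes(range(41)) + MARKER + b"\x00\xff" + filler,
        "aes_mode": MARKER + bytes(range(128)) + MARKER + base64.b64encode(b"\x10" * 64),
        "untouched": b"%PDF-1.4 not written by the builder",
    }

def summarize(files: Dict[str, bytes]) -> Dict[str, int]:
    # Count files per layout to scope what a recovered key could still restore.
    counts: Dict[str, int] = {}
    for body in files.values():
        layout = triage_chaos_file(body).layout
        counts[layout] = counts.get(layout, 0) + 1
    return counts
```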
V4 (Chaos Ransomware Builder v4)
1. Added target paths in C drive
%appdata%
C:\Users\Public\Public Documents
C:\Users\Public\Public Pictures
C:\Users\Public\Public Music
C:\Users\Public\Desktop
2. Encrypts and overwrites file data
- Encrypts files smaller than 2.11MB when AES encryption mode is selected ( [Filesize] < 2.11MB )
- Target file extensions are customizable
3. Change the wallpaper to the specified image
- Original image file path: %temp%\[random 9byte].jpg
Based on Hidden Tear
Hidden Tear is the first ransomware released as open source, in August 2015 by Utku Sen, a security researcher in Turkey. At the time, the researcher said the source code was released for educational purposes, but ransomware based on it continues to be created. Chaos Ransomware Builder is GUI software that generates ransomware according to the selected options. Our analysis confirmed that the ransomware it generates was built on Hidden Tear.
V1 and Hidden Tear
The connection between the first released version (V1) and Hidden Tear is not that strong. However, the use of the same variable and function names, and the same ransom note file name (differing only in case), gave us reason to suspect a link to Hidden Tear. We also found that the code structure for traversing directories to encrypt (or destroy) files is similar.
V3 and Hidden Tear
From V3 on, it is clear that Chaos ransomware is based on Hidden Tear. V3 added a function that actually encrypts files using RSA and AES, and we confirmed that the key-generation code and the code performing the AES encryption are almost identical to those of the existing Hidden Tear.
Tracking the developer on the dark web
It has been confirmed that the developer of the Chaos ransomware builder has been active on the XSS and Dread forums, which are popular forums on the dark web. The developer received feedback from users by posting builder download links and usage videos on the forums whenever a version was updated. After the first upload of V1, that feedback was reflected in the next version.
XSS.is forum
In the XSS forum, he was active under the user name ryukRans, and on June 9, 2021, the day he signed up, he immediately posted a thread asking for opinions on the ransomware he had created. No further activity has been confirmed in the forum since the last activity on August 6th, but since it took a month to update V3 to V4, there is a possibility that he will appear with V5 someday. The developer communicated with users on the XSS forum in Russian.
- 2021–06–09
The developer wrote a post saying that he was developing ransomware and asking for features or opinions to add, along with a link to the builder's GitHub. At this time, he referred to his builder as Ryuk Ransomware builder because, like Ryuk ransomware, his ransomware also makes files unrecoverable and creates a ransom note in each folder. He later edited the title of the thread from "Ryuk .Net Ransomware Builder" to "Chaos Ransomware Builder". (However, these features now appear in most ransomware.)
- 2021–06–15
About a week after the first upload, the ransomware name that forum users had pointed out was changed from Ryuk to Chaos, and version 2 was released with some new features. The developer explained that the ability to grant administrator privileges, delete backups, and disable Windows recovery mode had been added.
- 2021–07–03
After the release of version 2, forum users kept asking how the files could be decrypted. Two weeks later, the developer said that he had added a file encryption mode using AES/RSA, and released version 3 with the ability to recover files by creating a decryption tool.
- 2021–07–04
The day after the release of version 3, a video explaining how to use the decryption tool was posted.
- 2021–07–26 ~ 07–28
After version 3 was released, users suggested adding features to change the desktop wallpaper and to edit the list of target file extensions. And a user on the forum shared that the ESET antivirus software detected this ransomware and immediately deleted it.
- 2021–08–04
About a month after version 3 was released, the attacker released version 4, the most recent version. In version 4, the ability to change the desktop wallpaper and edit the file extension of the target file mentioned by users has been added, and the size of the encrypted file has also increased from about 1MB to about 2MB.
Dread forum
It was confirmed that the developer was active on the Dread forum before the XSS forum. His first post was that he was looking for a ransomware partner. After that, a post requesting feedback on builder V1 was also published on the Dread forum, a day earlier than on the XSS forum. Unlike on the XSS forum, on the Dread forum he wrote in English and used bagli as his user name.
- 2021–05–17
The first post written on the Dread forum was an announcement about recruiting partners. He said that he was making ransomware and that he would give 50% of the profits if someone was in charge of distribution. This article was uploaded to 3 bulletin boards in the forum. (programming, malware, and hacking)
- 2021–05–19
Two days after posting the partner recruitment, the developer posted a thread with a link to the dark web market called Tor2door, saying that he was currently selling ransomware called “bagli” that he had created.
- 2021–06–08
About 3 weeks later, the developer shared the (V1) GitHub link he created on the Dread forum a day earlier than the XSS forum.
- 2021–06–15
However, version 2 was also uploaded to the Dread forum on the same date as XSS.
- 2021–07–03, 2021–08–04
After that, both version 3 and version 4 were uploaded to the XSS and Dread forums on the same date.
Tor2door
Since its launch in July 2020, Tor2door Market has been a dark web marketplace selling financial information, drugs and chemicals, jewelry and gold, and digital goods and software, supporting Bitcoin and Monero. Checking the Tor2door link that the developer posted as a comment on the Dread forum confirmed that he was selling ransomware under the same name, "bagli", that he had been using as his user name on the Dread forum. He joined this market in May of this year and has been active since.
- Bagli ransomware
It is assumed that, before developing Chaos ransomware, the developer had already developed and sold ransomware called "bagli", the same as his user name, for $15. There is a high probability that it is an early version that does not differ much from Chaos ransomware in functionality, because the text in the "Product description" is almost the same. (He also mentioned Ryuk ransomware here.)
The developer advertised his ransomware by adding a PCrisk link, and there was a VirusTotal link for the "bagli" ransomware. Analysis of the sample confirmed that it was written in C#, the same as Chaos ransomware, and that an obfuscator presumed to be Babel Obfuscator had been applied. We checked the decompiled code and confirmed that it tries to overwrite specific paths on the C drive and all files on the other drives in the same way as the Chaos ransomware V1 analyzed above.
The difference from V1 is that it targets only 68 extensions, overwrites the whole file for files smaller than 1.09MB, and overwrites the first 1.09MB of files larger than 1.09MB with random data. The extension of the overwritten file is changed to .bagli, and the ransom note is created with the file name oxu.txt. Bagli ransomware can be seen as V0 of Chaos ransomware, and it also confirms that obfuscation can be applied in the wild.
Since the same Hidden Tear traces were found in Bagli ransomware as well as Chaos ransomware, it is assumed that the developer based his ransomware on Hidden Tear from the start.
- Chaos ransomware
It is not possible to confirm exactly when the product was posted due to the characteristics of the market, but it is assumed that it was uploaded around July, considering that V3 is being sold. The entire source code is on sale for $80.
Tracking bitcoin transactions
We analyzed the money flow by securing a ransom note generated by the recent “bagli” ransomware and a bitcoin address that is assumed to be related to the developer. It was confirmed that the developer did not use a bitcoin mixing service, and ultimately transferred most of the amount (about 95%) to the Binance Exchange.
About the developer of the Bagli and Chaos ransomware
AstraLocker seems to be generated by another operator
- Email: ramilo2122@yandex.com
- Email: cyberlock06@protonmail.com (BiggyLocker)
- Email: biggylockerteam@yandex.com (BiggyLocker)
- Email: AstraRansomware@protonmail.com (AstraLocker)
- Username(Github): Hetropo
- Username(XSS): ryukRans
- Username(Dread): bagli
- Username(Tor2door): bagli
- BTC: bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg (Chaos, BiggyLocker, Gru, Apis, Desifrujmujpocitac2021)
- BTC: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0 (Chaos, Apis)
- BTC: bc1qnurh904jcnxm0amfg2cy3406k4ed2vd2x67s8p (Bagli)
- BTC: 36zvYan9vtbWQFcKcidPKhcuAz6woMszE9 (BiggyLocker)
- BTC: bc1qel4nlvycjftvvnw32e05mhhxfzy7hjqkjh82ez (AstraLocker)
- Monero: 44wJKzwrzWY7dxLov4EjVia3wmwaj6ige6a8C6eHKXKtVy8PTU3SnCG6A6do3vL4Cu3kLUe dKwjomDKe754QhshVJw52xFV
- Monero: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS (AstraLocker)
Conclusion
- Hidden Tear open-source ransomware is still being exploited by ransomware attackers to this day, and through continuous updates, it can develop into real threat ransomware.
- Chaos ransomware developer is not yet an expert in developing ransomware, but if he reinforces the ransomware’s features while receiving advice from users in the forum who are proficient in cybercrime, it can become a more threatening
- There is a possibility that the builder shared by the developer after the feature update will be abused by another criminal in the future, and many variants have already been found.
- Accordingly, it is necessary to respond to changes by monitoring whether Chaos ransomware continues to be updated.
IoC
- 68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09 (Bagli)
- c3c186a46f9ef44f8f1aad2879058b982dd20cd53a92224f4591858f9274e2f4 (Bagli)
- 114e3769d9cff47038ef22c3827dc28c5be3ca6b1aeeb2589ce87727bdd4b5bd (Pay us)
- 5944bf580c5dd251e356aa4afca054be2834926e6e2e9c55031aadc5dd55bf1b (AstraLocker)
- 7b2d5c54fa1dbf87d7de17bf0bf0aa61b81e178a41b04e14549fb9764604f54c (AstraLocker)
More detailed information can be found from our CTI Solution Xarvis.
- Homepage: https://www.s2wlab.com
- Facebook: https://www.facebook.com/S2W
- Twitter: https://twitter.com/s2w