A new variant of the Chaos ransomware builder, dubbed Yashma, has been seen in the wild, according to recently released reports. This variant, which is the sixth iteration of the Chaos ransomware, includes new features such as location awareness for execution and terminating various processes prior to encryption.
While Yashma has been branded as a new version of the Chaos ransomware, the changes between it and the previous version are minor. Yashma can now be obfuscated with a .NET obfuscator, Confuser v188.8.131.52. Confuser is a common .NET obfuscator that supports a wide variety of protections for binaries, including anti-debugging, anti-memory dumping, and anti-decompiling. The malware also has a function that prevents it from running based on the victim’s location, which it determines from the language set on the device. This functionality was likely included to avoid encrypting devices in the threat actor’s country of origin and the legal trouble that would bring. Finally, the new version can stop various services on the victim device, including AV solutions, vault and backup services, storage services, and Remote Desktop services.
Though Chaos ransomware has only been in the wild for around a year, the fact that it has gone through six iterations shows the author’s effort to fine-tune the malware. It is very likely that Chaos will continue to be improved upon quickly, with the author adding more features and security bypasses.
Since the vast majority of malware is delivered via phishing emails, it is important to have and maintain email security controls. Appropriate AV scanning, sandboxing, and content filtering on incoming emails can help prevent malicious emails from being delivered to end users. Appropriate endpoint security controls can help prevent malware from executing on a system, or detect it when it does. If preventative measures do not stop an infection, proper logging and monitoring can help detect one, allowing organizations to respond swiftly and contain the infection. Monitoring for abnormal process behavior, processes making abnormal network connections, and suspicious Registry or file modifications can all help detect a possible infection. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with these detection needs. Finally, proper backups and business continuity plans can help protect an organization from a successful ransomware attack. This includes having appropriate offsite or off-network backups of critical systems and developing and regularly testing a ransomware-specific business continuity plan that can be put into action at a moment’s notice. Taking these preemptive steps can help reduce the impact of a successful ransomware attack against an organization.
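One concrete form the "abnormal process behavior" monitoring can take, tied to the service-stopping step described above: a detection that flags a single parent process issuing service-stop commands against backup, AV, storage and Remote Desktop services within a short window. This is an added example, not code from the report or from Binary Defense; the Sysmon-style records, the service keyword lists and the 60-second window are constructed assumptions.

```python
"""Added example: detect a burst of service-stop commands (the pre-encryption
behaviour described for Yashma) in constructed Sysmon Event ID 1-style records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service-name keywords per category named in the report (assumed, illustrative).
WATCHED = {
    "backup": ("vss", "backup", "sql", "veeam"),
    "av": ("defend", "msmpeng", "antivirus"),
    "storage": ("storsvc", "fsvol"),
    "rdp": ("termservice", "sessionenv"),
}
# Matches `net stop X [/y]`, `sc stop X` and PowerShell `Stop-Service X`.
STOP_RE = re.compile(
    r'(?:net1?\s+stop|sc(?:\.exe)?\s+stop|stop-service)\s+"?([\w.$ -]+?)"?\s*(?:/y)?\s*$', re.I)

def classify(service):
    """Return the watched categories a service name falls into (may be empty)."""
    s = service.lower()
    return [cat for cat, keys in WATCHED.items() if any(k in s for k in keys)]

def detect_service_stop_burst(events, window=timedelta(seconds=60), min_categories=2):
    """One alert per parent process that stops services from >= min_categories
    categories inside `window`. Events need UtcTime, ParentProcessId, ParentImage, CommandLine."""
    hits = defaultdict(list)
    for e in events:
        m = STOP_RE.search(e["CommandLine"])
        if m and (cats := classify(m.group(1))):
            key = (e["ParentProcessId"], e["ParentImage"])
            hits[key].append((datetime.fromisoformat(e["UtcTime"]), m.group(1), cats))
    alerts = []
    for (ppid, pimg), seq in hits.items():
        seq.sort()
        for i, (t0, _, _) in enumerate(seq):  # slide the window over each start time
            in_win = [x for x in seq[i:] if x[0] - t0 <= window]
            cats = {c for _, _, cs in in_win for c in cs}
            if len(cats) >= min_categories:
                alerts.append({"parent": pimg, "ppid": ppid,
                               "services": [x[1] for x in in_win], "categories": sorted(cats)})
                break
    return alerts

# Constructed sample records (not real telemetry): one dropper stopping three
# service categories in seconds, plus a lone administrative stop that should not alert.
DROPPER = r"C:\Users\victim\AppData\Local\Temp\update.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2022-05-20T10:00:01", "ParentProcessId": 4120, "ParentImage": DROPPER,
     "CommandLine": "cmd.exe /c net stop vss /y"},
    {"UtcTime": "2022-05-20T10:00:02", "ParentProcessId": 4120, "ParentImage": DROPPER,
     "CommandLine": "cmd.exe /c sc stop WinDefend"},
    {"UtcTime": "2022-05-20T10:00:03", "ParentProcessId": 4120, "ParentImage": DROPPER,
     "CommandLine": "cmd.exe /c net stop TermService /y"},
    {"UtcTime": "2022-05-20T10:05:00", "ParentProcessId": 900,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'net stop "Veeam Backup Service"'},
]
```

Run over real Sysmon Event ID 1 data the same logic applies; tuning the keyword lists to the services actually present in the environment keeps the false-positive rate down.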