A new variant of the Chaos ransomware builder, dubbed Yashma, has been seen in the wild, according to recently released reports. This variant, which is the sixth iteration of the Chaos ransomware, includes new features such as location awareness for execution and terminating various processes prior to encryption.
While Yashma has been branded as a new version of the Chaos ransomware, changes between it and the previous version are minor. Yashma now includes the ability to obfuscate itself via a .NET obfuscator known as Confuser v18.104.22.168. Confuser is a common .NET obfuscator that supports a wide variety of obfuscation methods for binaries, including anti-debugging, anti-memory dumping, anti-decompiling, and so on. The malware also has a function to prevent itself from running based on the victim’s location, which is determined via the language set on the device. This functionality was likely included to prevent encrypting devices in the threat actor’s country of origin to avoid legal troubles. Finally, the new version has the ability to stop various services on the victim device. These services include such things as: AV solutions, vault and backup services, storage services, and Remote Desktop services.
Though Chaos ransomware has only been in the wild for around a year, the fact that it has gone through six iterations shows the author’s attempt at finetuning the malware. It is very likely that Chaos will continue to be improved upon quickly, with the author adding more and more features and security bypasses.