Anatomy of Chaos Ransomware builder and its origin (feat. Open-source Hidden Tear ransomware)

Published in S2W BLOG, Aug 25, 2021

Author: hypen(Sojun Ryu) | S2W TALON


Executive Summary

  • Last June, on the dark web forums XSS and Dread, a user shared a Ryuk ransomware builder that he had been developing.
  • Ryuk is sophisticated ransomware that many cybercriminals have used, and neither its source code nor a builder has been disclosed.
  • Because of the name, many analysts shared the post, but the builder turned out to be completely unrelated to the actual Ryuk ransomware.
  • The developer then renamed it Chaos ransomware builder and updated it to V4, incorporating continuous feedback from forum users.

— V1: Released under the name Ryuk ransomware builder; no file encryption, data is simply overwritten

— V2: Renamed to Chaos ransomware builder. Can request administrator privileges, customize the ransom note filename, and disrupt file recovery

— V3: Added file encryption using RSA/AES, and a decryptor is created when encryption mode is selected

— V4: Target file extensions are customizable, and the wallpaper on the victim's host can be changed

  • After analyzing the ransomware generated by Chaos ransomware builder V1-V4, we found that Chaos ransomware is based on the open-source Hidden Tear ransomware.
  • In addition, we confirmed that the developer of the Chaos ransomware builder had previously created Bagli ransomware and sold it on the "Tor2door" market.
  • Many variants built with Chaos ransomware builder V3 have appeared in the wild, using the same BTC wallet address and ransom note and demanding the same amount.
  • The extensions used by the variants identified so far are "pay us", "gru", "$big$", and "AstraLocker".

Malware analysis

V1 builder (Ryuk .Net Ransomware Builder v1.0)

1. Check for duplicate execution

  • Checks whether any running process has the same path as the current process but a different PID

2. checkSleep (option): Set execution delay time

  • Delays malicious behavior for a specified number of seconds
  • Specified by the builder's Delay second value

3. checkCopyRoaming (option): Copy the current malware to %appdata%

  • If the current path is neither the Startup folder nor %appdata%, the file is copied to %appdata% under the specified file name
  • If the copy already exists, it is deleted and recreated
  • The file name is specified by the builder's Process name value
  • Executes the file from the copied path and terminates the current process

4. checkStartupFolder (option): Create a .lnk file in the Startup folder

  • Creates a .lnk file in the Startup folder that runs the current file
  • Generated .lnk file name: Process Name.url
  • Enabled by the builder's Add to start folder value

5. checkRegistryStartup (option): Uses the Run registry key to execute the malware each time a user logs on

  • Path: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Key: Microsoft Store
  • Value: [Current Path]

6. Overwrite files

  • Overwrites files only under specific paths on the C drive:
C:\Users\[Username]\Desktop
C:\Users\[Username]\Links
C:\Users\[Username]\Contacts
C:\Users\[Username]\Desktop (duplicate entry)
C:\Users\[Username]\Documents
C:\Users\[Username]\Downloads
C:\Users\[Username]\Pictures
C:\Users\[Username]\Music
C:\Users\[Username]\OneDrive
C:\Users\[Username]\Saved Games
C:\Users\[Username]\Favorites
C:\Users\[Username]\Searches
C:\Users\[Username]\Videos
  • Overwrites all files on every drive other than the C drive
  • Target file extensions (102), including 2 duplicates (.mp3)
  • Overwrites the original data with random data; nothing is encrypted

— Generates random data one third the size of the entire file

— Then overwrites the file with <EncryptedKey>[random 31byte]<EncryptedKey>[random 2byte][base64(random data generated above)]

  • Encrypted file extension: random 4 bytes
  • Creates a ransom note in each folder

— Ransom note file name: read_it.txt

7. checkSpread (option): Copy the file to all currently mounted drives except the C drive

  • Copies the current file to the root path of each drive
  • The file name is specified by the builder's Usb and network spread value
  • However, we found no code that executes the copied file afterwards

8. Finally, the ransom note is created and opened

  • Creates the ransom note with the content specified in the builder
  • Ransom note file path: %appdata%\read_it.txt
  • The default ransom note content is stored in the builder and demands $1,500 to recover the files

V2 (Chaos Ransomware Builder v2)

1. checkSleep (option): Set execution delay time

  • Delays malicious behavior for the specified number of seconds only if the current path is not %appdata%
  • In other words, on the first run or when run from the Startup folder

2. checkAdminPrivilage (option): Execution with administrator privileges

  • Runs with administrator privileges only if the current path is not %appdata%
  • Keeps prompting to run as administrator until the UAC OK button is pressed
  • If the current path is not %appdata%, the file is copied there under the specified file name
  • The only difference from the existing checkCopyRoaming option is whether it runs with administrator privileges

3. Disrupt file recovery (options)

  • checkdeleteShadowCopies: delete all Volume Shadow Copies
vssadmin delete shadows /all /quiet & wmic shadowcopy delete
  • checkdeleteBackupCatalog: delete the backup catalog
wbadmin delete catalog -quiet
  • disableRecoveryMode: disable Windows recovery mode
bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
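The three recovery-disruption commands above, together with the Run key value that V1's checkRegistryStartup option writes, are the behaviours a responder can hunt for in endpoint telemetry. The following is an added example (our own, not code from the S2W post or from the Chaos builder) that tags Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) events carrying those commands or that Run value. The JSON log lines are constructed for the example; the field names follow Sysmon's, and the dropped-file name in the sample is a placeholder for whatever the builder's Process name value was set to.

```python
import json
import re

# Command-line patterns for the recovery-disruption commands listed in the V2
# analysis.  Two patterns may map to one tag so a chained "a & b" command line
# is reported once.
RECOVERY_DISRUPTION = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Run key path used by V1's checkRegistryStartup option, and the value name it writes.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
RUN_VALUE_NAME = "microsoft store"


def classify_event(event):
    """Return the alert tags that apply to one Sysmon-style event (empty list = nothing flagged)."""
    tags = []
    if event.get("EventID") == 1:  # process creation
        cmd = event.get("CommandLine", "")
        for tag, pattern in RECOVERY_DISRUPTION:
            if pattern.search(cmd) and tag not in tags:
                tags.append(tag)
    elif event.get("EventID") == 13:  # registry value set
        target = event.get("TargetObject", "")
        details = event.get("Details", "").lower()
        if RUN_KEY.search(target):
            value_name = target.rsplit("\\", 1)[-1].lower()
            # V1 registers "Microsoft Store" pointing at the copy it dropped under %appdata%
            if value_name == RUN_VALUE_NAME or "\\appdata\\roaming\\" in details:
                tags.append("run_key_persistence")
    return tags


def scan(log_lines):
    """Parse JSON event lines and return [(image, tags)] for every event that triggers."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        tags = classify_event(event)
        if tags:
            alerts.append((event.get("Image", "?"), tags))
    return alerts


# Constructed sample telemetry (not real victim data); paths and the dropped
# file name "builder_set_name.exe" are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                    "& bcdedit /set {default} recoveryenabled no"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe read_it.txt"},
    {"EventID": 13, "Image": r"C:\Users\victim\AppData\Roaming\builder_set_name.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Store",
     "Details": r"C:\Users\victim\AppData\Roaming\builder_set_name.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_LOG):
        print(f"{image}: {', '.join(tags)}")
```

The last sample event is a legitimate vendor Run entry and is not flagged: the rule keys on the specific value name the post reports and on a target under %appdata%\Roaming, not on every Run key write. The shadow-copy and bcdedit patterns are noisy on administrator hosts, so in practice they are scored together with the persistence tag rather than alerted on alone.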

4. Overwrite files

  • Still overwrites the original data with random data

— For files smaller than 1.09MB, generates random data half the size of the entire file

— For other files, generates random data one quarter the size of the entire file

  • Expanded target file extensions (+35)

5. Create a ransom note with the specified filename

— Specified by the builder's Dropped File Name value

V3 (Chaos Ransomware Builder v3)

1. The checkRegistryStartup option was removed

2. Encrypts or overwrites files

  • Files smaller than 1.09MB when AES encryption mode is selected ( [Filesize] < 1.09MB )

— Generates a secret key as a 20-byte random string drawn from a specific character table

— The salt is fixed to [1,2,3,4,5,6,7,8]

— Encrypts the file with AES-256 CBC using the secret key and salt

— Then overwrites the file with <EncryptedKey>[RSA encrypted(secret key)]<EncryptedKey>[base64(AES encrypted data)]

  • Files larger than 200MB are overwritten ( 200MB < [Filesize] )

— Generates random data of a size chosen randomly between 200MB and 300MB

— Overwrites the file with <EncryptedKey>[random 41byte]<EncryptedKey>[random 2byte][base64(random data generated above)]

  • All other files are not encrypted but simply overwritten with random data

— Generates random data one quarter the size of the entire file

— Overwrites the file with <EncryptedKey>[random 41byte]<EncryptedKey>[random 2byte][base64(random data generated above)]

  • Expanded target file extensions (+91)
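For a responder, the practical question after a Chaos incident is which files were actually AES-encrypted (recoverable if the operator's private key is ever obtained) and which were merely overwritten with random data (unrecoverable regardless). The two on-disk layouts quoted above, for V1 (a 31-byte random key placeholder) and for V3/V4 (a 41-byte placeholder, or an RSA-encrypted key on the AES path), differ in a way a script can check. The following is an added example of such a triage parser; it is our own code, not the post's or the builder's. It assumes the layout exactly as the post prints it, treats the key-segment lengths 31 and 41 as the random-filler signature, and treats a fully base64 payload after the second marker as the AES path (on the overwrite path the payload starts with 2 random bytes, so it is not valid base64 as a whole). The byte values for the "1.09MB" and "2.11MB" thresholds in expected_path are assumptions; the post gives only the rounded figures, the V4 figure coming from the V4 section. Sample files are constructed inline.

```python
import base64
import binascii
import os
import re

MARKER = b"<EncryptedKey>"
# Key-segment lengths the post reports for the random-overwrite path.
RANDOM_KEY_LENGTHS = {31: "V1 overwrite", 41: "V3/V4 overwrite"}
BASE64_RE = re.compile(rb"\A[A-Za-z0-9+/]*={0,2}\Z")
# Size limits below which the AES path is taken when the builder's AES mode is on.
# Exact byte values are assumed from the rounded "1.09MB"/"2.11MB" in the post.
AES_LIMIT = {"V3": 1_090_000, "V4": 2_110_000}


def split_layout(data):
    """Return (key_segment, payload) or None if the marker structure is absent."""
    if not data.startswith(MARKER):
        return None
    body = data[len(MARKER):]
    idx = body.find(MARKER)
    if idx < 0:
        return None
    return body[:idx], body[idx + len(MARKER):]


def is_base64(blob):
    """Strict base64 check: alphabet, padding, and length multiple of four."""
    if not blob or len(blob) % 4 != 0 or not BASE64_RE.match(blob):
        return False
    try:
        base64.b64decode(blob, validate=True)
        return True
    except binascii.Error:
        return False


def triage(data):
    """Classify one file's bytes as untouched, random-overwritten, or AES-encrypted."""
    parts = split_layout(data)
    if parts is None:
        return {"chaos_layout": False}
    key_seg, payload = parts
    result = {"chaos_layout": True, "key_segment_len": len(key_seg)}
    if len(key_seg) in RANDOM_KEY_LENGTHS:
        # Overwrite path: key segment is filler, payload = 2 random bytes + base64(random data).
        result["variant"] = RANDOM_KEY_LENGTHS[len(key_seg)]
        result["recoverable_with_private_key"] = False
        result["payload_is_base64"] = is_base64(payload[2:])
    elif is_base64(payload):
        # AES path: key segment is the RSA-wrapped secret key, payload = base64(AES ciphertext).
        result["variant"] = "V3/V4 AES (RSA-wrapped key)"
        result["recoverable_with_private_key"] = True
    else:
        result["variant"] = "unknown"
        result["recoverable_with_private_key"] = None
    return result


def expected_path(original_size, version="V3", aes_mode=True):
    """Which path the builder's logic takes for a file of a known original size."""
    if aes_mode and original_size < AES_LIMIT[version]:
        return "AES"
    return "overwrite"


def scan_directory(root):
    """Run triage over every file under root; returns {path: result}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = triage(fh.read(4096 + 2 * len(MARKER)) if False else fh.read())
    return results


# Constructed samples (not real victim files).  Deterministic filler is used for
# the key placeholders so the examples never collide with the marker bytes.
SAMPLE_V1 = MARKER + bytes(range(31)) + MARKER + b"\x00\xff" + base64.b64encode(b"random filler " * 4)
SAMPLE_V3_OVERWRITE = MARKER + bytes(range(41)) + MARKER + b"\x00\xff" + base64.b64encode(b"random filler " * 4)
SAMPLE_V3_AES = MARKER + b"K" * 128 + MARKER + base64.b64encode(b"aes ciphertext bytes" * 3)
SAMPLE_CLEAN = b"%PDF-1.4 ordinary document"

if __name__ == "__main__":
    for label, blob in [("v1", SAMPLE_V1), ("v3-overwrite", SAMPLE_V3_OVERWRITE),
                        ("v3-aes", SAMPLE_V3_AES), ("clean", SAMPLE_CLEAN)]:
        print(label, triage(blob))
```

The base64 heuristic is the weak point: about one overwrite-path file in sixteen will, by chance, start with two base64-alphabet bytes, and such a file is then only caught by its 31/41-byte key segment, which is why the key-segment length is checked first. Combined with expected_path over the original sizes recorded in a backup catalogue, this gives an inventory of which files a leaked or seized private key could ever restore.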

3. A decryptor can be created

  • A decryptor can be created when the Encrypt AES / RSA feature is selected in Advanced Options
  • A public key and a private key are created together in a folder with the name specified during creation

— Specified by the builder's Decrypter Name value

  • The public key is embedded into the ransomware when the public key selected button is pressed
  • The attacker can then decrypt the files using the generated privateKey.chaos

V4 (Chaos Ransomware Builder v4)

1. Added target paths on the C drive

%appdata%
C:\Users\Public\Public Documents
C:\Users\Public\Public Pictures
C:\Users\Public\Public Music
C:\Users\Public\Desktop

2. Encrypts and overwrites file data

  • Encrypts files smaller than 2.11MB when AES encryption mode is selected ( [Filesize] < 2.11MB )
  • Target file extensions are customizable

3. Changes the wallpaper to the specified image

  • Image file path: %temp%\[random 9byte].jpg

Based on Hidden Tear

Hidden Tear is the first ransomware released as open source, published in August 2015 by Utku Sen, a security researcher in Turkey. At the time, the researcher said the source code was released for educational purposes, but ransomware based on it continues to be created. Chaos Ransomware Builder is a GUI program that generates ransomware according to the selected options, and our analysis confirmed that the ransomware it generates is based on Hidden Tear.

V1 and Hidden Tear

The connection between the first released version, V1, and Hidden Tear is not that strong. However, the use of the same variable and function names and the same ransom note file name (differing only in letter case) gave us reason to suspect a link to Hidden Tear. We also found that the code structure for traversing directories to encrypt (or destroy) files is similar.

V3 and Hidden Tear

The Hidden Tear lineage of Chaos ransomware becomes clear from V3. V3 added a function that actually encrypts files using RSA and AES, and we confirmed that the key-generation code and the code performing the AES encryption are almost identical to those of Hidden Tear.

Tracking the developer on the dark web

We confirmed that the developer of the Chaos ransomware builder has been active on XSS and Dread, two popular dark web forums. Whenever a version was updated, the developer posted builder download links and usage videos on the forums and collected feedback from users. After the first upload of V1, that feedback was reflected in the next version.

XSS.is forum

On the XSS forum, he was active under the user name ryukRans. On June 9, 2021, the day he signed up, he immediately posted a thread asking for opinions on the ransomware he had created. No further activity has been observed since his last post on August 6, but since it took a month to update V3 to V4, a V5 may appear at some point. The developer communicated with XSS users in Russian.

  • 2021–06–09

The developer wrote a post saying he was developing ransomware and asking which features or opinions users would add, along with a link to the builder's GitHub. At this point he called it Ryuk Ransomware builder because, like Ryuk, his ransomware makes files unrecoverable and creates a ransom note in each folder (features that now appear in most ransomware). He later changed the thread title from "Ryuk .Net Ransomware Builder" to "Chaos Ransomware Builder".

  • 2021–06–15

About a week after the first upload, the name was changed from Ryuk to Chaos, as forum users had pointed out, and version 2 was released with some new features. The developer explained that the ability to request administrator privileges, delete backups, and disable Windows recovery mode had been added.

  • 2021–07–03

After the release of version 2, forum users kept asking how the files could be decrypted. Two weeks later, the developer said he had added a file encryption mode using AES/RSA and released version 3, which can create a decryption tool to recover files.

  • 2021–07–04

The day after the release of version 3, a video explaining how to use the decryption tool was posted.

  • 2021–07–26 ~ 07–28

After version 3 was released, users suggested adding features to change the desktop wallpaper and to edit the list of target file extensions. A forum user also reported that ESET antivirus software detected this ransomware and deleted it immediately.

  • 2021–08–04

About a month after version 3, the developer released version 4, the most recent version. Version 4 added the ability to change the desktop wallpaper and edit the target file extensions, as users had requested, and the size limit for encrypted files also increased from about 1MB to about 2MB.

Dread forum

We confirmed that the developer was active on the Dread forum before the XSS forum. His first post there said he was looking for a ransomware partner. Later, a post requesting feedback on builder V1 appeared on Dread a day earlier than on XSS. Unlike on XSS, on Dread he wrote in English and used bagli as his user name.

  • 2021–05–17

The first post on the Dread forum was an announcement recruiting partners. He said he was making ransomware and would give 50% of the profits to someone who took charge of distribution. The post was uploaded to three boards in the forum (programming, malware, and hacking).

  • 2021–05–19

Two days after the partner recruitment post, the developer posted a thread with a link to the dark web market Tor2door, saying he was currently selling ransomware called "bagli" that he had created.

  • 2021–06–08

About three weeks later, the developer shared the (V1) GitHub link on the Dread forum, a day earlier than on the XSS forum.

  • 2021–06–15

Version 2, however, was uploaded to the Dread forum on the same date as to XSS.

  • 2021–07–03, 2021–08–04

After that, both version 3 and version 4 were uploaded to XSS and Dread on the same dates.

Tor2door

Tor2door Market, launched in July 2020, is a dark web marketplace selling financial information, drugs and chemicals, jewelry and gold, and digital goods and software, and it supports Bitcoin and Monero. Checking the Tor2door link that the developer posted as a comment on the Dread forum, we confirmed that he was selling ransomware named "bagli", the same name he used as his user name on Dread, and that he joined the market in May of this year and has been active since.

  • Bagli ransomware

We assume that, before developing Chaos ransomware, the developer had already developed and sold ransomware called "bagli" (the same as his user name) for $15. It is very likely an early version that does not differ much from Chaos ransomware in functionality, because the "Product description" is almost the same. (He also mentioned Ryuk ransomware here.)

The developer advertised his ransomware by adding a PCrisk link, and a VirusTotal link for the "bagli" ransomware was also present. Analyzing the sample, we confirmed that it was written in C#, like Chaos ransomware, and that an obfuscator presumed to be Babel Obfuscator had been applied. We checked the decompiled code and confirmed that it tries to overwrite the specific C drive paths and all files on the other drives in the same way as the Chaos ransomware V1 analyzed above.

The differences from V1 are that it targets only 68 extensions, overwrites the whole file for files smaller than 1.09MB, and overwrites the first 1.09MB of files larger than that with random data. The extension of an overwritten file is changed to .bagli, and the ransom note is created with the file name oxu.txt. Bagli ransomware can be seen as V0 of Chaos ransomware, and it also confirms that obfuscated builds are deployed in the wild.

Since the same Hidden Tear traces were found in Bagli ransomware as in Chaos ransomware, we assume the developer built on Hidden Tear from the very beginning.

  • Chaos ransomware

Because of the nature of the market, it is not possible to confirm exactly when the product was listed, but since V3 is the version being sold, we assume it was uploaded around July. The entire source code is on sale for $80.

Tracking bitcoin transactions

We analyzed the money flow using a ransom note generated by the recent "bagli" ransomware and a bitcoin address assumed to be related to the developer. We confirmed that the developer did not use a bitcoin mixing service and ultimately transferred most of the amount (about 95%) to the Binance exchange.

About the developer of the Bagli and Chaos ransomware

AstraLocker appears to be run by a different operator

  • Email: ramilo2122@yandex.com
  • Email: cyberlock06@protonmail.com (BiggyLocker)
  • Email: biggylockerteam@yandex.com (BiggyLocker)
  • Email: AstraRansomware@protonmail.com (AstraLocker)
  • Username(Github): Hetropo
  • Username(XSS): ryukRans
  • Username(Dread): bagli
  • Username(Tor2door): bagli
  • BTC: bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg (Chaos, BiggyLocker, Gru, Apis, Desifrujmujpocitac2021)
  • BTC: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0 (Chaos, Apis)
  • BTC: bc1qnurh904jcnxm0amfg2cy3406k4ed2vd2x67s8p (Bagli)
  • BTC: 36zvYan9vtbWQFcKcidPKhcuAz6woMszE9 (BiggyLocker)
  • BTC: bc1qel4nlvycjftvvnw32e05mhhxfzy7hjqkjh82ez (AstraLocker)
  • Monero: 44wJKzwrzWY7dxLov4EjVia3wmwaj6ige6a8C6eHKXKtVy8PTU3SnCG6A6do3vL4Cu3kLUedKwjomDKe754QhshVJw52xFV
  • Monero: 47moe29QP2xF2myDYaaMCJHpLGsXLPw14aDK6F7pVSp7Nes4XDPMmNUgTeCPQi5arDUe4gP8h4w4pXCtX1gg7SpGAgh6qqS (AstraLocker)

Conclusion

  • Hidden Tear open-source ransomware is still being exploited by ransomware attackers to this day, and through continuous updates it can develop into a real threat.
  • The Chaos ransomware developer is not yet an expert in developing ransomware, but if he reinforces the ransomware's features while receiving advice from forum users who are proficient in cybercrime, it can become a more threatening
  • The builder the developer shared after the feature update may well be abused by other criminals in the future, and many variants have already been found.
  • Accordingly, it is necessary to monitor whether Chaos ransomware continues to be updated and to respond to the changes.

IoC

  • 68eddce0bad4515b40581f454e479a42fdd3b89e004fbba162acf339fbe46f09 (Bagli)
  • c3c186a46f9ef44f8f1aad2879058b982dd20cd53a92224f4591858f9274e2f4 (Bagli)
  • 114e3769d9cff47038ef22c3827dc28c5be3ca6b1aeeb2589ce87727bdd4b5bd (Pay us)
  • 5944bf580c5dd251e356aa4afca054be2834926e6e2e9c55031aadc5dd55bf1b (AstraLocker)
  • 7b2d5c54fa1dbf87d7de17bf0bf0aa61b81e178a41b04e14549fb9764604f54c (AstraLocker)

More detailed information can be found from our CTI Solution Xarvis.

S2W specializes in cybersecurity data analysis for cyber threat intelligence.