FortiGuard Labs reports a Chaos ransomware variant that appears to side with Russia, delivering destructive payloads and offering no decryption option. The malware encrypts small files with AES-256 (RSA-wrapped keys) and fills larger files with random data, while displaying political propaganda.
Keypoints
- FortiGuard Labs identifies a Chaos ransomware variant with pro-Russian messaging and no intended decryption tool, suggesting a destruction-focused motive.
- The variant is described as using a GUI-based builder to customize the malware, implying accessibility for creation of destructive samples.
- Files smaller than 2,117,152 bytes are encrypted with AES-256 (CBC-SALTED) and RSA-encrypted keys, while larger files are filled with random data to prevent recovery.
- Encrypted files receive a .fuckazov extension, and the malware targets Windows systems by scanning common user directories on the C: drive.
- The threat displays a propaganda message (stop_propaganda.txt) with anti-Ukraine content and links to Russian-hosted pages, including references to Ukrainian soldiers on a related site.
- Shadow copies are deleted, undermining recovery efforts, and the sample appears to have been compiled around May 16, 2022; Fortinet provides protections and user-awareness resources.
MITRE Techniques
- [T1005] Data from Local System – The malware enumerates the files on all drives. Quote: (‘Once the malware runs, it enumerates the files on all drives.’)
- [T1552.001] Credentials in Files – Each encrypted file contains an RSA encrypted password with a hardcoded public key + base64 encoded AES encrypted file content. Quote: (‘Each encrypted file contains an RSA encrypted password with a hardcoded public key + base64 encoded AES encrypted file content.’)
- [T1070.004] File Deletion – Inhibits recovery via deletion of shadow copies from the compromised machine. Quote: (‘deletion of shadow copies from the compromised machine, which inhibits file recovery’)
- [T1082] System Information Discovery – System information-related discovery is implied by the malware’s drive/file enumeration behavior. Quote: (‘System Information Discovery’)
- [T1059] Command-Line Interface – The activity aligns with execution interfaces; the malware is configurable via a GUI-based builder. Quote: (‘A GUI-based Chaos ransomware builder is known to be available that can easily customize the malware according to a set of options.’)
- [T1490] Inhibit System Recovery – The attacker has no intention of providing a decryption tool, and shadow copy deletion further prevents recovery. Quote: (‘the attacker has no intention of providing a decryption tool. Combining that with the deletion of shadow copies from the compromised machine, which inhibits file recovery.’)
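As an added example (not code from the FortiGuard Labs report or from the Chaos builder), the following Python triage helper turns the file-size split in the keypoints (AES-encrypted below 2,117,152 bytes, random fill at or above it) and the per-file layout quoted under T1552.001 (RSA-wrapped password plus base64 AES content) into an incident-response check that sorts suspected victim files into "overwritten, nothing can recover it", "encrypted, recoverable only with the attacker's RSA private key", and "does not match the reported format". The strict whole-file base64 test, the 64 KiB entropy sample, the verdict names, and the constructed inputs are this example's own assumptions; the summary does not give the exact on-disk delimiters, so the base64 check should be adjusted against a real sample before relying on it.

```python
import base64
import binascii
import math
import os

# Figures taken from the report: files below this many bytes are AES-encrypted
# with an RSA-wrapped key; files at or above it are filled with random data.
SIZE_THRESHOLD = 2_117_152
# Extension the report says encrypted files receive.
VARIANT_EXTENSION = ".fuckazov"
# Entropy is measured over a prefix so multi-megabyte files triage quickly
# (assumption of this example, not a detail from the report).
ENTROPY_SAMPLE = 64 * 1024

# Triage verdicts (names chosen for this example).
OVERWRITTEN = "overwritten-random-unrecoverable"
KEY_WRAPPED = "encrypted-needs-attacker-rsa-key"
NOT_MATCHING = "does-not-match-reported-format"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; os.urandom output sits just under 8.0."""
    if not data:
        return 0.0
    n = len(data)
    ent = 0.0
    for b in range(256):
        c = data.count(b)
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent


def is_base64_text(data: bytes) -> bool:
    """True if the file (whitespace removed) is strictly valid base64 text, the
    form the report gives for small-file ciphertext (assumed whole-file here)."""
    compact = b"".join(data.split())
    if not compact or len(compact) % 4:
        return False
    try:
        base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def triage(data: bytes) -> str:
    """Classify a suspected victim file by content, following the size split the
    report describes. Size is the primary signal; entropy/base64 confirm it."""
    sample = data[:ENTROPY_SAMPLE]
    if len(data) >= SIZE_THRESHOLD:
        # Large file: the report says it is filled with random data. Near-8.0
        # entropy with no base64 structure means no key can bring it back.
        if shannon_entropy(sample) > 7.5 and not is_base64_text(sample):
            return OVERWRITTEN
        return NOT_MATCHING
    # Small file: ciphertext stored as base64 text. Its AES key is RSA-wrapped,
    # so recovery hinges on a private key the report says will not be supplied.
    if is_base64_text(data):
        return KEY_WRAPPED
    return NOT_MATCHING


def has_variant_extension(path: str) -> bool:
    """Filename signal reported for this variant; the content check confirms it."""
    return path.lower().endswith(VARIANT_EXTENSION)


def triage_tree(root: str) -> dict:
    """Walk a directory and tally verdicts. The report says the malware scans
    common user directories on C:, so point this at those paths during IR."""
    tally = {OVERWRITTEN: 0, KEY_WRAPPED: 0, NOT_MATCHING: 0}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not has_variant_extension(name):
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                tally[triage(fh.read())] += 1
    return tally


def constructed_samples() -> dict:
    """Constructed inputs for the demo (not real ransomware output): random
    bytes stand in for both the RSA-wrapped key and the AES ciphertext."""
    fake_wrapped_key = os.urandom(256)       # size of one 2048-bit RSA block
    fake_ciphertext = os.urandom(4096)
    small_victim = base64.b64encode(fake_wrapped_key + fake_ciphertext)
    large_victim = os.urandom(SIZE_THRESHOLD + 1024)
    untouched = b"quarterly report\nrevenue up 4%\n" * 50
    return {"small": small_victim, "large": large_victim, "plain": untouched}


if __name__ == "__main__":
    for label, blob in constructed_samples().items():
        print(f"{label:5s} {len(blob):>8d} bytes -> {triage(blob)}")
```

The practical point for responders: everything at or above the threshold is gone regardless of any key, so backup restoration should be prioritised there, while files in the key-wrapped bucket are only theoretically recoverable. A short file made entirely of base64 alphabet characters will also pass the strict check, so treat the small-file verdict as a prompt for manual confirmation rather than proof.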
Indicators of Compromise
- [File Hash] Malware sample – 954d8fcd6b74d76999f9ec033ca855ffdab6595be23039f03bc4c6017fa3932c, and 2 more hashes – identified in Fortinet’s CHAOS ransomware analysis
- [File Name] MSIL/Filecoder.AGP!tr.ransom – Fortinet detection name corresponding to the sample
- [Domain] t.me/[removed] – Link embedded in the shown propaganda content
- [Domain] [removed].ru – Russian web page referenced in the propaganda messaging
Read more: https://www.fortinet.com/blog/threat-research/chaos-ransomware-variant-sides-with-russia