Yashma Ransomware, Tracing the Chaos Family Tree

Keypoints

  • Chaos began as a .NET-based builder (Ryuk .NET Builder v1.0) and evolved into Chaos v6.0, later branded as “Yashma.”
  • Onyx ransomware, weaponized in April 2022, was built from Chaos v4.0 and showed a 98% match to Chaos v4.0 in tests.
  • Chaos/Yashma progression added encryption capabilities (AES-256) and progressively more sophisticated features across versions (wallpaper change, extended extension lists, and better encryption compatibility).
  • Yashma adds defensive evasion and disruption features, including location-based execution restrictions and stopping various services (AV, vault, backup, storage, RDP).
  • Onyx maintains a leak-site presence and a customized ransom approach, including a Tor-based Onyx News portal for victim communication and data exposure.
  • A set of IOCs (including ones that change across versions) and YARA rules are provided to detect Chaos/Onyx/Yashma artifacts and builder activity.
  • Victims span multiple sectors (Emergency Services, Medical, Finance, Building, Agriculture) with U.S. targets reported in recent campaigns.

MITRE Techniques

  • [T1566] Spearphishing – “An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Ukraine conflict.”
  • [T1021] Lateral Movement – “Propagate the malware over network connections.”
  • [T1486] Data Encrypted for Impact – “AES-256 to encrypt files” (the Chaos v3.0/v4.0 encryption processes are described as encrypting files with AES-256.)
  • [T1490] Inhibit System Recovery – “Delete shadow copies” and related recovery-disrupting actions such as “Disable Windows recovery mode” and removal of backup data.
  • [T1547.001] Registry Run Keys/Startup Folder – “Add RegKey to the following location: SOFTWARE\Microsoft\Windows\CurrentVersion\Run; Key: Microsoft Store; Value: %Current Path/Location%”
  • [T1023] Shortcut Modification – “Create a .LNK file in the victim’s Startup folder.”
  • [T1562.001] Impair Defenses – “Stop various services on the victim device” (e.g., AV, backup, vault, storage, RDP-related services) and “Disable the Windows task manager.”
  • [T1489] Service Stop – “Stop various services on the victim device” (explicitly listed in the Chaos/Yashma context).

Indicators of Compromise

  • [File Extension] Appended extension pattern – .[a-z][A-Z]{4} (default) – used by Chaos/Onyx/Yashma variants
  • [Registry Key] Run Keys/Startup Folder – RegKey Add: SOFTWARE\Microsoft\Windows\CurrentVersion\Run – Value: Microsoft Store / Path
  • [Mutex] 1qw0ll8p9m8uezhqhyd – observed in operation
  • [Dropped File] svchost.exe – dropped under %AppData%\Roaming
  • [File Hash] 0d8b4a07e91e02335f600332644e8f0e504f75ab19899a58b2c85ecb0887c738 (Chaos v1/v2 samples) and f41962f51583d08ed7ca796b125f2300e03035b8790590e8e2d036f53bd9be79 (Ransomware v1 samples)
  • [Ransom Note] read_it.txt dropped in affected folders
  • [Data Marker] Encryption key written at the beginning of encrypted files (decrypted by the new decryptor in v3/v4+ variants)
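As an added example (not code from the BlackBerry post or from this summary), the following Python triage script checks host evidence against the indicators listed above: the appended-extension pattern, the Run-key persistence entry named "Microsoft Store", the mutex, the dropped svchost.exe under %AppData%\Roaming, the read_it.txt ransom note and the two SHA-256 hashes. The sample file paths, registry entries and mutex names are constructed, and the function names are assumptions; only the indicator values come from the page.

```python
import re

# Indicators as listed on this page (Chaos/Onyx/Yashma). Everything else
# in this script is constructed sample data or an assumed helper name.
EXT_PATTERN = re.compile(r"\.[a-z][A-Z]{4}$")          # default appended extension
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft Store"
MUTEX = "1qw0ll8p9m8uezhqhyd"
RANSOM_NOTE = "read_it.txt"
DROPPED_FILE = re.compile(r"\\AppData\\Roaming\\svchost\.exe$", re.IGNORECASE)
KNOWN_HASHES = {
    "0d8b4a07e91e02335f600332644e8f0e504f75ab19899a58b2c85ecb0887c738": "Chaos v1/v2",
    "f41962f51583d08ed7ca796b125f2300e03035b8790590e8e2d036f53bd9be79": "Ransomware v1",
}


def check_files(paths):
    """Return (indicator, path) pairs for paths that match a file-based IoC."""
    hits = []
    for p in paths:
        name = p.rsplit("\\", 1)[-1]
        if name.lower() == RANSOM_NOTE:
            hits.append(("ransom_note", p))
        elif DROPPED_FILE.search(p):
            hits.append(("dropped_svchost", p))
        elif EXT_PATTERN.search(name):
            hits.append(("encrypted_extension", p))
    return hits


def check_registry(entries):
    """entries: iterable of (key, value_name, data). Flags the Run-key entry."""
    hits = []
    for key, name, data in entries:
        if key.lower().endswith(RUN_KEY.lower()) and name == RUN_VALUE_NAME:
            hits.append(("run_key_persistence", f"{key}\\{name} = {data}"))
    return hits


def check_mutexes(names):
    return [("mutex", m) for m in names if m == MUTEX]


def check_hashes(sha256s):
    # Hashes are compared case-insensitively; tools emit either case.
    return [("known_hash:" + KNOWN_HASHES[h], h)
            for h in (s.lower() for s in sha256s) if h in KNOWN_HASHES]


def triage(evidence):
    """evidence: dict with optional keys files, registry, mutexes, hashes."""
    hits = []
    hits += check_files(evidence.get("files", []))
    hits += check_registry(evidence.get("registry", []))
    hits += check_mutexes(evidence.get("mutexes", []))
    hits += check_hashes(evidence.get("hashes", []))
    return hits


# Constructed sample evidence (not from a real host); benign entries are mixed in.
SAMPLE_EVIDENCE = {
    "files": [
        r"C:\Users\alice\Documents\budget.xlsx.qWRTK",
        r"C:\Users\alice\Documents\read_it.txt",
        r"C:\Users\alice\AppData\Roaming\svchost.exe",
        r"C:\Windows\System32\svchost.exe",          # legitimate, must not fire
        r"C:\Users\alice\Documents\notes.txt",
    ],
    "registry": [
        (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft Store",
         r"C:\Users\alice\AppData\Roaming\svchost.exe"),
        (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
         r"C:\Program Files\OneDrive\OneDrive.exe"),
    ],
    "mutexes": ["1qw0ll8p9m8uezhqhyd", "Local\\SomeBenignMutex"],
    "hashes": ["0D8B4A07E91E02335F600332644E8F0E504F75AB19899A58B2C85ECB0887C738"],
}

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVIDENCE):
        print(f"{kind:24} {detail}")
```

The extension check is deliberately last in `check_files` so that the ransom note and the dropped binary are reported under their own labels; a real deployment would feed it a directory listing and a registry export rather than the inline sample.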

Read more: https://blogs.blackberry.com/en/2022/05/yashma-ransomware-tracing-the-chaos-family-tree