
New Chaos Ransomware Builder Variant "Yashma" Discovered in the Wild

May 29, 2022

Chaos is a customizable ransomware builder that emerged in underground forums, falsely marketing itself as the .NET version of Ryuk despite sharing no overlaps with its notorious counterpart.
The fact that it's offered for sale also means that any malicious actor can purchase the builder and develop their own ransomware strains, turning it into a potent threat.
It has since undergone five successive iterations aimed at improving its functionalities: version 2.0, version 3.0, version 4.0, and version 5.0.
While the first three variants of Chaos functioned more like a destructive trojan than traditional ransomware, Chaos 4.0 added further refinements, raising the upper size limit of files that can be encrypted to 2.1MB.

Version 4.0 has also been actively weaponized by a ransomware collective known as Onyx, which makes use of an updated ransom note and a refined list of file extensions that can be targeted.
Yashma is the latest version to join this list, featuring two new improvements: the ability to stop execution based on a victim's location and the ability to terminate various processes associated with antivirus and backup software.
The development comes as a Chaos ransomware variant has been spotted siding with Russia in its ongoing war against Ukraine, with the post-encryption activity leading to an alert containing a link that directs to a website with pro-Russian messages.