Chaos ransomware v4


The chaos ransomware is fairly new, first appearing in June 2021 as a builder, offered on multiple darknet forums and marketplaces. It doesn’t appear to have been involved in any significant incidents yet, a few minecraft players don’t count. Unsurprisingly therefore, the sample has not had a single transaction to the wallet.

It isn’t very complicated, as likely a simple proof-of-concept ransomware. Simply a 32bit .NET executable, with the ransom wallpaper base64 encoded in and completely unobfuscated with names.



The execution process is as follows:

  • Make sure only copy running
  • If not running from the temp folder, wait 10 seconds (anti-virus evasion)
  • If not running as admin, copy itself to the roaming folder and run
  • Add itself to the startup folder
  • Delete itself, copy itself to the roaming folder and run
  • Look for directories to encrypt (drives other than C:\ and common user directories)
  • Recursively encrypt the files with the correct file extension and add a random file extension
    • 2.2mb are AES encrypted
    • Over 200mb are partly overwritten with random bytes
    • Inbetween are randomly overwritten
    • Write a ransom note read_it.txt to the directory
  • If running as admin
    • Delete backups
    • Disable recovery modes
    • Delete backup catalog (record of where backups are)
  • Spread to external drives by copying itself to drives which aren’t C:\
  • Drop the ransom message and open in notepad
  • Set the wallpaper
  • Change any bitcoin addresses in the clipboard


Sample: d9771a04128e50870a96bc7ac8605982205011b723810a04a3411a1ac7eba05d


  • surprise.exe
  • svchost.exe
  • read_it.txt

Ransom message:

First of all, sorry. It's just business. 

All your files have been encrypted. All your documents are unavailable. 

The encryption was done using a secret key designed by our company.

In order to decrypt your files you must buy an exclusive key from us.

Do not reset or shutdown - files may be damaged.
Do not rename or move encrypted files - they may be lost forever.
Do not try to delete readme files - files may be damaged.

Please send $150k in Bitcoin to the following wallet: bc1qp94vpfjgm6z7fvcsa43cymjpyytweqjju9u7dp

If you do not own Bitcoin yet, we suggest a quick Google search. 

After 24 hours the payment will double. After 48 hours files will be deleted. 

If you have a proposal within 2 hours you will get a discount, minimizing this tragic event so you can get back to work.

Please contact us via email:

File extensions infected:

.txt, .jar, .dat, .contact, .settings, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .mka, .mhtml, .oqy, .png, .csv, .py, .sql, .mdb, .php, .asp, .aspx, .html, .htm, .xml, .psd, .pdf, .xla, .cub, .dae, .indd, .cs, .mp3, .mp4, .dwg, .zip, .rar, .mov, .rtf, .bmp, .mkv, .avi, .apk, .lnk, .dib, .dic, .dif, .divx, .iso, .7zip, .ace, .arj, .bz2, .cab, .gzip, .lzh, .tar, .jpeg, .xz, .mpeg, .torrent, .mpg, .core, .pdb, .ico, .pas, .db, .wmv, .swf, .cer, .bak, .backup, .accdb, .bay, .p7c, .exif, .vss, .raw, .m4a, .wma, .flv, .sie, .sum, .ibank, .wallet, .css, .js, .rb, .crt, .xlsm, .xlsb, .7z, .cpp, .java, .jpe, .ini, .blob, .wps, .docm, .wav, .3gp, .webm, .m4v, .amv, .m4p, .svg, .ods, .bk, .vdi, .vmdk, .onepkg, .accde, .jsp, .json, .gif, .log, .gz, .config, .vb, .m1v, .sln, .pst, .obj, .xlam, .djvu, .inc, .cvs, .dbf, .tbi, .wpd, .dot, .dotx, .xltx, .pptm, .potx, .potm, .pot, .xlw, .xps, .xsd, .xsf, .xsl, .kmz, .accdr, .stm, .accdt, .ppam, .pps, .ppsm, .1cd, .3ds, .3fr, .3g2, .accda, .accdc, .accdw, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .arw, .ascx, .asm, .asmx, .avs, .bin, .cfm, .dbx, .dcm, .dcr, .pict, .rgbe, .dwt, .f4v, .exr, .kwm, .max, .mda, .mde, .mdf, .mdw, .mht, .mpv, .msg, .myi, .nef, .odc, .geo, .swift, .odm, .odp, .oft, .orf, .pfx, .p12, .pl, .pls, .safe, .tab, .vbs, .xlk, .xlm, .xlt, .xltm, .svgz, .slk, .tar.gz, .dmg, .ps, .psb, .tif, .rss, .key, .vob, .epsp, .dc3, .iff, .onepkg, .onetoc2, .opt, .p7b, .pam, .r3d