New strain Yashma gets included in the Chaos ransomware family

May 31, 2022

Security researchers have published details of the newest member of the Chaos ransomware family, dubbed Yashma. According to the joint analysis of an independent cybersecurity researcher and a threat intelligence team, Yashma is the latest output of the Chaos ransomware builder, which is now at version 6.0.

The builder's developers sell it to other threat groups, meaning anyone who buys it can produce their own strain. The researchers also assess that Yashma is the product of five earlier iterations in which its operators progressively improved its capabilities.

Chaos 4.0 extended the encryption routine by raising the maximum size of files it can encrypt, whereas the first three variants of Chaos behaved more like a destructive trojan (a wiper) than true ransomware.

The fourth version has also been repeatedly weaponised by a ransomware operation widely known as Onyx. This month, the operators of that strain have been updating their ransom notes and refining the list of file extensions they target.

The fifth version of Chaos, in turn, attempted to fix the biggest shortcoming of its predecessors: the inability to encrypt files larger than 2MB without corrupting them.


Yashma has been the most competent version of any strain released by the Chaos ransomware group.


Yashma, the newest addition to the Chaos family, introduces two further improvements: the ability to halt execution depending on the victim's location, and the ability to terminate processes associated with backup software and antivirus solutions before encryption begins.
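The second of those behaviours, killing backup and AV processes shortly before encryption, is something defenders can look for in endpoint telemetry. The following Python is an added detection sketch, not code from the article or from the researchers who analysed Yashma: it parses a few constructed process-termination events and flags any process that kills several watchlisted backup/AV/database processes inside a short window. The watchlist substrings, the log format and the sample lines are all assumptions made for the example; the article does not publish Yashma's actual target list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Substrings of process names commonly associated with backup, database and
# AV/EDR software. Assumed for this example; not taken from the article.
WATCHLIST = ("veeam", "backup", "sqlservr", "msmpeng", "mssense", "acronis", "vssvc")

# Constructed sample log (not real telemetry) in a simple pipe-separated shape:
#   timestamp | terminating process | terminated process
SAMPLE_LOG = """\
2022-05-31T10:00:01 | C:\\Users\\u\\AppData\\Local\\Temp\\update.exe | VeeamAgent.exe
2022-05-31T10:00:02 | C:\\Users\\u\\AppData\\Local\\Temp\\update.exe | sqlservr.exe
2022-05-31T10:00:02 | C:\\Users\\u\\AppData\\Local\\Temp\\update.exe | MsMpEng.exe
2022-05-31T10:00:03 | C:\\Users\\u\\AppData\\Local\\Temp\\update.exe | VSSVC.exe
2022-05-31T10:05:00 | C:\\Windows\\explorer.exe | notepad.exe
2022-05-31T11:30:00 | C:\\Windows\\System32\\services.exe | MsMpEng.exe
"""


def parse_log(text):
    """Turn the pipe-separated lines into (timestamp, killer, victim) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, killer, victim = (part.strip() for part in line.split("|"))
        events.append((datetime.fromisoformat(ts), killer, victim))
    return events


def is_protective_process(name):
    """True if the process name matches one of the watchlisted substrings."""
    lowered = name.lower()
    return any(tag in lowered for tag in WATCHLIST)


def find_kill_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return [(killer, sorted victims)] for every killer that terminated at
    least `threshold` distinct watchlisted processes within `window`.

    A single termination of a backup agent is routine (updates, service
    restarts); a burst of distinct ones from one unexpected parent is the
    pre-encryption pattern the article describes.
    """
    by_killer = defaultdict(list)
    for ts, killer, victim in sorted(events):
        if is_protective_process(victim):
            by_killer[killer].append((ts, victim))

    alerts = []
    for killer, hits in by_killer.items():
        best = set()
        start = 0
        # Sliding window over this killer's watchlisted terminations.
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            victims = {v for _, v in hits[start:end + 1]}
            if len(victims) > len(best):
                best = victims
        if len(best) >= threshold:
            alerts.append((killer, sorted(best)))
    return alerts


if __name__ == "__main__":
    for killer, victims in find_kill_bursts(parse_log(SAMPLE_LOG)):
        print(f"ALERT: {killer} terminated {len(victims)} protective processes: {victims}")
```

The lone termination of MsMpEng.exe by services.exe stays below the threshold, so only the unsigned-looking binary in a temp directory that killed four watchlisted processes within two seconds is reported. In a real deployment the same logic would run over Sysmon or EDR process-termination events, with the watchlist tuned to the backup and security products actually installed.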

Chaos began as a crude attempt by cybercriminals to build .NET ransomware, and its early versions in practice behaved as a wiper or file destroyer. With each subsequent release it gained additional functionality and has since evolved into full-fledged ransomware.

Chaos has also surfaced in connection with Russia's ongoing war against Ukraine. Researchers observed a recent sample whose post-encryption alert contained a link redirecting the victim to a website filled with pro-Russian messages, suggesting that at least some operators of the builder back the Russian side.
