Yashma Ransomware Detection: the Latest Chaos Builder Variant

Chaos graphical user interface (GUI) builder has been on the market for less than a year, allowing adversaries to craft new ransomware strains. A new ransomware variant dubbed Yashma is its 6th version, available from May 2022. Yashma is the most refined version of this GUI ransomware builder that is known for its flexibility and continuous advancement observed within every iteration.

Detect Yashma Ransomware

To detect the suspicious activity associated with the Yashma ransomware, the SOC Prime’s Detection as Code platform’s new and existing users can download a dedicated Sigma rule created by our Threat Bounty developer, Onur Atali:

Suspicious Yashma Ransomware Persistence by Adding of Run Key to Registry (via registry_event)

The View Detections button will take you to the repository of detection content associated with the attacks, leveraging other variants of Chaos ransomware. Adepts at cybersecurity are more than welcome to join the Threat Bounty program to publish SOC content on the industry-leading platform and get rewarded for their valuable input.

View Detections Join Threat Bounty

Yashma Ransomware Analysis

The BlackBerry Research & Intelligence Team released a thorough analysis of the Chaos ransomware line. Chaos is a GUI-based builder for ransomware that has been on the dark market since last Summer. Originally, this ransomware builder was released under the name Ryuk .NET Builder, advertised as a .NET version of Ryuk, later rebranding and resurfacing its 2nd version under a new moniker, Chaos, with 11 months separating the original and the last variant. According to the current intelligence, Chaos is known to support Russia in the ongoing country’s military and cyber aggression against Ukraine.

Different variants of Chaos have been spotted massively used in the wild, with multiple operators behind the attacks. Adversaries mainly target entities in medical, agriculture, financial, building industries, and emergency services providers located in the U.S.

The first released Chaos variant acted more as a trojan than ransomware. With each new release, Chaos operators re-equipped their product to perform as classical ransomware, encrypting the victim’s files, leaving a ransomware note, and demanding the payment in Bitcoins. The Yashma version gained new functionality that allows it to kill different services on a compromised device, such as antivirus and backup software.

Security breaches are now the top issue affecting all users and organizations. In this environment, it is only wise to fetch the opportunity to take your defense & detection routine up a notch. To augment your proactive and retrospective threat hunting, visit the SOC Prime platform.