Yashma Ransomware Evolves from Chaos


A new variant belonging to the Chaos ransomware family has been examined by researchers with security company Blackberry.

The new variant is called Yashma and is a slight upgrade over the capabilities and feature list of the latest iteration of Chaos ransomware in its 5.0 version.

Chaos 5.0 boasted several new abilities, including being able to encrypt files that are not on the system drive, disable the Windows Task Manager and finally delete itself.

Yashma, the newest iteration and upgrade of what is essentially the same ransomware toolkit, has been upgraded with several new features. Yashma can self-obfuscate, relying on an obfuscation tool compiled using .NET and called Confuser 1.9.0. To make file restoration and recovery more problematic, Yashma can also kill the victim's backup services.

Finally, Yashma has also received a termination protocol that shuts the ransomware down in specific territories, likely to avoid targets in its country of origin, according to Blackberry.

The first samples of Yashma were observed in May 2022. The Chaos ransomware it is based on was in turn using Ryuk as a stepping stone, initially advertised as a .NET-based version of Ryuk.

May 25, 2022