The term malware (a portmanteau of the words "malicious" and "software") is used to describe any harmful software intentionally designed to damage or destroy an electronic device.
Your computer has almost certainly had to fight off malware at some point---perhaps a virus, a trojan horse, or a worm---but have you ever encountered ransomware?
If you have, you know how dangerous it can be. If you haven't, well, you just might, because ransomware attacks are on the rise.
What Is Ransomware?
As the name suggests, ransomware describes an attack that locks data on a device and demands a ransom payment to unlock it.
There are countless strains of ransomware, but this type of malicious software mainly falls into two categories: encryption-based ransomware and scareware.
Regular, encryption-based ransomware works by locking the victim out of their files.
Scareware is more sophisticated and uses social engineering techniques, such as impersonating a legitimate entity (e.g. a government, an antivirus company) to trick the victim into paying a fine or purchasing unwanted software.
What Is Chaos Ransomware?
Since June 2021, Trend Micro researchers have been monitoring Chaos, an in-development ransomware builder that is being offered on underground hacker forums, where it is advertised as a new version of Ryuk, which the FBI once described as the most profitable ransomware in history.
Chaos does not seem to be as dangerous and effective as Ryuk, but that doesn't mean it won't be at some point. In fact, according to Trend Micro's Monte de Jesus and Don Ovid Ladores, it has undergone rapid evolution in recent months.
The 1.0 version, which was released on June 9, 2021 seemed more like a Trojan than ransomware, since it destroyed files instead of actually encrypting them.
The slightly more sophisticated version 2.0, which was released on June 17, had the ability to disable Windows recovery mode and advanced options for administrator privileges. Still, it overwrote the files instead of encrypting them, giving victims no incentive to pay the ransom.
Released on July 5, version 3.0 came with its own decrypter builder and had the ability to encrypt files under 1MB in size.
Version 4.0, which was released on August 5, increased the upper limit of files that can be encrypted to 2MB and gave the ransomware builder's users more options, such as the ability to change their victims' desktop wallpapers.
Every iteration would drop the following ransom note, with a Bitcoin wallet address at the bottom.
"All of your files have been encrypted. Your computer was infected with a ransomware virus. Your files have been encrypted and you won't be able to decrypt them without our help. What can I do to get my files back? You can buy our special decryption software, this software will allow you to recover all of your data and remove the ransomware from your computer. The price for the software is $1,500. Payment can be made in Bitcoin only."
Though "far from a finished product," Chaos could cause great damage "in the hands of a malicious actor who has access to malware distribution and deployment infrastructure," according to Trend Micro.
So, how would one go about removing Chaos or similar ransomware?
How to Remove Chaos Ransomware
Never trust cybercriminals: They have no incentive to unlock your files even if you pay the ransom.
If you want to remove ransomware yourself, here's how to do it.
Disconnect From the Internet
You need to isolate the infected device first, in order to prevent the ransomware from infecting other devices on your network.
If your PC is connected to the internet via Ethernet, unplug the Ethernet cable immediately.
If you're connected via a wireless network, you need to disable your Wi-Fi. There are several ways to do this.
The quickest solution would be to turn on Airplane mode, which you can do by navigating to Settings > Network & Internet.
Click on Airplane mode at the Network & Internet page, then use the toggle button at the top to turn Airplane mode on.
Unplug All External Storage Devices
Next, unplug all external storage devices (portable hard drives, flash drives, and such) to prevent the ransomware from infiltrating them, but don't just unplug them manually.
Navigate to This PC, right-click on each connected device, select Eject, and then unplug the devices manually.
You should also sign out of your cloud storage accounts (Microsoft OneDrive, Google Drive, Dropbox, Amazon Drive, etc.) to prevent the ransomware from corrupting or encrypting your cloud data.
Identify the Ransomware
Using a different device, access the internet and look for clues online. For example, you can type out the ransom message, search for crypto wallet addresses or emails the ransomware provided.
If nothing comes up, head over to ID Ransomware. Here you can enter any email addresses the ransomware gives you for contact. ID Ransomware will then identify the malware and provide additional details about it.
Running Decryption
Once you've identified the ransomware, you can try and decrypt your files. Visit the No More Ransom Project's website and click Decryption Tools in the upper right corner.
Enter the name of the identified ransomware in the search bar.
If there are available decryptors, this tool will provide you with a detailed guide on how to remove the ransomware that infiltrated your computer and unlock or recover the encrypted files.
Chaos has not been released into the wild yet, so, naturally, there are no decryptors. To illustrate how this site works, we'll type "Jigsaw" in the search bar.
Jigsaw is an encrypting ransomware malware created in 2016, so it's safe to assume it has infected thousands of computers.
As you can see below, the site offers several different decryptors and how-to guides.
If there are no available decryptors for the ransomware that infected your computer, your best bet is to contact an IT professional.
Backing Up Your Data Is Essential
In 2019, cybersecurity researchers predicted that the cost of global ransomware damages for 2021 would be around $20 Billion. We'll see if their predictions come true, but there have already been some massive ransomware attacks this year.
For example, In May, the meat-processing company JBS Foods paid a $11 million ransom after being attacked. That same month, the American oil pipeline system Colonial Pipeline paid $5 million in ransom after reportedly being attacked by the hacking group DarkSide.
No matter how careful you are, ransomware infections can happen, which is why it's best to take preventive measures on time. If you want to protect important data, back it up.
External storage devices are always an option. If that's not for you, you can always use a cloud service to store and back up your data.