Chaos Ransomware Upgrades With Aggressive New C++ Variant
Summary
FortiGuard Labs has documented a new, more aggressive Chaos ransomware variant rewritten in C++ (Chaos-C++). The variant introduces faster, more destructive behaviours: a hybrid encryption approach, targeted deletion of very large files, and a clipboard-hijacking feature that swaps copied Bitcoin addresses for an attacker-controlled wallet. It also includes anti-analysis timing delays and refined file-selection logic to speed attacks and reduce detection risk.
Key Points
- Chaos has been rewritten in C++ — the first non-.NET build identified for this family.
- File handling is size-based: files <50MB are fully encrypted; 50MB–1.3GB are skipped; >1.3GB are deleted, causing irreversible data loss for archives, databases and backups.
- Introduces clipboard hijacking to replace valid Bitcoin addresses with a hardcoded Bech32 wallet via the Windows Clipboard API (SetClipboardData()).
- Implements a 15-second delay after execution to evade sandbox analysis and reduce detection chances.
- Behaviours shift Chaos closer to a wiper in some cases, which could undermine double-extortion incentives and increase destructive impact.
- FortiGuard/Fortinet already have AV signatures (e.g. W64/Filecoder.XM!tr.ransom) and published IoCs defenders can use to detect the variant.
- Defence priorities: update AV signatures, monitor for unusual clipboard API activity, enforce offline/immutable backups, segment networks and apply rapid incident response playbooks.
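As an added illustration (not code from the FortiGuard report), the short Python triage below applies the reported size thresholds to a file inventory so a defender can see which data would be destroyed outright rather than encrypted. Binary units (1 MB = 1024²) and the handling of files exactly on a boundary are assumptions; the sample inventory is constructed.

```python
import os
from collections import Counter
from typing import Dict, Iterable, Tuple

# Reported Chaos-C++ behaviour: < 50 MB encrypted, 50 MB-1.3 GB skipped, > 1.3 GB deleted.
# Binary units and exact-boundary handling (boundary values treated as "skip") are assumptions.
MB = 1024 ** 2
GB = 1024 ** 3
ENCRYPT_BELOW = 50 * MB
DELETE_ABOVE = int(1.3 * GB)

def classify(size_bytes: int) -> str:
    """Return the action the variant is reported to take on a file of this size."""
    if size_bytes < ENCRYPT_BELOW:
        return "encrypt"
    if size_bytes > DELETE_ABOVE:
        return "delete"
    return "skip"

def assess(files: Iterable[Tuple[str, int]]) -> Dict[str, object]:
    """Summarise exposure: files per action, and bytes that no decryptor could recover."""
    counts: Counter = Counter()
    bytes_lost = 0
    deleted = []
    for path, size in files:
        action = classify(size)
        counts[action] += 1
        if action == "delete":
            bytes_lost += size
            deleted.append(path)
    return {"counts": dict(counts), "bytes_unrecoverable": bytes_lost, "deleted": deleted}

def walk_sizes(root: str) -> Iterable[Tuple[str, int]]:
    """Yield (path, size) for every regular file under root, for assessing a real share."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p):
                yield p, os.path.getsize(p)

# Constructed sample inventory (not real data): a typical mix on a backup share.
SAMPLE_FILES = [
    ("docs/report.docx", 2 * MB),
    ("db/crm.bak", 900 * MB),
    ("backups/full-2024.vhdx", 40 * GB),
    ("archives/mail.pst", 3 * GB),
    ("media/intro.mp4", 1200 * MB),
]

if __name__ == "__main__":
    print(assess(SAMPLE_FILES))
```

Run it against a real backup root with `assess(walk_sizes(r"D:\backups"))` to list the files that would be unrecoverable and check that each has an offline or immutable copy.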
Author’s take
Punchy: this isn’t a small tweak — Chaos-C++ is a step-change. Faster execution, selective deletion and wallet hijacking make it nastier and more efficient. Security teams should treat this as a high-priority risk to endpoints, backup integrity and crypto-handling processes.
Why should I read this?
Because if you look after endpoints, backups or payments, this one matters. It deletes big files instead of encrypting them and quietly swaps Bitcoin addresses — so your backups and any crypto transfers could be toast. Read it to know what to watch for and stop the worst before it hits your org.
