Spectra Ransomware: Chaos Evolution with Double Extortion & System Evasion

In a newly published report, K7 Labs has uncovered a potent ransomware variant known as Spectra Ransomware, first observed in the wild in April 2025. This latest malware appears to be an evolution of the Chaos ransomware family, inheriting destructive traits from predecessors like Yashma and Blacksnake, while introducing enhanced obfuscation, system evasion, and double extortion capabilities.

Upon execution, Spectra immediately encrypts all user files on infected Windows systems, dropping a ransom note titled SPECTRARANSOMWARE.txt. Victims are given a 72-hour deadline to pay $5,000 in Bitcoin—or risk having their files permanently locked and data leaked online.

“The Ransomware note warns the victim with a double extortion, combination of data encryption along with data theft,” K7 Labs warns.

Adding psychological pressure, Spectra even changes the desktop wallpaper to reinforce its presence, using a module named SetWallpaper.

Like its predecessors, Spectra employs tactics to evade detection and avoid drawing attention from certain regions. Using a method called forbiddenCountry, it checks the victim’s keyboard input language and halts execution if it detects Azerbaijan or Turkey.

It also avoids re-infection and analysis using:

• Process detection to terminate if already running
• Registry modification for persistence
• Disabling Task Manager with disableTaskMgr
• Masquerading as svchost.exe in AppData\Roaming

Spectra takes aim at a wide range of backup and antivirus software to maximize data loss and disable recovery. Using a stopBackupServices method, it shuts down services from:

• Veeam, Acronis, Veritas
• Symantec/Norton, TeamViewer, PDVFS, and others

This tactic echoes the strategy used by more sophisticated ransomware families, ensuring victims cannot restore their data without the decryption key.

Spectra selectively targets and encrypts files using a hybrid AES-RSA approach, excluding core system folders to avoid crashing the OS and triggering alerts.

• Standard files: Encrypted with AES and appended with a random 4-letter extension
• Large files (>1.79GB): Filled with question marks ? using AES_Encrypt_Large
• Files named SPECTRARANSOMWARE.txt are explicitly skipped to preserve the ransom message

The ransomware uses a method encryptDirectory to recursively process folders and encrypt files in parallel. Once encryption is complete, the malware drops a ransom note in each encrypted directory and opens it automatically using AddAndOpenNote.

The encryption key itself is generated using CreatePassword, which forms a strong alphanumeric seed, then encrypted via the hardcoded RSA public key. The AES key used for file encryption is appended to each file after RSA encryption, ensuring that manual decryption is practically impossible.

Spectra targets an extensive list of over 200 file types, including:

• Documents: .doc, .xlsx, .pdf, .pptx
• Archives: .zip, .rar, .7z
• Code and configuration: .java, .cpp, .json, .sql, .xml, .ini
• Media: .jpg, .png, .avi, .mkv, .mp4
• Backups and DBs: .bak, .vmdk, .mdf, .accdb, .pst, .dbx

Spectra Ransomware is not just another clone. It combines technical finesse, stealth, and aggressive disruption into a ransomware variant that’s clearly designed to maximize financial gain and operational impact. Its use of evolving code, country-specific exclusion, and service-targeted suppression demonstrates increasing maturity in ransomware development.

“With the increasing risk of malware attacks, it’s important to take steps to protect your data,” the report concludes.

Related Posts:

• Hackers launched SSH brute-force attacks on Linux systems to deploy Chaos backdoors
• Cloudflare Introduces New Spectrum Security Service
• Cybercriminals Seize Chaos Amidst CrowdStrike Outage, Deploying Deceptive Domains
• Clickfix Meets macOS: AMOS Variant Targets Spectrum Users in Credential Harvesting Campaign