Cisco Talos Incident Response (Talos IR) has identified a new ransomware-as-a-service (RaaS) operation known as Chaos, which is actively conducting big-game hunting and double extortion campaigns across the globe. Though Chaos shares a name with previous malware families, Talos makes it clear:
“Talos believes the new Chaos ransomware is unrelated to previous Chaos builder-generated variants… the group uses the same name to create confusion.”
Behind the facade of a new brand lies a sophisticated threat actor potentially composed of former BlackSuit (Royal) ransomware affiliates. According to Talos:
“Talos assesses with moderate confidence that the new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks.”
Chaos attacks start deceptively simple—with spam floods prompting a vishing (voice phishing) tactic. Victims receive seemingly urgent emails encouraging them to call an impersonated IT support number. Once on the call, threat actors convince targets to initiate Microsoft Quick Assist, enabling remote desktop access.

Once inside, the attackers waste no time installing remote monitoring and management (RMM) tools like AnyDesk, ScreenConnect, OptiTune, Syncro RMM, and Splashtop to establish persistent access.
After gaining a foothold, Chaos operators initiate comprehensive network reconnaissance using tools and commands such as ipconfig, nltest, and tasklist.exe to identify users, network shares, and trust relationships.
Credential harvesting includes Kerberoasting via ldapsearch, and password resets through net.exe. Registry modifications hide user accounts from login screens, all while disabling multi-factor authentication applications using wmic.
Chaos ransomware is deployed through a multi-threaded, hybrid encryption system leveraging Elliptic Curve Diffie-Hellman (ECDH) and AES-256, optimized for both speed and stealth. A single command like the one below can cripple an entire network:
The ransomware appends the .chaos extension and drops a note named readme.chaos.txt.
“The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery.”
Chaos exhibits advanced evasion capabilities, including:
- Environment checks to detect debuggers, sandboxes, and virtual machines
- Obfuscation of strings and XOR-encrypted configuration and ransom notes
- Selective targeting to avoid encrypting system-critical files or directories
“All these detection evasion techniques are implemented… ensuring the malware immediately terminates execution upon detecting any analysis environment.”
The attackers use GoodSync, a legitimate backup tool, to steal data and upload it to actor-controlled cloud storage. Exfiltration is cleverly masked by a renamed binary (wininit.exe) and filters out large or uncommon file types to evade detection.
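The reconnaissance, RMM and exfiltration stages described above leave process-creation telemetry a defender can hunt over. The following is an added example, not code from Talos or the original post: it applies three hunting rules (a wininit.exe copy running outside System32, an RMM client launch, and a burst of the named recon tools from one host) to constructed sample events in an assumed Sysmon-like JSON schema; the RMM binary names are assumptions.

```python
"""Hunt for the Chaos intrusion pattern over process-creation events.
Sample events below are constructed; the field names (Computer, Image) are
an assumed Sysmon-like schema, not taken from the Talos report."""
import json
from collections import defaultdict

# Legitimate wininit.exe lives only in System32; a copy elsewhere is a
# masquerade candidate (the report notes GoodSync renamed to wininit.exe).
SYSTEM_DIRS = ("c:\\windows\\system32\\",)
# Assumed executable names for the RMM tools named in the report.
RMM_TOOLS = {"anydesk", "screenconnect.clientservice", "optitune",
             "syncro", "splashtop"}
# Recon / credential tooling named in the report.
RECON_TOOLS = {"ipconfig", "nltest", "tasklist", "net", "wmic", "ldapsearch"}
RECON_THRESHOLD = 3  # distinct recon tools seen from one host

def hunt(events):
    """Return a list of (rule, host, detail) findings over parsed events."""
    findings = []
    recon_by_host = defaultdict(set)
    for ev in events:
        image = ev["Image"].lower()
        stem = image.rsplit("\\", 1)[-1].removesuffix(".exe")
        host = ev["Computer"]
        if stem == "wininit" and not image.startswith(SYSTEM_DIRS):
            findings.append(("masquerade_wininit", host, ev["Image"]))
        if stem in RMM_TOOLS:
            findings.append(("rmm_tool", host, stem))
        if stem in RECON_TOOLS:
            recon_by_host[host].add(stem)
    for host, tools in recon_by_host.items():
        if len(tools) >= RECON_THRESHOLD:
            findings.append(("recon_burst", host, ",".join(sorted(tools))))
    return findings

# Constructed sample log (one JSON event per line), not real telemetry.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\wininit.exe"},
    {"Computer": "WS01", "Image": "C:\\Users\\Public\\wininit.exe"},
    {"Computer": "WS01", "Image": "C:\\Users\\bob\\Downloads\\AnyDesk.exe"},
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\ipconfig.exe"},
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\nltest.exe"},
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\net.exe"},
    {"Computer": "WS02", "Image": "C:\\Windows\\System32\\ipconfig.exe"},
])

def hunt_log(text):
    """Parse a newline-delimited JSON log and run the hunting rules."""
    return hunt(json.loads(l) for l in text.splitlines() if l.strip())

if __name__ == "__main__":
    for finding in hunt_log(SAMPLE_LOG):
        print(finding)
```

The legitimate System32 wininit.exe and the single ipconfig on WS02 produce no findings, which is the point of the path check and the per-host threshold.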
Victims are then hit with a ransom demand of $300K, communicated via a Tor-based contact portal. Chaos threatens to:
- Leak sensitive data on a public data leak site
- Launch DDoS attacks on internet-facing systems
- Alert clients and competitors of the breach
The ransom note follows a structured, manipulative script, claiming the attack was a “security test” and promising file restoration and data deletion upon payment.
“If the victim fails to pay the ransom, the actor threatens to disclose their stolen data and conduct a distributed denial-of-service (DDoS) attack…”
Talos notes a resemblance between Chaos and former BlackSuit operations:
| Feature | Chaos | BlackSuit (Royal) |
|---|---|---|
| Encryption key flag | /lkey | -id |
| Partial encryption | /encrypt_step | -ep |
| VM termination | /kill_vms | -stopvm |
| Ransom note format | “Security test” tone | Same structure & theme |
These parallels, combined with shared TTPs and RMM usage, strongly suggest operational continuity.
Chaos targets a wide array of sectors across:
- United States
- United Kingdom
- New Zealand
- India
The group operates opportunistically, with no specific industry focus.