Chaos Ransomware

Cisco Talos researchers on 24 July 2025 detailed Chaos, a newer Ransomware-as-a-Service (RaaS) group that specializes in big-game hunting (targeting large, well-resourced organizations) and double extortion attacks (meaning it both encrypts victim files and steals data for potential leaking).  According to Cisco Talos, the group emerged in early February 2025 and appears to be made up of former BlackSuit ransomware gang members "based on similarities in the ransomware's encryption methodology, ransom note structure, and the toolset used in the attacks."   If that is true, the group's methods go back a few years further, as BlackSuit is a fairly prolific gang that appeared in 2023.  It spun off of Royal ransomware, which itself was suspected to have been made up of former Conti members.[1]

See:  https://redskyalliance.org/automotive/blacksuit-inside-auto-dealerships

This reflects the ever-shifting state of the ransomware landscape.  Gang members can be affiliated with multiple groups, and when one group gets its infrastructure taken down, another rebranded version with new servers and Dark Web leak sites takes its place.  BlackSuit could well go in that direction, as the gang's Dark Web domains were seized by law enforcement recently. Its leak sites now display a notice, stating US Homeland Security has seized the site as part of an international multi-agency investigation known as "Operation Checkmate."  Logos for Ukrainian, German, and UK law enforcement were also visible in the notice.  Chaos, at least as of this writing, has not suffered similar disruption.  Its data leak site remains online.

Chaos ransomware, according to Cisco Talos researchers, has impacted a wide range of victims predominantly based in the US, followed by the UK, New Zealand, and India.  The group actively promotes its ransomware to potential affiliates on the Russian-language cybercrime forum RAMP and advertises it as cross-platform.  "They emphasize that the new Chaos ransomware software is compatible with Windows, ESXi, Linux and NAS systems, with features such as individual file encryption keys, rapid encryption speeds and network resource scanning, all with a strong emphasis on high-speed encryption and robust security measures," Cisco Talos blog authors Anna Bennett, James Nutland, and Chetan Raghuprasad wrote.  "Additionally, the group provides an automated panel for managing targets and communications, which requires a paid entry fee that is refundable upon the first case of payment."

The researchers noted that the gang's Dark Web forum posts state that it does not work with BRICS member nations or CIS [Commonwealth of Independent States] countries, and that it will not target hospitals or government entities.  Once the group breaches a victim environment, it encrypts files, appending a ".chaos" extension to each one, and drops a ransom note that presents Chaos as a kind of penetration testing firm.  In exchange for an extortion payment (which Chaos calls a "peaceful resolution"), the group promises to delete stolen data and provide a detailed security report.  If no payment is made, Chaos threatens to delete the victim's decryptor, launch DDoS attacks against the victim, and call competitors and clients to inform them of the breach.  In one example Cisco Talos provided, the initial ransom demand was $300,000.

The blog post described a typical attack path.  A Chaos actor socially engineers a user into installing or accepting a remote access tool, then launches multiple discovery commands, executes malicious code, connects to a command-and-control server, uses remote monitoring and management (RMM) tools to maintain persistence, and harvests credentials for privilege escalation and lateral movement.  Once the Chaos actor has achieved the level of access they want, they exfiltrate victim data and then encrypt files across the environment.

Chaos ransomware includes multiple methods to evade detection and analysis, such as "multi-threaded rapid selective encryption" (encrypting only part of each file, on several threads at once, so that the damage is done before defenders can react) and anti-analysis techniques that detect debuggers, sandboxes, and virtual machine environments.  Although elements of Chaos' tactics, techniques, and procedures stand out, it is important to note that in a typical attack the gang gains initial access through social engineering techniques like phishing and vishing, not through a novel exploit.
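The file-system side effect described above (many files gaining a ".chaos" extension in a short burst, driven by one process on one host) is something a defender can hunt for directly, even if the encryptor itself slips past endpoint anti-analysis checks.  The script below is an added example written for this page; it is not from the Red Sky Alliance article or from Cisco Talos.  It runs a sliding-window burst detector over constructed file-event telemetry in a hypothetical EDR JSON-lines layout (the field names ts, host, process, op and path are assumptions), and reports the host, the process doing the renaming, the number of files hit, and how many directories were touched, which is what an incident responder needs to isolate the host and kill the process.

```python
"""
Added example (not from the article or Cisco Talos): hunt for a burst of
files renamed or created with the ".chaos" extension on one host by one process.

Telemetry schema (hypothetical): one JSON object per line with
  ts (ISO-8601 UTC), host, process, op ("rename"/"create"/"write"), path.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SUSPECT_EXT = ".chaos"          # extension Chaos appends to encrypted files
WINDOW = timedelta(seconds=60)  # burst window; selective encryption is fast
THRESHOLD = 10                  # renames per (host, process) inside WINDOW; tune per environment


def _event(ts, host, proc, path, op="rename"):
    return json.dumps({"ts": ts, "host": host, "process": proc, "op": op, "path": path})


# Constructed sample telemetry. FS01/update.exe is the encryption burst to catch;
# the other lines are benign noise or events outside the window.
_dirs = ["Finance", "HR"]
_burst = [
    _event("2025-07-24T02:14:%02dZ" % i, "FS01", "update.exe",
           "D:\\Shares\\%s\\doc%d.docx.chaos" % (_dirs[i % 2], i))
    for i in range(1, 13)
]
_noise = [
    _event("2025-07-24T02:14:05Z", "FS01", "svchost.exe", "C:\\Windows\\Temp\\x.log", op="write"),
    _event("2025-07-24T02:20:00Z", "WS07", "explorer.exe", "C:\\Users\\bob\\notes.txt.chaos"),
    _event("2025-07-24T03:00:00Z", "FS01", "update.exe", "D:\\Shares\\Legal\\late.pdf.chaos"),
]
SAMPLE_LOG = "\n".join(_burst + _noise)


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def find_encryption_bursts(events, ext=SUSPECT_EXT, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (host, process) whose densest window of
    rename/create events on '*<ext>' paths reaches the threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] in ("rename", "create") and e["path"].lower().endswith(ext):
            by_actor[(e["host"], e["process"])].append(e)

    alerts = []
    for (host, proc), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):             # two-pointer sliding window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (start, count, end)
        if best is None:
            continue
        s, n, e = best
        hit = evs[s:e + 1]
        dirs = {h["path"].rsplit("\\", 1)[0] for h in hit}
        alerts.append({
            "host": host, "process": proc, "count": n,
            "first_seen": hit[0]["ts"].isoformat(),
            "last_seen": hit[-1]["ts"].isoformat(),
            "directories": len(dirs),
            "sample_paths": [h["path"] for h in hit[:3]],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_encryption_bursts(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Run against the constructed sample, the script flags only FS01/update.exe (12 files across 2 share directories in about ten seconds); the single ".chaos" file on WS07 and the lone late rename on FS01 fall below the threshold.  Because Chaos encrypts selectively and quickly, keep the window short and the threshold low, and pair this with the RMM and remote-access-tool telemetry from the attack path above, since by the time the renames appear the data has usually already been exfiltrated.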

General security hygiene best practices are your friends.  If you get a call from someone claiming to be from IT asking for sensitive information connected to things like multifactor authentication (MFA) codes or a VPN, verify the request through a different channel (ideally in person, or by calling back on a number you already have).  If you get a suspicious email, or any email asking you to log in, check the actual sending address, not just the display name.  And as always, be careful when granting remote access: an unexpected request to install or approve a remote access tool is exactly how this group gets in.  Phishing-resistant authentication, such as FIDO2 security keys, may also be worth considering depending on the organization.

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.darkreading.com/cyberattacks-data-breaches/chaos-ransomware-rises-blacksuit-falls
