{"id":1568,"date":"2025-07-25T12:51:41","date_gmt":"2025-07-25T12:51:41","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/07\/25\/new-chaos-ransomware-emerges-launches-wave-of-attacks\/"},"modified":"2025-07-25T12:51:41","modified_gmt":"2025-07-25T12:51:41","slug":"new-chaos-ransomware-emerges-launches-wave-of-attacks","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/07\/25\/new-chaos-ransomware-emerges-launches-wave-of-attacks\/","title":{"rendered":"New Chaos Ransomware Emerges, Launches Wave of Attacks"},"content":{"rendered":"<div id=\"layout-a8fa27f4-4c74-4004-a03f-513ab77588ce\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A new ransomware operator called Chaos has launched a wave of intrusions impacting a wide range of sectors, Cisco Talos has reported.<\/p>\n<p>Victims have been predominantly based in the US, with some in the UK, New Zealand and India, according to the actor\u2019s data leak site.<\/p>\n<p>Targeting appears to be opportunistic and does not focus on any specific verticals. 
However, Chaos is focused on \u201cbig-game hunting\u201d and uses double-extortion tactics.<\/p>\n<p>In one incident observed by Cisco, the group adopted a novel negotiation strategy, offering an extra \u2018reward\u2019 for making payment to the attackers, or additional \u2018punishment\u2019 for resisting demands, including the threat of a distributed denial-of-service (DDoS) attack.<\/p>\n<p>\u201cThe Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions,\u201d the researchers wrote in a blog dated July 24.<\/p>\n<h2><strong>Group Declares Independence from Governments<\/strong><\/h2>\n<p>The ransomware-as-a-service (RaaS) outfit, which emerged in February 2025, is actively promoting its cross-platform ransomware software on the Russian-speaking dark web cybercriminal forum Ransom Anon Market Place (RAMP) and is seeking collaboration with affiliates.<\/p>\n<p>The group has explicitly stated that it avoids collaborating with BRICS\/CIS countries (which include Russia), as well as hospitals and government entities.<\/p>\n<p>Chaos\u2019 ransomware encryption is compatible with Windows, ESXi, Linux and NAS systems, with features such as individual file encryption keys, rapid encryption speeds and network resource scanning.<\/p>\n<p>This new gang is not connected to the variants produced by the Chaos ransomware builder tool or its developers.<\/p>\n<p>The researchers assessed with moderate confidence that Chaos was likely formed by former members of the BlackSuit\/Royal gang. 
This assessment is based on similarities in the ransomware\u2019s encryption methodology, ransom note structure and the toolset used in the attacks.<\/p>\n<h2><strong>Use of Voice-Based Social Engineering<\/strong><\/h2>\n<p>Chaos has been observed gaining initial access to victim networks through social engineering, involving a mix of email and voice phishing.<\/p>\n<p>The attacker initially floods the target with spam emails, encouraging them to contact the threat actor via a telephone call.<\/p>\n<p>When the victim reaches out, the threat actor impersonates an IT security representative who advises them to launch a built-in remote assistance tool on their Windows machine, specifically Microsoft Quick Assist, and instructs them to connect to the actor\u2019s session.<\/p>\n<p>Once access is gained, the attacker undertakes post-compromise discovery and reconnaissance, such as gathering network configuration details and listing running processes.<\/p>\n<p>A number of scripts and commands are then executed to prepare the environment for the download and execution of malicious files and to connect to a command and control (C2) server.<\/p>\n<p>Legitimate remote monitoring and management (RMM) tools such as AnyDesk and ScreenConnect are used to establish persistence. 
The actor also uses the net[.]exe utility to reset the passwords of the enumerated domain user accounts in the victim network.<\/p>\n<p>PowerShell event logs are deleted on the victim\u2019s machine to evade security controls, and the attackers also attempt to uninstall security or multi-factor authentication (MFA) applications.<\/p>\n<p>The actor has been observed using GoodSync, a legitimate and widely used file synchronization and backup tool, to extract the data from the victim\u2019s machine.<\/p>\n<p>A command is used to filter the files that are exfiltrated, possibly to avoid large or sensitive files that may trigger detection.<\/p>\n<p>The ransomware performs selective encryption on the targeted files on the victim machines by encrypting specific portions of the files, enhancing the speed of the encryption. It appends \u201c.chaos\u201d file extensions to the encrypted files on the victim machine.<\/p>\n<h2><strong>Negotiation Strategy Using Extra Incentives<\/strong><\/h2>\n<p>In a case observed by Cisco, the actor demanded a ransom of $300,000 through the victim communication channel.<\/p>\n<p>If the victim paid the demand, the actor promised to provide a decryptor application for targeted environments, along with a detailed report of the penetration test conducted on the victim\u2019s environment.<\/p>\n<p>They also assured the victim that the stolen data would not be disclosed and would be permanently deleted, and that they would not conduct repeated attacks.<\/p>\n<p>However, the threat actor made additional threats if the ransom demand was not paid. They threatened to disclose the stolen data and conduct a DDoS attack on all the victim\u2019s internet-facing services. 
In addition, they threatened to spread news of the data breach to competitors and clients.<\/p>\n<p>\u201cThe Chaos ransomware ransom note shares a similar theme and structure to Royal\/BlackSuit, including a greeting, references to a security test, double extortion messaging, assurances of data confidentiality and an onion URL for contact,\u201d the researchers added.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new ransomware operator called Chaos has launched a wave of intrusions impacting a wide range of sectors, Cisco Talos has reported. Victims have been predominantly based in the US, with some in the UK, New Zealand and India, according to the actor\u2019s data leak site. Targeting appears to be opportunistic and does not focus on<\/p>\n","protected":false},"author":2,"featured_media":1569,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1568","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac5
7322a.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/07\/1568-44ec067c-7877-496e-aa49-6fbeac57322a-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1568","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=1568"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/1568\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/1569"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=1568"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=1568"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=1568"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}