Full Report
Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.
Analysis Summary
# Threat Actor: Chaos (Ransomware-as-a-Service)
## Attribution & Identity
**Identification:** A relatively new Ransomware-as-a-Service (RaaS) group that emerged around February 2025.
**Aliases/Associations:** Talos assesses with moderate confidence that the group was formed by former members of the BlackSuit (Royal) gang, based on similarities in encryption methodology, ransom note structure, and toolset. **Crucially, this new group is explicitly stated to be unrelated to previous variants generated by the Chaos ransomware builder tool.** The shared name appears to be used deliberately to muddy attribution.
**Promotion:** Actively promoting their cross-platform ransomware in the dark web Russian-speaking forum RAMP (Ransom Anon Market Place).
## Activity Summary
Chaos is focused on "big-game hunting" and runs a double extortion operation. They use a data leak site to disclose information from victims who do not pay the ransom. They provide victims who pay with a decryptor, a detailed penetration test report, and assurance that stolen data will be deleted. Non-compliant victims face data disclosure and DDoS attacks against their internet-facing services, along with notification to competitors and clients.
## Tactics, Techniques & Procedures
- **Initial Access:** Achieved via low-effort spam flooding, escalating to voice-based social engineering (Vishing) to gain access (T1598.004). They also leveraged Valid Accounts (T1078).
- **Persistence/Execution:** Abuse of Remote Monitoring and Management (RMM) tools for persistent connection.
- **Collection/Exfiltration:** Use of legitimate file-sharing software for data exfiltration.
- **Impact/Encryption:** Utilizes multi-threaded rapid selective encryption, targeting local and network resources. Encryption marks files with the `.chaos` extension, and the ransom note is named `readme.chaos[.]txt`. They employ anti-analysis techniques.
- **Ransom Demands:** Initial ransom demand observed was $300K. The ransom note claims they were performing "security testing."
- **MITRE ATT&CK IDs mentioned:** T1078, T1598.004
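The two host-side artifacts the write-up names, files renamed to the `.chaos` extension and a ransom note called `readme.chaos.txt`, are enough for a simple detection heuristic over file-event logs. The following is an added example written for this page, not Talos or Cisco code; the tab-separated log format, the 10-second window and the 20-file threshold are assumptions, and the log lines are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Indicators taken from the write-up above (the note is written defanged there).
RANSOM_NOTE = "readme.chaos.txt"
ENCRYPTED_EXT = ".chaos"

def parse_event(line):
    """Parse one constructed log line: ISO timestamp, host, action, path (tab-separated)."""
    ts, host, action, path = line.rstrip("\n").split("\t", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "action": action, "path": path}

def detect_chaos_activity(lines, window=timedelta(seconds=10), threshold=20):
    """Return (host, alert_type, detail) tuples for two heuristics (window/threshold are assumptions):
    ransom_note: a file named readme.chaos.txt is written;
    encryption_burst: >= threshold files gain the .chaos extension on one host within `window`,
    which is what the rapid multi-threaded encryption described above looks like on disk."""
    alerts, recent, burst_fired = [], {}, set()
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_event(raw)
        name = ev["path"].rsplit("/", 1)[-1].lower()   # sample log uses POSIX paths
        if name == RANSOM_NOTE:
            alerts.append((ev["host"], "ransom_note", ev["path"]))
            continue
        if not name.endswith(ENCRYPTED_EXT):
            continue
        q = recent.setdefault(ev["host"], deque())      # sliding window per host
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:           # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in burst_fired:
            burst_fired.add(ev["host"])                 # alert once per host
            alerts.append((ev["host"], "encryption_burst", f"{len(q)} files in {window.seconds}s"))
    return alerts

def build_sample_log():
    """Constructed sample: 25 renames in ~1.2s plus a note drop on ws01; 3 slow renames on ws02."""
    base = datetime(2025, 7, 1, 9, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=50 * i)).isoformat()}\tws01\trename\t/srv/share/doc{i}.docx.chaos"
             for i in range(25)]
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()}\tws01\tcreate\t/srv/share/readme.chaos.txt")
    lines += [f"{(base + timedelta(minutes=5 * i)).isoformat()}\tws02\trename\t/home/u/file{i}.chaos"
              for i in range(3)]
    return lines

if __name__ == "__main__":
    for alert in detect_chaos_activity(build_sample_log()):
        print(alert)
```

The burst fires once for ws01 and the note drop is reported separately; ws02, with three renames spread over minutes, produces no alert.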
## Targeting
- **Sectors:** Opportunistic; impacts a wide variety of business verticals without specific focus.
- **Geography:** Predominantly the U.S., with fewer victims reported in the UK, New Zealand, and India (based on their data leak site).
- **Victims:** Explicitly **avoids collaboration with BRICS/CIS countries, hospitals, and government entities.**
## Tools & Infrastructure
- **Malware Families Used:** New Chaos Ransomware (compatible with Windows, ESXi, Linux, and NAS systems). Features include individual file encryption keys, rapid encryption speeds, and network resource scanning.
- **Infrastructure:**
  - **Support Email:** win88@thesecure[.]biz
  - **Affiliate Registration:** Provides an onion URL for affiliates.
  - **Victim Communication:** Uses a victim-specific onion URL provided in the ransom note for negotiation.
  - **Management Panel:** Provides a paid, refundable (post-first payment) automated panel for managing targets and communications.
## Implications
Chaos represents a significant emerging threat due to its multi-platform ransomware capabilities and established double-extortion model. The potential link to the BlackSuit/Royal threat actors suggests a potentially experienced operational team. Their deliberate use of the "Chaos" naming convention is a tactic designed to confuse defenders and complicate attribution.
## Mitigations
- Deploy defense mechanisms capable of detecting malicious network activity associated with this threat (e.g., Cisco Secure Network/Cloud Analytics).
- Utilize binary analysis tools (e.g., Cisco Secure Malware Analytics) to identify malicious payloads.
- Implement Zero Trust principles (e.g., Cisco Secure Access) for secure access, regardless of user location.
- Ensure robust secure internet gateway capabilities (e.g., Umbrella) to block known malicious domains/IPs.
- Deploy Multi-Factor Authentication (e.g., Cisco Duo) to mitigate credential compromise risks related to potential initial access via valid accounts.
- Update Snort rules (SIDs: 65125, 65126 for Snort2; 301273 for Snort3).
- Implement AV detection for Win.Ransomware.Chaos-10045485-0 (ClamAV).