
Recent Outbreak of Chaos Ransomware Triggers Series of Cyberattacks

Chaos group, presumably composed of ex-BlackSuit members, unleashed a series of attacks, aiming industries across multiple sectors according to Cisco Talos' alert.

Unprecedented Ransomware Disrupts System Security, Initiates Series of Malicious Assaults

In the ever-evolving world of cyber threats, a new player has emerged – a ransomware operator known as Chaos. Active since February 2025, Chaos has been causing concern among security experts due to its sophisticated tactics and global reach.

The group is primarily targeting organisations in the United States, with victims also reported in the UK, New Zealand, India, and other regions. To gain initial access to victim networks, Chaos employs social engineering techniques, including a mix of email and voice phishing. Once inside, the operators uninstall security applications and multi-factor authentication tools; the ransomware itself offers individual file encryption keys, rapid encryption speeds, and network resource scanning.

Chaos' ransomware encryption is compatible with a wide range of systems, including Windows, ESXi, Linux, and NAS systems. Once the encryption process is complete, the ransomware appends ".chaos" file extensions to the targeted files.

In observed cases, the actor demands a ransom of $300,000, threatening to disclose stolen data, conduct a DDoS attack, and spread news of the data breach if the demand is not met. The ransom note shares a similar theme and structure to Royal/BlackSuit, including references to a security test, double extortion messaging, assurances of data confidentiality, and an onion URL for contact.

To extract data from the victim's machine, Chaos uses legitimate file synchronization and backup software, such as GoodSync. Legitimate Remote Monitoring and Management (RMM) tools like AnyDesk and ScreenConnect are also used to establish persistence.

Interestingly, Chaos avoids collaborating with BRICS/CIS countries (including Russia), hospitals, and government entities. The group is, however, seeking collaboration with affiliates.

The ransomware performs selective encryption on targeted files, skipping large or sensitive files that may trigger detection. The net[.]exe utility is used to reset passwords of domain user accounts in the victim network and to discover network configuration details and running processes.
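As an added example (not code from the Talos report or this article), the following Python flags two of the behaviours described above in constructed, simplified event records: net.exe/net1.exe domain account password resets, and a burst of files carrying the .chaos extension on a single host. The event format, host names, accounts and paths are all invented for illustration.

```python
import re
from collections import Counter

# Matches "net user <account> <password-or-*> ... /domain" but not the read-only
# "net user <account> /domain" query: the second positional argument must not be a switch.
NET_USER_RESET = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+(?P<account>[^\s/]+)\s+(?P<pw>[^\s/]\S*)[^\n]*?/domain\b",
    re.IGNORECASE,
)

# Constructed events as (kind, host, detail); the format is invented for this example.
SAMPLE_EVENTS = [
    ("process", "WS01", r"C:\Windows\System32\net.exe user jdoe /domain"),           # query only
    ("process", "WS01", r"net user jdoe Summ3r!2025 /domain"),                      # domain reset
    ("process", "WS02", r"C:\Windows\System32\net1.exe user svc_backup * /domain"),  # prompted reset
    ("process", "WS02", r"net user localadmin Pa55word"),                            # local account only
    ("file", "FS01", r"D:\shares\finance\q2.xlsx.chaos"),
    ("file", "FS01", r"D:\shares\finance\budget.docx.chaos"),
    ("file", "FS01", r"D:\shares\hr\payroll.csv.chaos"),
    ("file", "WS03", r"C:\Users\jdoe\notes.txt.chaos"),
]


def find_domain_password_resets(events):
    """Return (host, account) for each command line that resets a domain account password."""
    hits = []
    for kind, host, detail in events:
        if kind != "process":
            continue
        match = NET_USER_RESET.search(detail)
        if match:
            hits.append((host, match.group("account")))
    return hits


def hosts_with_chaos_extension(events, threshold=3):
    """Return hosts where at least `threshold` file events carry the .chaos extension."""
    per_host = Counter(
        host for kind, host, detail in events
        if kind == "file" and detail.lower().endswith(".chaos")
    )
    return sorted(host for host, count in per_host.items() if count >= threshold)


if __name__ == "__main__":
    for host, account in find_domain_password_resets(SAMPLE_EVENTS):
        print(f"{host}: domain password reset for {account}")
    for host in hosts_with_chaos_extension(SAMPLE_EVENTS):
        print(f"{host}: burst of .chaos files")
```

The threshold and the single-host count are deliberately simple; in a real pipeline the .chaos check would be keyed on a time window rather than a flat count.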

Researchers assess with moderate confidence that Chaos was likely formed by former members of the BlackSuit/Royal gang. The group is also suspected to have been founded by a person or group associated with the Chaos Computer Club (implied by the name and related hacker communities), and it was already active before the current wave of intrusions. Specific founder identities, however, are not detailed in the available reporting.

Chaos is promoting its ransomware on the Russian-speaking dark web cybercriminal forum Ransom Anon Market Place (RAMP). As the digital battlefield continues to evolve, it's crucial for organisations to stay vigilant and bolster their cybersecurity defences against threats like Chaos.
