New Chaos Ransomware Emerges, Launches Wave of Attacks


A new ransomware operator called Chaos has launched a wave of intrusions impacting a wide range of sectors, Cisco Talos has reported.

Victims have been predominantly based in the US, with some in the UK, New Zealand and India, according to the actor’s data leak site.

Targeting appears to be opportunistic and does not focus on any specific verticals. However, Chaos is focused on “big-game hunting” and uses double-extortion tactics.

In one incident observed by Cisco, the group adopted a novel negotiation strategy, offering an extra ‘reward’ for making payment to the attackers, or additional ‘punishment’ for resisting demands, including the threat of a distributed denial-of-service (DDoS) attack.

“The Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions,” the researchers wrote in a blog dated July 24.

Group Declares Independence from Governments

The ransomware-as-a-service (RaaS) outfit, which emerged in February 2025, is actively promoting its cross-platform ransomware software on the dark web Russian-speaking cybercriminal forum Ransom Anon Market Place (RAMP) and is seeking collaboration with affiliates.

The group has explicitly stated that it avoids collaborating with BRICS/CIS countries (which include Russia), hospitals and government entities.

Chaos’ ransomware encryption is compatible with Windows, ESXi, Linux and NAS systems, with features such as individual file encryption keys, rapid encryption speeds and network resource scanning.

This new gang is not connected to the variants produced by the Chaos ransomware builder tool or its developers.

The researchers assessed with moderate confidence that Chaos is likely formed by former members of the BlackSuit/Royal gang. This assessment is based on similarities in the ransomware’s encryption methodology, ransom note structure and the toolset used in the attacks.

Use of Voice-Based Social Engineering

Chaos has been observed gaining initial access to victim networks through social engineering, involving a mix of email and voice phishing.

The attacker initially floods the target with spam emails, encouraging them to contact the threat actor via a telephone call.

When the victim reaches out, the threat actor impersonates an IT security representative who advises them to launch a built-in remote assistance tool on their Windows machine, specifically Microsoft Quick Assist, and instructs them to connect to the actor’s session.

Once access is gained, the attacker undertakes post-compromise discovery and reconnaissance, gathering information such as network configuration details and running processes.

A number of scripts and commands are then executed to prepare the environment for the download and execution of malicious files and to connect to a command and control (C2) server.

Legitimate remote monitoring and management (RMM) tools such as AnyDesk and ScreenConnect are used to establish persistence. The actor also uses the net[.]exe utility to reset the passwords of the enumerated domain user accounts in the victim network.

PowerShell event logs are deleted on the victim’s machine to evade security controls, and the attackers also attempt to uninstall security or multi-factor authentication (MFA) applications.

The actor has been observed using GoodSync, a legitimate and widely used file synchronization and backup software, to extract the data from the victim’s machine.

A command is used to filter the files that are exfiltrated, possibly to avoid large or sensitive files that may trigger detection.

The ransomware performs selective encryption on the targeted files on the victim machines by encrypting specific portions of the files, enhancing the speed of the encryption. It appends “.chaos” file extensions to the encrypted files on the victim machine.
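The intrusion chain described above (Quick Assist session, RMM tools for persistence, net.exe domain password resets, PowerShell log deletion, GoodSync for exfiltration, and the “.chaos” extension) gives a defender several host-level detection points. The following is an added example written for this page, not code from Cisco Talos or the article: a small rule set that runs over constructed telemetry records and scores each host by how many stages of the chain it exhibits. The record shape (`host`, `source`, plus `cmdline`, `event_id` or `path`), the binary names matched (AnyDesk, ScreenConnect, gsync.exe) and the use of Windows event IDs 1102/104 for log clearing are assumptions of the example, and the sample events are constructed, not observed data.

```python
"""Host-level detections for the Chaos intrusion chain reported by Talos.

Added example: the telemetry records below are constructed, and the record
shape and binary names are assumptions, not the article's or Talos's data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    severity: str   # low / medium / high / critical
    rule: str
    evidence: str


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Each rule maps to one stage of the chain so hosts can be scored on coverage.
RULE_STAGE = {
    "quick_assist_launch": "initial_access",
    "rmm_tool_execution": "persistence",
    "domain_account_enumeration": "discovery",
    "domain_password_reset_net_exe": "account_manipulation",
    "powershell_log_clear_command": "defense_evasion",
    "event_log_cleared": "defense_evasion",
    "goodsync_execution": "exfiltration",
    "chaos_extension_written": "impact",
}

# 'net user <name> <password> /domain' resets a domain account; a bare
# 'net user /domain' only enumerates, so it is a separate, lower-severity rule.
RE_NET_RESET = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?!/)\S+\s+(?!/)\S+\s+/domain\b", re.I)
RE_NET_ENUM = re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*\s/domain\b", re.I)
RE_LOG_CLEAR = re.compile(
    r'(?:wevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+"?Microsoft-Windows-PowerShell|Clear-EventLog)', re.I)
RE_QUICK_ASSIST = re.compile(r"\bquickassist\.exe\b", re.I)
RE_RMM = re.compile(r"\\(?:anydesk|screenconnect[^\\]*)\.exe\b", re.I)      # assumed binary names
RE_GOODSYNC = re.compile(r"\b(?:goodsync|gsync)[^\\]*\.exe\b", re.I)        # assumed binary names

# Constructed sample telemetry, in chronological order per host.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "source": "process", "cmdline": r"C:\Windows\System32\quickassist.exe"},
    {"host": "WS-FIN-07", "source": "process", "cmdline": r"C:\Windows\System32\ipconfig.exe /all"},
    {"host": "WS-FIN-07", "source": "process", "cmdline": r"C:\Users\Public\AnyDesk.exe"},
    {"host": "WS-FIN-07", "source": "process", "cmdline": "net user /domain"},
    {"host": "WS-FIN-07", "source": "process", "cmdline": "net user jdoe Sample-Pass-1 /domain"},
    {"host": "WS-FIN-07", "source": "process",
     "cmdline": 'wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"'},
    {"host": "WS-FIN-07", "source": "eventlog", "event_id": 104},   # System log: "log file was cleared"
    {"host": "WS-FIN-07", "source": "process", "cmdline": r"C:\Program Files\GoodSync\gsync.exe"},
    {"host": "FS-01", "source": "file", "path": r"\\FS-01\Finance\Q2-budget.xlsx.chaos"},
    {"host": "WS-HR-02", "source": "process", "cmdline": r"C:\Windows\System32\notepad.exe"},
    {"host": "WS-HR-02", "source": "process",
     "cmdline": r"C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]


def detect(events):
    """Apply the rules to a chronologically ordered event list; return alerts."""
    alerts = []
    quick_assist_hosts = set()   # RMM after a remote-assist session is escalated
    for ev in events:
        host, src = ev["host"], ev["source"]
        if src == "process":
            cmd = ev["cmdline"]
            if RE_QUICK_ASSIST.search(cmd):
                quick_assist_hosts.add(host)
                alerts.append(Alert(host, "low", "quick_assist_launch", cmd))
            elif RE_RMM.search(cmd):
                sev = "high" if host in quick_assist_hosts else "medium"
                alerts.append(Alert(host, sev, "rmm_tool_execution", cmd))
            elif RE_NET_RESET.search(cmd):
                alerts.append(Alert(host, "high", "domain_password_reset_net_exe", cmd))
            elif RE_NET_ENUM.search(cmd):
                alerts.append(Alert(host, "medium", "domain_account_enumeration", cmd))
            elif RE_LOG_CLEAR.search(cmd):
                alerts.append(Alert(host, "high", "powershell_log_clear_command", cmd))
            elif RE_GOODSYNC.search(cmd):
                alerts.append(Alert(host, "medium", "goodsync_execution", cmd))
        elif src == "eventlog" and ev["event_id"] in (1102, 104):
            alerts.append(Alert(host, "high", "event_log_cleared", f"event_id={ev['event_id']}"))
        elif src == "file" and ev["path"].lower().endswith(".chaos"):
            alerts.append(Alert(host, "critical", "chaos_extension_written", ev["path"]))
    return alerts


def host_risk(alerts):
    """Highest severity seen per host."""
    worst = {}
    for a in alerts:
        if SEVERITY_RANK[a.severity] > SEVERITY_RANK.get(worst.get(a.host, ""), 0):
            worst[a.host] = a.severity
    return worst


def hosts_with_chain(alerts, min_stages=3):
    """Hosts on which at least min_stages distinct chain stages were observed."""
    stages = {}
    for a in alerts:
        stages.setdefault(a.host, set()).add(RULE_STAGE[a.rule])
    return sorted(h for h, s in stages.items() if len(s) >= min_stages)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.host:10} {a.severity:8} {a.rule:32} {a.evidence}")
    print("host risk:", host_risk(found))
    print("chain hosts:", hosts_with_chain(found))
```

The per-host stage count is the useful part: a single RMM launch or a `net user /domain` on its own is noisy in most environments, but one host that shows a remote-assist session, an unapproved RMM tool, a domain password reset and a PowerShell log clear within a short window is a strong signal for this chain, while the `.chaos` rename on a file server is the late, high-confidence indicator that should already have been preceded by the earlier stages.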

Negotiation Strategy Using Extra Incentives

In a case observed by Cisco, the actor demanded a ransom of $300,000 through the victim communication channel.

If the victim paid the demand, the actor promised to provide a decryptor application for targeted environments, along with a detailed report of the penetration test conducted on the victim’s environment.

They also assured the victim that the stolen data would not be disclosed and would be permanently deleted, and that they would not conduct repeat attacks.

However, the threat actor made extra threats if the ransom demand was not paid. They threatened to disclose the stolen data and conduct a DDoS attack on all the victim’s internet-facing services. In addition, they threatened to spread news of the data breach to competitors and clients.

“The Chaos ransomware ransom note shares a similar theme and structure to Royal/BlackSuit, including a greeting, references to a security test, double extortion messaging, assurances of data confidentiality and an onion URL for contact,” the researchers added.


National Cyber Security