Chaos Ransomware Strikes: New Wave of Cyberattacks

Summary
– A new ransomware group called Chaos is targeting various sectors, primarily in the US, UK, New Zealand, and India, using opportunistic attacks and double-extortion tactics.
– Chaos operates as a ransomware-as-a-service (RaaS) group, avoids BRICS/CIS countries, and promotes its cross-platform malware on dark web forums like RAMP.
– The group gains initial access via social engineering, combining email and voice phishing to trick victims into enabling remote access through tools like Microsoft Quick Assist.
– Chaos uses legitimate tools like AnyDesk and GoodSync for persistence and data exfiltration, while deleting logs and disabling security measures to evade detection.
– The group employs an unusual negotiation strategy, offering incentives such as a penetration test report in exchange for payment while threatening DDoS attacks and data leaks if its demands are refused.
A newly emerged ransomware group dubbed Chaos has unleashed a series of cyberattacks across multiple industries, demonstrating sophisticated tactics that set it apart from typical cybercriminal operations. Security researchers have identified this threat actor as particularly aggressive, employing double extortion techniques alongside psychological pressure to coerce victims into paying ransoms.
The group’s attacks have primarily targeted organizations in the United States, though incidents have also been reported in the UK, New Zealand, and India. Unlike many ransomware operations that specialize in specific sectors, Chaos appears to cast a wide net, pursuing opportunistic targets rather than focusing on particular industries.
What makes this group stand out is its unconventional negotiation approach. In one documented case, the attackers offered victims an added “reward” for compliance, including a penetration test report alongside the decryption key. Conversely, those refusing to pay faced escalated threats, data leaks, DDoS attacks, and even public shaming by notifying competitors and clients of the breach.
Chaos operates as a ransomware-as-a-service (RaaS) provider, actively recruiting affiliates on underground forums like RAMP, a Russian-language cybercriminal marketplace. The group claims independence from state-sponsored actors, explicitly avoiding targets in BRICS and CIS nations, including Russia, as well as hospitals and government entities.
Technical analysis reveals that Chaos’ malware is cross-platform, capable of encrypting files on Windows, Linux, ESXi, and NAS systems. The ransomware employs selective encryption to speed up the process, appending the “.chaos” extension to compromised files. Researchers suspect the group may have ties to former BlackSuit/Royal operatives due to similarities in encryption methods and ransom notes.
Initial access often begins with voice-based social engineering. Attackers flood targets with spam emails, prompting them to call a fake IT support line. Once engaged, victims are tricked into enabling Microsoft Quick Assist, granting the hackers remote control. From there, the group conducts reconnaissance, disables security tools, and uses legitimate software like AnyDesk and GoodSync to maintain persistence and exfiltrate data.
To evade detection, Chaos clears PowerShell logs and attempts to uninstall multi-factor authentication (MFA) solutions. The group’s reliance on blended threats, combining encryption, data theft, and DDoS coercion, makes it a particularly dangerous adversary in today’s threat landscape.
Security teams are advised to monitor for unusual remote access activity, enforce strict MFA policies, and educate employees on voice phishing risks. With Chaos rapidly gaining traction, organizations must remain vigilant against this evolving ransomware threat.
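As an added illustration of the monitoring advice above (example code written for this page, not from the article or its source), the routine below scans constructed process-creation events for the chain the article describes: a Microsoft Quick Assist session followed on the same host by AnyDesk or GoodSync, and commands that clear event logs. The pipe-separated log layout and the executable names `quickassist.exe`, `anydesk.exe` and `goodsync.exe` are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): timestamp|host|user|image|command line
SAMPLE_EVENTS = [
    "2024-06-01T09:02:11|WS-FIN-07|jdoe|QuickAssist.exe|QuickAssist.exe",
    "2024-06-01T09:18:40|WS-FIN-07|jdoe|AnyDesk.exe|AnyDesk.exe",
    "2024-06-01T09:31:05|WS-FIN-07|jdoe|powershell.exe|powershell.exe -c Clear-EventLog -LogName 'Windows PowerShell'",
    "2024-06-01T09:33:12|WS-FIN-07|jdoe|wevtutil.exe|wevtutil cl Microsoft-Windows-PowerShell/Operational",
    "2024-06-01T10:05:00|WS-FIN-07|jdoe|GoodSync.exe|GoodSync.exe",
    "2024-06-01T11:00:00|WS-HR-02|msmith|AnyDesk.exe|AnyDesk.exe",  # no Quick Assist first: not chained
]

REMOTE_ASSIST = {"quickassist.exe"}                 # assumed binary name for Quick Assist
FOLLOW_ON_TOOLS = {"anydesk.exe", "goodsync.exe"}   # assumed binary names for the tools named in the article
# Two common ways to wipe a Windows event log from the command line.
LOG_CLEAR = re.compile(r"(wevtutil(\.exe)?\s+cl\b|clear-eventlog)", re.I)
WINDOW = timedelta(hours=2)  # how long after a Quick Assist launch follow-on activity counts as chained


def parse(line):
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image.lower(), "cmd": cmd}


def detect(lines):
    """Return (host, rule, image) alerts in time order."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    last_assist = {}  # host -> timestamp of the most recent Quick Assist launch
    for e in events:
        if e["image"] in REMOTE_ASSIST:
            last_assist[e["host"]] = e["ts"]
            continue
        started = last_assist.get(e["host"])
        recent = started is not None and e["ts"] - started <= WINDOW
        # Remote-management or sync tool appearing shortly after a support session.
        if e["image"] in FOLLOW_ON_TOOLS and recent:
            alerts.append((e["host"], "remote-tool-after-quick-assist", e["image"]))
        # Log clearing is suspicious on its own; inside the window it is part of the chain.
        if LOG_CLEAR.search(e["cmd"]):
            alerts.append((e["host"], "event-log-clear:" + ("high" if recent else "medium"), e["image"]))
    return alerts


if __name__ == "__main__":
    for host, rule, image in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({image})")
```

The unchained AnyDesk launch on WS-HR-02 is deliberately not alerted, so the rule stays quiet on hosts where such tools are used legitimately.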
(Source: Info Security)