Chaos Ransomware: A New Threat Actor Launches Sophisticated Global Attacks

A newly emerged ransomware group, known as Chaos, has initiated a series of widespread cyberattacks affecting organizations across multiple sectors. According to researchers at Cisco Talos, the campaign primarily targets victims in the United States, with additional reports in the United Kingdom, New Zealand, and India.

Although Chaos doesn’t seem to focus on any specific industry, its opportunistic approach is aligned with “big-game hunting,” using double-extortion tactics to pressure victims. This includes both the encryption of critical files and threats of data leaks.

In one notable case analyzed by Cisco, the group implemented an unusual negotiation strategy: victims were promised a bonus incentive if they complied quickly and faced additional consequences if they resisted, including the threat of a distributed denial-of-service (DDoS) attack.

“Chaos is a fresh and dangerous player in the ransomware landscape,” Talos researchers noted in their July 24 blog post. “The group had little to no prior activity before its current campaign.”

Declaring Independence from Nation-States

Chaos operates under a Ransomware-as-a-Service (RaaS) model and has been actively recruiting affiliates on Russian-speaking cybercriminal forums, particularly the Ransom Anon Market Place (RAMP). The group has stated it will not target or collaborate with BRICS or CIS countries—including Russia—nor will it attack governments or hospitals.

The group's ransomware is capable of compromising Windows, Linux, ESXi, and NAS systems, and includes features like per-file encryption keys, fast encryption, and network scanning to identify valuable assets.

Importantly, this group is not affiliated with previous malware families generated using the Chaos ransomware builder. Instead, Cisco researchers believe, with moderate confidence, that the operators are likely former members of the Royal/BlackSuit gang, based on overlapping code structures and ransom note similarities.

Voice Phishing and Social Engineering Tactics

Chaos leverages social engineering for initial access, combining email phishing with voice-based attacks. Targets receive spam emails prompting them to call a supposed “IT helpdesk.” During the call, the attacker impersonates a cybersecurity professional and guides the victim to launch Microsoft Quick Assist, gaining remote access.

Once inside the system, the attacker performs reconnaissance—gathering network details and scanning for active processes. A series of scripts and commands are executed to prepare the system for malware delivery and establish a connection to a command-and-control (C2) server.

To maintain persistence, the attacker deploys legitimate remote management tools like AnyDesk and ScreenConnect. Tools like net.exe are used to reset domain user passwords, and PowerShell logs are wiped to cover tracks. The attacker may also disable security tools and uninstall MFA applications.

Data exfiltration is carried out using GoodSync, a legitimate synchronization tool. To avoid detection, the attacker filters the files to be stolen, likely excluding large or highly sensitive files.
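The post-compromise chain described in this section (Quick Assist launch, AnyDesk/ScreenConnect deployment, net.exe password resets, PowerShell log wiping, GoodSync exfiltration) is more useful to a defender as a correlated sequence than as five separate indicators. The following Python sketch is an added example, not code from Cisco Talos or from this article: it runs a small rule set over constructed process-creation telemetry and flags a host only when several distinct stages of the chain fire there. The log layout (timestamp|host|user|process|command line), the host names, and the sample command lines are assumptions made for the illustration.

```python
"""Correlate the stages of the Chaos post-compromise chain across process telemetry.

Added example for this article; the telemetry format and sample lines below are
constructed for illustration and do not come from any real product or incident.
"""
import re
from collections import defaultdict

# Each rule: (name, regex applied to the command-line field, stage of the chain it maps to).
RULES = [
    ("quick_assist_launch", re.compile(r"quickassist\.exe", re.I), "initial access"),
    ("remote_tool_install", re.compile(r"(anydesk|screenconnect)", re.I), "persistence"),
    ("domain_password_reset", re.compile(r"\bnet(1)?\.exe\b.*\buser\b.*/domain", re.I), "credential access"),
    ("powershell_log_clear", re.compile(r"(clear-eventlog|wevtutil\s+cl)\b.*powershell", re.I), "defense evasion"),
    ("goodsync_sync", re.compile(r"goodsync", re.I), "exfiltration"),
]

# Constructed sample telemetry: "timestamp|host|user|process|command line".
# WS-0451 shows the whole chain; WS-0099 is ordinary noise.
SAMPLE_LOGS = """\
2025-07-20T09:01:12|WS-0451|jdoe|explorer.exe|C:\\Windows\\System32\\quickassist.exe
2025-07-20T09:05:40|WS-0451|jdoe|powershell.exe|powershell -nop -c Get-Process
2025-07-20T09:09:03|WS-0451|jdoe|msiexec.exe|msiexec /i AnyDesk.msi /quiet
2025-07-20T09:14:55|WS-0451|jdoe|cmd.exe|net.exe user svc_backup REDACTED /domain
2025-07-20T09:16:10|WS-0451|jdoe|wevtutil.exe|wevtutil cl "Windows PowerShell"
2025-07-20T09:40:22|WS-0451|jdoe|GoodSync.exe|GoodSync.exe /sync finance_share
2025-07-20T10:02:00|WS-0099|asmith|outlook.exe|outlook.exe /recycle
"""


def parse(line):
    """Split one telemetry line into its fields (command line may itself contain '|')."""
    ts, host, user, proc, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "proc": proc, "cmd": cmd}


def match_rules(event):
    """Return [(rule name, stage)] for every rule whose regex hits the command line."""
    return [(name, stage) for name, rx, stage in RULES if rx.search(event["cmd"])]


def scan(log_text):
    """Return {host: {stage: [rule names]}} for every host with at least one hit."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        for name, stage in match_rules(ev):
            hits[ev["host"]][stage].append(name)
    return {host: dict(stages) for host, stages in hits.items()}


def hosts_matching_chain(log_text, min_stages=3):
    """Hosts on which at least min_stages distinct stages of the chain fired.

    A single hit (an AnyDesk install, a GoodSync run) is routine in many
    environments; the combination on one host within a short span is the signal.
    """
    return sorted(h for h, stages in scan(log_text).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in scan(SAMPLE_LOGS).items():
        print(host, stages)
    print("chain suspects:", hosts_matching_chain(SAMPLE_LOGS))
```

The stage threshold is the tunable part: raising `min_stages` trades missed early-stage activity for fewer false positives from legitimate helpdesk sessions that also use Quick Assist or AnyDesk. In a real deployment the window over which stages are correlated should also be bounded in time, which the sample omits for brevity.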

Encryption and Extortion Methods

The Chaos ransomware encrypts specific parts of files—rather than entire files—to speed up the process, appending “.chaos” extensions to affected documents. The encryption technique allows for rapid impact while maintaining pressure on the victim to pay.
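Because only parts of each file are encrypted, whole-file entropy heuristics react less strongly than they would to full encryption; the rename to the ".chaos" extension the article mentions is a more dependable file-system signal. The Python sketch below is an added example, not code from the article or Cisco Talos: it watches a constructed stream of file rename events and raises an alert when one process on one host renames many files to ".chaos" inside a short window. The event layout (epoch seconds|host|process|old path|new path), the process name and the host names are assumptions made for the illustration.

```python
"""Flag bursts of renames to the ".chaos" extension in file-system telemetry.

Added example for this article; the event layout and sample events are
constructed for illustration and do not come from any real product or incident.
"""
from collections import defaultdict, deque

# Constructed sample events: "epoch_seconds|host|process|old_path|new_path".
# FS-01: 25 renames to .chaos in 25 seconds by a hypothetical process, plus one
# benign rename from an office application.  FS-02: 3 renames, below threshold.
SAMPLE_EVENTS = sorted(
    [f"{1000 + i}|FS-01|unknown.exe|D:\\share\\doc{i}.docx|D:\\share\\doc{i}.docx.chaos"
     for i in range(25)]
    + ["1010|FS-01|WINWORD.EXE|D:\\share\\~draft.tmp|D:\\share\\draft.docx"]
    + [f"{2000 + i}|FS-02|unknown.exe|E:\\data\\f{i}.xlsx|E:\\data\\f{i}.xlsx.chaos"
       for i in range(3)],
    key=lambda line: int(line.split("|", 1)[0]),
)


def detect_rename_bursts(lines, ext=".chaos", window_s=60, threshold=20):
    """Return one alert per (host, process) that renamed >= threshold files to ext
    within any window_s-second span.  Events must be in time order."""
    windows = defaultdict(deque)   # (host, process) -> timestamps of recent renames
    alerts = []
    alerted = set()
    for line in lines:
        ts, host, proc, old_path, new_path = line.split("|", 4)
        ts = int(ts)
        if not new_path.lower().endswith(ext):
            continue                # benign rename, not to the ransomware extension
        key = (host, proc)
        q = windows[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()             # drop renames older than the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": host, "process": proc,
                           "count": len(q), "first_seen": q[0], "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window should be set from a baseline of normal rename rates on the monitored share; backup and archiving jobs also rename files in bulk, which is why the key is (host, process) rather than host alone.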

In a documented case, Chaos demanded a $300,000 ransom and offered to provide:

  • A decryptor tool tailored to the compromised environment.
  • A full penetration test report of the attack.
  • A guarantee to delete the stolen data and not attack again.

However, failure to comply triggered escalating threats, including:

  • Public disclosure of stolen data.
  • A DDoS attack on internet-facing services.
  • Notification of the breach to clients and competitors.

Cisco noted that the Chaos ransom note closely mirrors the style of Royal/BlackSuit campaigns, featuring a greeting, a supposed security audit explanation, double-extortion messaging, and an .onion link for contact.

Source: https://www.infosecurity-magazine.com/news/chaos-ransomware-wave-attacks