BlackSuit Ransomware Crackdown Results in Chaos Rebrand
Cisco Talos Incident Response recently uncovered a ransomware-as-a-service (RaaS) operation called "Chaos." The group specializes in attacking large organizations, stealing data, and demanding a ransom, and it threatens to leak the stolen data if the ransom goes unpaid, a tactic known as double extortion.
Another ransomware operation named "Chaos" already exists; this publication covered it in April 2024. However, the Chaos discovered by Cisco Talos appears to be a rebranding of the BlackSuit ransomware operation.
Cisco Talos reports that Chaos emerged in February 2025 and markets itself on Russian‑language cybercrime forums such as the Ransom Anon Market Place (RAMP). It promotes ransomware as software compatible with Windows, Linux, ESXi, and NAS devices.
Chaos claims to offer features like fast multi‑threaded encryption, individual encryption keys per file, and automated network scanning. It also provides affiliate partners with a management panel that requires a refundable entry fee.
Talos researchers believe that Chaos consists of former members or a rebranding of the BlackSuit ransomware gang. They based this assessment on shared encryption methods, ransom note formatting, and similar tool usage between the two groups. According to the group's forum posts, Chaos explicitly claims it will not target BRICS and CIS countries, hospitals, or government institutions.
Regarding the need to rebrand, law enforcement recently seized the BlackSuit ransomware operation's dark web extortion infrastructure, including its data‑leak blog and negotiation portals, as part of a coordinated international effort known as Operation Checkmate.
The U.S. Department of Homeland Security Investigations led the seizure, supported by agencies such as the U.S. Secret Service, the UK National Crime Agency, the Dutch National Police, the German State Criminal Police Office, Europol, and Ukraine's Cyber Police. The Romanian cyber‑security firm Bitdefender (Draco Team) also provided expert assistance.
Bleeping Computer would later confirm the takedowns. Visitors to BlackSuit's .onion sites now see official seizure banners in place of the group's data‑extortion platform, signaling the disruption of its operations.
BlackSuit emerged in mid‑2023 as a rebranding of Royal (formerly known as Quantum), a ransomware group linked to Conti. It targeted industries such as healthcare, government, education, and manufacturing, demanding individual ransoms ranging from approximately 1 million to 60 million USD. Total known ransom demands exceeded 500 million USD across hundreds of victims.
Chaos appears to remain operational and has not suffered comparable disruption yet. Its emergence alongside BlackSuit's takedown highlights ransomware actors' evolving, adaptive nature and underscores the need for organizations to stay vigilant and prepare for rebranded threats.
Chaos Technical Details
Chaos appears opportunistic, affecting many industries without focusing on any particular vertical. Based on listings on the group's data-leak site, most victims have been in the U.S., along with some in the UK, New Zealand, and India.
A typical Chaos infection follows a multi-stage process:
Initial access: Attackers start with spam campaigns, then escalate to voice‑based social engineering (vishing). They often claim to be IT staff and convince the target to open remote assistance tools, sometimes using Quick Assist, granting them access to the environment.
Persistence achieved using remote tools: Once inside, attackers install legitimate remote monitoring and management (RMM) tools such as AnyDesk, ScreenConnect, or OptiTune to maintain long‑term access without detection.
Lateral movement and reconnaissance: Attackers use built‑in Windows tools like Remote Desktop Protocol (RDP), SMB shares, and Impacket scripts to move laterally within the network and escalate privileges.
Data exfiltration: Attackers steal sensitive data before encrypting files, usually via file‑sharing tools or remote access channels. This stolen data supports the double extortion strategy.
Encryption and ransom note delivery: Chaos appends the file extension ".chaos" to encrypted files and drops a ransom note named readme.chaos.txt. In the note, the attackers claim they were performing a "security test" and urge contact via a victim‑specific Onion address—rather than providing payment instructions directly.
Extortion pressure tactics using the double extortion method: To coerce payment, Chaos may demand around 300,000 USD and offer a decryptor, a security audit report, and a promise to delete stolen data. If the ransom isn't paid, the group threatens to leak data, launch DDoS attacks, and inform the victim's clients or competitors.
Chaos ransomware uses selective, high‑speed encryption, which allows it to encrypt files quickly by selecting certain files and using multiple encryption threads. This makes data encryption faster and harder to stop when a threat actor begins the process.
The malware component avoids detection by refusing to run in sandbox or virtual machine environments and by attempting to uninstall security tools found on the target machine. These features help Chaos encrypt many files rapidly while limiting forensic visibility and minimizing recovery chances.
Talos believes the group adopted the name "Chaos" to confuse the security community, since a different Chaos ransomware operation has existed, possibly since 2021. This newer group is unrelated to earlier Chaos variants, and the resulting confusion is intended to mislead analysts.
Chaos reflects a broader trend of stealthy, fast‑moving ransomware groups that rely on social engineering and living‑off‑the‑land tools rather than noisy malware. This makes detecting and defending against such attacks even more difficult. To reduce risk, Cisco Talos advises:
- Educate employees to never share credentials over unverified calls or tools.
- Monitor the installation and use of remote access tools tightly.
- Apply strong antivirus, anti‑phishing, and email filtering measures.
- Keep critical systems up to date with patches and restrict administrative access.
- Maintain offline backups to reduce ransomware impact.
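The infection chain above names several observable artifacts a defender can hunt for: remote-assist and RMM tool launches (Quick Assist, AnyDesk, ScreenConnect, OptiTune), the ".chaos" extension on encrypted files, the readme.chaos.txt ransom note, and a burst of encrypted-file writes from the multi-threaded encryptor. The following script is an added example written for this article; it is not code from PCrisk or Cisco Talos. It runs a simple triage over a constructed, tab-separated process/file event log (timestamp, host, event type, path). The log format, the keyword matching on executable names, and the burst threshold and window are assumptions chosen for illustration, not documented Chaos behaviour.

```python
"""Toy triage for Chaos ransomware indicators described in the article.

Assumed (hypothetical) log format, one event per line, tab-separated:
    timestamp \t host \t event_type \t detail
event_type is "process" (detail = executable path) or "file" (detail = path written).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote-assist / RMM tools named in the article as abused for access and persistence.
# Matching on substrings of the executable name is a heuristic assumption.
RMM_KEYWORDS = {
    "quickassist": "Quick Assist",
    "anydesk": "AnyDesk",
    "screenconnect": "ScreenConnect",
    "optitune": "OptiTune",
}
ENCRYPTED_EXT = ".chaos"         # extension appended to encrypted files
RANSOM_NOTE = "readme.chaos.txt"  # ransom note file name

# Constructed sample log (not real telemetry): a vishing-style RMM install on WS01,
# then a fast encryption burst and ransom notes on file server FS01.
SAMPLE_LOG = """\
2025-03-01T09:00:01\tWS01\tprocess\tC:\\Windows\\System32\\QuickAssist.exe
2025-03-01T09:15:22\tWS01\tprocess\tC:\\Users\\bob\\Downloads\\AnyDesk.exe
2025-03-01T09:16:05\tWS01\tprocess\tC:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2025-03-01T10:00:00\tFS01\tprocess\tC:\\Windows\\System32\\svchost.exe
2025-03-02T02:00:00\tFS01\tfile\tD:\\shares\\finance\\q1.xlsx.chaos
2025-03-02T02:00:00\tFS01\tfile\tD:\\shares\\finance\\q2.xlsx.chaos
2025-03-02T02:00:01\tFS01\tfile\tD:\\shares\\hr\\payroll.docx.chaos
2025-03-02T02:00:01\tFS01\tfile\tD:\\shares\\hr\\readme.chaos.txt
2025-03-02T02:00:02\tFS01\tfile\tD:\\shares\\readme.chaos.txt
2025-03-02T08:00:00\tWS02\tfile\tC:\\Users\\amy\\notes.txt
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, host, event_type, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, detail = line.split("\t", 3)
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    return events


def basename(path):
    """Lower-cased file name; accepts Windows and POSIX separators (Chaos also targets Linux/ESXi/NAS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_rmm(events):
    """Flag process starts whose executable name contains a known RMM/remote-assist keyword."""
    hits = []
    for ts, host, etype, detail in events:
        if etype != "process":
            continue
        name = basename(detail)
        for keyword, tool in RMM_KEYWORDS.items():
            if keyword in name:
                hits.append({"host": host, "tool": tool, "path": detail, "ts": ts})
    return hits


def detect_ransom_notes(events):
    """Flag any file write whose name is the Chaos ransom note."""
    return [{"host": host, "path": detail, "ts": ts}
            for ts, host, etype, detail in events
            if etype == "file" and basename(detail) == RANSOM_NOTE]


def detect_encryption_bursts(events, threshold=3, window=timedelta(seconds=10)):
    """Flag hosts that write at least `threshold` '.chaos' files inside one `window`.

    A burst like this is the signature of the multi-threaded encryptor; the
    threshold and window are illustrative assumptions, tune them per environment.
    """
    per_host = defaultdict(list)
    for ts, host, etype, detail in events:
        if etype == "file" and basename(detail).endswith(ENCRYPTED_EXT):
            per_host[host].append(ts)
    bursts = []
    for host, stamps in per_host.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                bursts.append({"host": host, "count": len(stamps), "first": stamps[i]})
                break  # one finding per host is enough for triage
    return bursts


def triage(log_text):
    """Run all three detectors and group the findings by category."""
    events = parse_log(log_text)
    return {
        "rmm": detect_rmm(events),
        "ransom_notes": detect_ransom_notes(events),
        "encryption_bursts": detect_encryption_bursts(events),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

The RMM detector is deliberately the noisiest of the three: AnyDesk or ScreenConnect launched from a user's Downloads folder on a workstation is worth a ticket on its own, since the article places that step hours or days before encryption. The ransom-note and burst detectors fire only once encryption has started, so they belong in alerting that can trigger host isolation rather than in a daily review queue.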
Chaos is a sophisticated and aggressive RaaS operation that emerged in early 2025. It is likely tied to the dismantled BlackSuit gang and carries out high‑impact double extortion attacks across multiple operating systems. The group combines voice phishing, misuse of legitimate tools, rapid encryption, and network stealth to target organizations with minimal noise.
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.