Unmasking the new Chaos RaaS group attacks
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
Cisco Talos Incident Response has observed attacks by Chaos, a new ransomware-as-a-service group conducting big-game hunting and double extortion attacks. The group uses spam flooding, voice-based social engineering, RMM tool abuse, and legitimate file-sharing software for data exfiltration. Their ransomware employs multi-threaded rapid selective encryption and anti-analysis techniques, targeting both local and network resources. Chaos is likely formed by former BlackSuit (Royal) gang members, based on similarities in encryption methodology, ransom note structure, and toolset. The group has impacted various business verticals, predominantly in the U.S., UK, New Zealand, and India. They use the '.chaos' file extension and demand ransoms around $300K, threatening data disclosure and DDoS attacks if not paid.
OPENCTI LABELS :
raas,blacksuit,royal
AI COMMENTARY :
1. Cybersecurity professionals have recently turned their attention to a rising threat actor known as Chaos, a new ransomware-as-a-service group that targets high-value organizations through big-game hunting and double extortion schemes. Cisco Talos Incident Response teams have documented a series of sophisticated incursions attributed to this group, revealing a pattern of attacks that combine social engineering and technical prowess to compromise network defenses and steal sensitive data.
2. Chaos deploys a multifaceted intrusion strategy that often begins with massive spam flooding campaigns and voice-based social engineering calls designed to manipulate employees into granting initial access or divulging credentials. By exploiting remote monitoring and management tools, the group gains persistent footholds and leverages legitimate file-sharing platforms to exfiltrate data without immediately triggering alarms. This blend of psychological manipulation and tool abuse underscores the group’s adaptability and determination to evade detection.
3. Once inside the target environment, the group unleashes its proprietary ransomware, which is engineered for speed and stealth. Employing multi-threaded rapid selective encryption, Chaos can encrypt critical files across both local and network resources in record time. Anti-analysis techniques are embedded within the payload to thwart forensic examination and sandbox analysis, effectively delaying incident response efforts and increasing pressure on victims to meet ransom demands.
4. Threat intelligence analysis suggests that Chaos may be an offshoot of the former BlackSuit, also known as the Royal ransomware gang. Parallels in encryption methodology, ransom note formatting, and the use of similar toolsets indicate a potential overlap in personnel or operational tactics. These insights point to a trend whereby seasoned ransomware operators evolve under new banners to continue their illicit activities with fresh branding and improved malware features.
5. Chaos attacks have impacted an array of business verticals, with the majority of incidents reported in the United States, United Kingdom, New Zealand, and India. Industries ranging from manufacturing and healthcare to finance and professional services have fallen victim to data theft, encryption, and threats of public disclosure or distributed denial-of-service attacks if ransoms are not paid. The geographic and sector diversity of these incidents highlights the group’s willingness to pursue any organization deemed capable of meeting high ransom demands.
6. In each attack, encrypted files are appended with the ".chaos" extension. Victims receive ransom notes demanding payments in the vicinity of three hundred thousand dollars, accompanied by warnings that failure to comply will result in the release of stolen data and the initiation of disruptive DDoS campaigns. This dual-threat posture intensifies the pressure on victims, prompting many to engage in negotiations in the hope of a swift resolution.
7. As Chaos RaaS continues to expand its reach, organizations must bolster their defenses by implementing robust email filtering, user awareness training, and strict access controls for remote management tools. Continuous monitoring for anomalous file transfers and rapid incident response planning are essential to mitigate the impact of ransomware events. By staying informed about the evolving tactics of groups like Chaos and its ties to predecessors such as BlackSuit, security teams can better anticipate attacks and protect critical assets.
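As an added defender-side example (not code from Cisco Talos or the OpenCTI report), the following Python detector flags hosts that rename many files to the ".chaos" extension within a short window, the burst that the rapid multi-threaded encryption described above would leave in file-server audit logs. The audit line format and the sample log lines are constructed assumptions; a single stray rename is reported separately so analysts can tune the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server audit lines (not from the report), assumed format:
# "<ISO timestamp> <host> RENAME <old path> -> <new path>", sorted by time.
SAMPLE_LOG = """\
2025-07-01T09:15:00 FS01 RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.chaos
2025-07-01T09:15:00 FS01 RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.chaos
2025-07-01T09:15:01 FS01 RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.chaos
2025-07-01T09:15:01 FS01 RENAME /share/hr/contracts.docx -> /share/hr/contracts.docx.chaos
2025-07-01T09:15:02 FS01 RENAME /share/eng/design.pdf -> /share/eng/design.pdf.chaos
2025-07-01T09:30:00 WS07 RENAME /home/bob/draft.txt -> /home/bob/final.txt
2025-07-01T11:00:00 WS09 RENAME /home/ann/notes.md -> /home/ann/notes.md.chaos
"""

LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (.+?) -> (.+)$")
CHAOS_EXT = ".chaos"  # extension reported for this group's encrypted files


def parse_events(text):
    """Yield (timestamp, host, new_path) for renames that add the .chaos extension."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, host, old, new = m.groups()
        if new.lower().endswith(CHAOS_EXT) and not old.lower().endswith(CHAOS_EXT):
            yield datetime.fromisoformat(ts), host, new


def detect_bursts(text, window=timedelta(seconds=60), threshold=5):
    """Return ({host: peak count}, [low-confidence hosts]).

    A host goes into the alert dict when at least `threshold` .chaos renames fall
    inside one sliding `window`; hosts with fewer hits are listed for triage.
    """
    recent = defaultdict(deque)  # per-host timestamps inside the current window
    alerts, singles = {}, set()
    for ts, host, _ in parse_events(text):
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold:
            alerts[host] = max(alerts.get(host, 0), len(q))
        else:
            singles.add(host)
    return alerts, sorted(singles - set(alerts))


if __name__ == "__main__":
    print(detect_bursts(SAMPLE_LOG))  # ({'FS01': 5}, ['WS09'])
```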