Chaos Ransomware Emerges: A New Threat Following BlackSuit Takedown

Recently, law enforcement agencies globally celebrated the takedown of the BlackSuit ransomware group, only for a new threat to emerge almost immediately thereafter. This highlights the persistent game of whack-a-mole that cybersecurity experts face. The new group, known as Chaos, is suspected to include some former BlackSuit members.

Chaos takes its name from the '.chaos' extension it appends to encrypted files and from its ransom notes, named 'readme.chaos[.]txt'. According to Cisco's Talos Security Group, Chaos has been actively targeting organizations in the US and in other countries such as the UK, New Zealand, and India since its inception in February. The group practices what security researchers call 'big-game hunting', operations aimed at extracting large sums, and has reportedly demanded as much as $300,000 from victims.
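As an added illustration of how a defender could turn the two file-system indicators named above (the '.chaos' extension and the 'readme.chaos.txt' note) into a detection, here is example code that is not from the article or from Talos. The log line format, the hostnames and the sample events are constructed, and the burst threshold and one-minute window are assumed tuning values:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-event log (not real telemetry), one event per line:
# "<iso timestamp> <host> <event> <path>[ -> <new path>]"
SAMPLE_LOG = r"""
2025-03-01T10:00:01 ws-17 rename C:\Users\alice\Documents\q1.xlsx -> C:\Users\alice\Documents\q1.xlsx.chaos
2025-03-01T10:00:02 ws-17 rename C:\Users\alice\Documents\notes.docx -> C:\Users\alice\Documents\notes.docx.chaos
2025-03-01T10:00:03 ws-17 rename C:\Users\alice\Pictures\cat.jpg -> C:\Users\alice\Pictures\cat.jpg.chaos
2025-03-01T10:00:04 ws-17 create C:\Users\alice\Documents\readme.chaos.txt
2025-03-01T10:05:00 ws-22 rename C:\Projects\old.bak -> C:\Projects\old.bak.chaos
2025-03-01T11:30:00 ws-22 create C:\Projects\readme.txt
"""

# Indicators taken from the reporting: note file name and encrypted-file extension
RANSOM_NOTE = re.compile(r"\\readme\.chaos\.txt$", re.IGNORECASE)
ENCRYPTED_EXT = re.compile(r"\.chaos$", re.IGNORECASE)


def parse_event(line):
    """Split a log line into (timestamp, host, event, target path)."""
    ts, host, event, rest = line.split(" ", 3)
    # For renames the indicator lives in the new name, after the arrow
    path = rest.split(" -> ")[-1]
    return datetime.fromisoformat(ts), host, event, path


def detect(log_text, burst_threshold=3, window=timedelta(seconds=60)):
    """Return sorted (host, reason) alerts: a dropped ransom note, or a
    burst of files taking the .chaos extension within one time window."""
    alerts = set()
    recent = defaultdict(deque)  # host -> timestamps of recent .chaos writes
    for line in log_text.strip().splitlines():
        ts, host, event, path = parse_event(line)
        if event == "create" and RANSOM_NOTE.search(path):
            alerts.add((host, "ransom note dropped"))
        if ENCRYPTED_EXT.search(path):
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > window:  # sliding window per host
                q.popleft()
            if len(q) >= burst_threshold:
                alerts.add((host, "burst of .chaos renames"))
    return sorted(alerts)


if __name__ == "__main__":
    for host, reason in detect(SAMPLE_LOG):
        print(f"{host}: {reason}")
```

A single stray '.chaos' rename (ws-22 above) stays below the burst threshold, so only the host showing both the rename burst and the note is flagged.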

Those who fall prey to Chaos receive a promise of a decryptor in return for payment, along with a report detailing network vulnerabilities. Victims who refuse to comply face threats of data being publicly leaked and cyber-attacks such as distributed denial-of-service (DDoS).

Interestingly, Cisco's report coincided with Operation CheckMate, an international crackdown that disabled BlackSuit's digital footprint. This included cooperation among US, European, and other international law enforcement agencies. Despite these efforts, the emergence of Chaos raises concerns about the rebranding tactics used by ransomware groups to continue their nefarious activities.

Talos researchers note parallels between Chaos and BlackSuit in their encryption methods, ransom note patterns, and their use of LOLbins to compromise Windows environments. LOLbins (living-off-the-land binaries) are legitimate Windows executables that attackers abuse so that their activity blends in with normal administration.

Chaos typically gains initial access via social engineering attacks, using email or voice phishing to trick targets into connecting with a supposed IT representative. The victim is then coaxed into using Windows' Quick Assist to establish a remote connection, thereby giving attackers access.

Before BlackSuit there was Royal, and before that Conti, a lineage that suggests the cyclical nature of ransomware operations, wherein splinter groups reemerge under new identities.

For further reading on Chaos and related cyber threats, you can follow the ongoing research by security professionals like Dan Goodin, a seasoned security editor involved in deep-diving malware, computer espionage, and much more.