Cisco Talos Blog: Unmasking the new Chaos RaaS group attacks

Source URL: https://blog.talosintelligence.com/new-chaos-ransomware/
Source: Cisco Talos Blog
Title: Unmasking the new Chaos RaaS group attacks

Feedly Summary: Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.  

AI Summary and Description: Yes

Summary: The text describes the newly emerged Chaos ransomware group and lays out its tactics, techniques, and procedures (TTPs) from initial access through extortion. The detail is useful to defenders who need to map their detections and controls against a RaaS operation that is actively conducting big-game hunting.

Detailed Description: The text provides a comprehensive analysis of the Chaos ransomware, which has emerged as a significant threat in the realm of ransomware-as-a-service (RaaS). This analysis includes a detailed description of the group’s attack methodologies, victimology, and the technical mechanisms behind their operations.

Key Points:
– **Ransomware Overview**: Chaos is a new RaaS group known for big-game hunting and double extortion tactics.
– **Attack Techniques**: Initial access is gained through social engineering (spam flooding followed by voice phishing), followed by abuse of remote monitoring and management (RMM) tools for access and legitimate file-sharing services for data exfiltration.
– **Technical Sophistication**: The ransomware uses multi-threaded, selective encryption (encrypting only part of each file to finish faster) together with anti-analysis techniques, which complicates detection and hinders recovery.
– **Confusion Strategy**: The name “Chaos” appears to have been chosen to create confusion with earlier, unrelated ransomware that used the same name, which muddies attribution and makes risk assessment and mitigation harder.
– **Target Dynamics**: The group targets a broad range of industries without focusing on any specific sector, primarily impacting victims located in the U.S., UK, New Zealand, and India.
– **Operational Tactics**:
  – Social engineering to obtain initial access.
  – Post-compromise reconnaissance and discovery within the victim environment.
  – Remote management tools used to maintain persistent access.
  – Command execution through PowerShell and Windows Management Instrumentation (WMI).
– **Data Exfiltration and Encryption**: Chaos exfiltrates data with legitimate file-sharing software, applies selective encryption to speed up the attack, and encrypts each file with its own unique key.
– **Ransom Demands**: The ransom demand observed was about $300K, with threats of DDoS attacks and publication of the stolen data if the victim does not pay.
– **Security Recommendations**: The post lists Cisco security products and endpoint detections that provide coverage against this threat.
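The TTPs above (RMM tool abuse for persistence, command execution via PowerShell and WMI) translate directly into host-based detections. The following Python sketch is an added example, not code from the Talos post or from Cisco; it runs simple detection logic over constructed process-creation events (Sysmon EID 1 / Security 4688 style fields). The RMM watchlist and the sanctioned-tool set are assumptions, since the summary names no specific products; tune both to your own estate.

```python
"""Added example: detection pass over constructed Windows process-creation
events. Flags three behaviours from the Chaos TTP summary: an RMM agent the
organisation has not sanctioned, PowerShell spawned through WMI (WmiPrvSE.exe
as parent), and Base64-encoded PowerShell command lines, which it decodes so
the analyst sees the actual command."""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str   # image name of the parent process
    image: str          # image name of the new process
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


# Assumption: the RMM agent(s) the organisation actually deploys.
SANCTIONED_RMM = {"screenconnect.client.exe"}

# Assumption: a watchlist of RMM agent image names. The summary above names
# no specific product, so this list is illustrative only.
RMM_WATCHLIST = SANCTIONED_RMM | {"anydesk.exe", "quickassist.exe",
                                  "splashtop-streamer.exe", "atera.exe"}

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts -ec and any prefix of -EncodedCommand (even plain -e).
_ENC_FLAGS = {"ec"} | {"encodedcommand"[:i] for i in range(1, 15)}
_B64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_encoded_command(command_line: str) -> str | None:
    """Return the decoded payload of an -EncodedCommand argument, or None."""
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag.startswith("-") and flag[1:].lower() in _ENC_FLAGS and _B64.fullmatch(value):
            try:
                # PowerShell Base64-encodes the script as UTF-16LE.
                return base64.b64decode(value).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def scan(events: list[ProcessEvent]) -> list[Finding]:
    """Apply the three rules to each event and collect findings in order."""
    findings: list[Finding] = []
    for ev in events:
        image = ev.image.lower()
        parent = ev.parent_image.lower()

        # Rule 1: an RMM agent that is not on the sanctioned list.
        if image in RMM_WATCHLIST and image not in SANCTIONED_RMM:
            findings.append(Finding(ev.host, "unsanctioned_rmm", image))

        if image in POWERSHELL_IMAGES:
            # Rule 2: PowerShell launched through WMI (WmiPrvSE.exe parent).
            if parent == "wmiprvse.exe":
                findings.append(Finding(ev.host, "wmi_spawned_powershell", ev.command_line))
            # Rule 3: encoded command line, reported in decoded form.
            decoded = decode_encoded_command(ev.command_line)
            if decoded is not None:
                findings.append(Finding(ev.host, "encoded_powershell", decoded))
    return findings


# Constructed sample events; the encoded blob is generated here, not captured.
_ENCODED = base64.b64encode("whoami /all".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent("WS01", "explorer.exe", "powershell.exe",
                 "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"),
    ProcessEvent("WS01", "WmiPrvSE.exe", "powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {_ENCODED}"),
    ProcessEvent("WS02", "explorer.exe", "AnyDesk.exe",
                 "C:\\Users\\Public\\AnyDesk.exe --install"),
    ProcessEvent("WS03", "services.exe", "ScreenConnect.Client.exe",
                 "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.Client.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

The sanctioned-tool check is the part that does the real work: RMM binaries are legitimate software, so the signal is not the tool itself but a tool your organisation never deployed. Decoding the encoded command line before alerting saves the analyst a step and lets you add keyword rules over the plaintext later.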

The account covers both the mechanics of the Chaos ransomware and the controls that counter it: hardening against voice phishing, monitoring for unsanctioned RMM tools and WMI-driven PowerShell execution, and watching for bulk uploads to file-sharing services. Organizations should treat these TTPs as a checklist for their detection and response coverage rather than as a one-off report.