
Chaos Ransomware Group Emerges and Launches Attacks

A new ransomware-as-a-service (RaaS) group named Chaos has emerged, targeting a wide variety of business verticals with double-extortion attacks. The group, believed to have ties to the former BlackSuit/Royal gang, employs sophisticated techniques to maximize impact and hinder recovery.

Chaos is a newly identified ransomware-as-a-service (RaaS) group conducting big-game hunting and double-extortion attacks. Active since at least February 2025, it targets a wide variety of business verticals rather than focusing on any specific sector.

The Chaos ransomware is distinct from, and unrelated to, the earlier variants generated by the Chaos builder; the group may have reused the name to create confusion. Researchers assess with moderate confidence that the new Chaos group was likely formed by former members of the BlackSuit (Royal) gang, based on similarities in encryption methodology, ransom note structure, and toolset. The group actively promotes its software on Russian-speaking dark web forums and is recruiting affiliates.

Chaos's intrusions begin with low-effort spam flooding of a target's mailbox, followed by voice-based social engineering to obtain initial access. Once inside, the operators abuse remote monitoring and management (RMM) tools to maintain a persistent connection and use legitimate file-sharing software to exfiltrate data. The ransomware itself is built for maximum impact: it is multi-threaded, uses rapid selective (partial) encryption so that large files are rendered unusable without being fully rewritten, includes anti-analysis techniques, and encrypts files on both local drives and network shares. After encryption, files are renamed with a ".chaos" extension and a ransom note named "readme.chaos.txt" is dropped.
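The two on-disk artifacts described above, a burst of files renamed to ".chaos" and a dropped "readme.chaos.txt", are the cheapest signals a defender can alert on. The following is an added example written for this article, not code from the researchers or from the ransomware: a small detector run over a constructed stream of file-event log records. The JSON record schema, the sample events, the host names and the burst thresholds are all assumptions for the example and should be mapped to your own EDR or Sysmon file-event schema before use. It also flags when the burst touched a UNC path, since the article notes that Chaos encrypts network resources as well as local ones.

```python
"""
Added example: detect Chaos-style ransomware artifacts in file-event logs.
Not from the article or any vendor; schema, samples and thresholds are
constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

RANSOM_EXT = ".chaos"            # extension appended to encrypted files
RANSOM_NOTE = "readme.chaos.txt"  # ransom note file name
BURST_COUNT = 5                   # assumed: renames to .chaos that trigger an alert
BURST_WINDOW_S = 60               # assumed: sliding window in seconds

# Constructed sample log (JSON lines). ws01 shows an encryption burst that
# spills onto a network share plus a ransom note; ws02 shows two isolated
# renames far apart, which stay below the threshold.
SAMPLE_LOG = r"""
{"ts":"2025-07-01T10:00:01Z","host":"ws01","user":"jdoe","op":"rename","path":"C:\\Users\\jdoe\\Documents\\q2.xlsx","new_path":"C:\\Users\\jdoe\\Documents\\q2.xlsx.chaos"}
{"ts":"2025-07-01T10:00:03Z","host":"ws01","user":"jdoe","op":"rename","path":"C:\\Users\\jdoe\\Documents\\plan.docx","new_path":"C:\\Users\\jdoe\\Documents\\plan.docx.chaos"}
{"ts":"2025-07-01T10:00:05Z","host":"ws01","user":"jdoe","op":"create","path":"C:\\Users\\jdoe\\Documents\\notes.txt"}
{"ts":"2025-07-01T10:00:05Z","host":"ws01","user":"jdoe","op":"rename","path":"C:\\Users\\jdoe\\Pictures\\a.jpg","new_path":"C:\\Users\\jdoe\\Pictures\\a.jpg.chaos"}
{"ts":"2025-07-01T10:00:08Z","host":"ws01","user":"jdoe","op":"rename","path":"C:\\Users\\jdoe\\Pictures\\b.jpg","new_path":"C:\\Users\\jdoe\\Pictures\\b.jpg.chaos"}
{"ts":"2025-07-01T10:00:10Z","host":"ws01","user":"jdoe","op":"rename","path":"\\\\fs01\\finance\\ledger.xlsx","new_path":"\\\\fs01\\finance\\ledger.xlsx.chaos"}
{"ts":"2025-07-01T10:00:12Z","host":"ws01","user":"jdoe","op":"rename","path":"\\\\fs01\\finance\\budget.xlsx","new_path":"\\\\fs01\\finance\\budget.xlsx.chaos"}
{"ts":"2025-07-01T10:00:15Z","host":"ws01","user":"jdoe","op":"create","path":"C:\\Users\\jdoe\\Documents\\readme.chaos.txt"}
{"ts":"2025-07-01T10:05:00Z","host":"ws02","user":"asmith","op":"rename","path":"C:\\tmp\\x.bin","new_path":"C:\\tmp\\x.bin.chaos"}
{"ts":"2025-07-01T10:20:00Z","host":"ws02","user":"asmith","op":"rename","path":"C:\\tmp\\y.bin","new_path":"C:\\tmp\\y.bin.chaos"}
"""


def parse_events(text):
    """Parse JSON-lines file events, converting the timestamp to datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def _final_path(ev):
    """Path the file ends up at after the operation."""
    return ev.get("new_path") or ev["path"]


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return a list of findings: ransom-note drops and .chaos rename bursts.

    A burst fires once per host when BURST_COUNT renames to .chaos land inside
    BURST_WINDOW_S seconds; 'network_share' records whether any rename in the
    window targeted a UNC path (\\\\server\\share).
    """
    findings = []
    window = defaultdict(deque)   # host -> deque of (ts, path) for .chaos renames
    fired = set()                 # hosts that already produced a burst finding
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = _final_path(ev)
        name = _basename(path)
        if ev["op"] == "create" and name == RANSOM_NOTE:
            findings.append({"host": ev["host"], "type": "ransom_note",
                             "path": path, "ts": ev["ts"]})
        elif ev["op"] == "rename" and name.endswith(RANSOM_EXT):
            win = window[ev["host"]]
            win.append((ev["ts"], path))
            # Slide the window: drop renames older than BURST_WINDOW_S.
            while (ev["ts"] - win[0][0]).total_seconds() > BURST_WINDOW_S:
                win.popleft()
            if len(win) >= BURST_COUNT and ev["host"] not in fired:
                fired.add(ev["host"])
                findings.append({
                    "host": ev["host"], "type": "encryption_burst",
                    "user": ev["user"], "count": len(win), "ts": ev["ts"],
                    "network_share": any(p.startswith("\\\\") for _, p in win),
                })
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f)
```

The ransom-note check is exact and cheap, but it fires only after encryption has already run; the rename burst fires earlier and is the one worth wiring to an automated response such as isolating the host. In production, also watch for the same burst on file-server audit logs, where the client host name in the event is the one to isolate.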

Unlike some groups, the Chaos ransom note does not include an initial ransom demand, instead instructing victims to make contact via a victim-specific onion URL. The group also runs a data leak site to disclose stolen information from non-paying victims. Victims have been predominantly located in the U.S., with fewer in the UK, New Zealand, and India.

The evolution of the Chaos ransomware builder, which is unrelated to this new group, is also noteworthy. Early versions surfacing in mid-2021 acted more as a destructive wiper than true ransomware, deleting files instead of encrypting them. Over time, it evolved to include actual AES/RSA encryption for smaller files and eventually developed into a more refined variant called Yashma Ransomware. This builder lowered the barrier to entry for novice cybercriminals, allowing them to craft custom ransomware campaigns with a few clicks.
