Unmasking the new Chaos RaaS group attacks

Cisco Talos Incident Response (Talos IR) recently observed attacks by Chaos, a relatively new ransomware-as-a-service (RaaS) group conducting big-game hunting and double extortion attacks.

Chaos RaaS actors began with low-effort spam flooding, escalated to voice-based social engineering to obtain access, then abused remote monitoring and management (RMM) tools to maintain a persistent connection and used legitimate file-sharing software for data exfiltration.

The ransomware uses rapid, multi-threaded selective encryption and anti-analysis techniques, and it targets both local and network resources, maximizing impact while hindering detection and recovery.

Talos believes the new Chaos ransomware is unrelated to earlier variants generated by the Chaos builder, and that the group reuses the name to create confusion.

Talos assesses with moderate confidence that the new group is likely formed by former members of the BlackSuit (Royal) gang, based on similarities in the ransomware’s encryption methodology, ransom note structure, and the toolset used in the attacks.

To read the complete article, see the Chaos RaaS article.

This post is licensed under CC BY 4.0 by the author.