Emergence of Ransomware Group Chaos Following BlackSuit's Demise

Sat 26th Jul, 2025

In the wake of a significant international law enforcement operation that dismantled the notorious ransomware group BlackSuit, a new player has swiftly emerged in the cybercrime arena: a group known as Chaos. This transition underscores a persistent pattern in the battle against cybercriminals, where the fall of one group often leads to the rapid rise of another.

The name Chaos is derived from the distinctive .chaos file extension used by their ransomware, as well as the naming convention of their ransom notes, which are titled 'readme.chaos[.]txt.' According to research conducted by Cisco's Talos Security Group, Chaos has been operational since February 2025 and has engaged in what is termed 'big-game hunting.' This strategy involves targeting larger organizations with the intent of extracting substantial ransom payments. Predominantly, their victims have been located in the United States, although attacks have also been reported in the United Kingdom, New Zealand, and India, with ransom demands recently observed at approximately $300,000.
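The two file-name indicators given above (the ".chaos" extension on encrypted files and the "readme.chaos[.]txt" ransom note, which is the defanged spelling of readme.chaos.txt) are the kind of artefact a responder checks for on a suspect file share. The following is an added example, not code from the article or from Talos: it walks a directory tree, flags encrypted files and ransom notes, and summarises hits per directory. The sample tree it builds is constructed for the demonstration.

```python
"""Scan a directory tree for the Chaos ransomware file indicators named in the
article: files ending in ".chaos" and ransom notes named "readme.chaos.txt".
Added example; the indicator strings come from the article, everything else
(function names, the sample tree) is an assumption made for this demo."""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

RANSOM_EXT = ".chaos"            # extension appended to encrypted files
RANSOM_NOTE = "readme.chaos.txt"  # article writes it defanged as readme.chaos[.]txt


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A ransom note alone is enough to escalate; so is any renamed file.
        return bool(self.ransom_notes) or bool(self.encrypted_files)

    def hits_per_directory(self) -> dict:
        """Count encrypted files by directory so a responder can see scope."""
        return dict(Counter(os.path.dirname(p) for p in self.encrypted_files))


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect paths matching the two indicators (case-insensitive)."""
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif lower.endswith(RANSOM_EXT):
                result.encrypted_files.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample: one untouched share and one that looks post-encryption."""
    root = tempfile.mkdtemp(prefix="chaos_demo_")
    clean = os.path.join(root, "finance")
    hit = os.path.join(root, "hr")
    os.makedirs(clean)
    os.makedirs(hit)
    open(os.path.join(clean, "budget.xlsx"), "w").close()
    for fname in ("payroll.docx.chaos", "contracts.pdf.chaos"):
        open(os.path.join(hit, fname), "w").close()
    with open(os.path.join(hit, "README.chaos.txt"), "w") as fh:  # mixed case on purpose
        fh.write("constructed placeholder note, not a real ransom note\n")
    return root


def demo() -> ScanResult:
    """Build the constructed tree and scan it; returns the result for inspection."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    res = demo()
    print("suspicious:", res.suspicious)
    print("ransom notes:", res.ransom_notes)
    print("encrypted files per directory:", res.hits_per_directory())
```

The scan is deliberately name-based only; a real triage would pair it with file-entropy checks and with the process and remote-access telemetry the rest of the article describes, since the extension and note name are trivial for an operator to change between campaigns.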

Victims who comply with the ransom requests are promised not only a decryptor for their files but also a detailed report identifying vulnerabilities discovered within their networks. Furthermore, Chaos commits to deleting any data they have obtained during the attack. Conversely, those who refuse to pay risk permanent data loss, public disclosure of sensitive information, and the threat of distributed denial-of-service (DDoS) attacks.

This alarming news follows the takedown of BlackSuit's dark web presence during a coordinated operation known as Operation CheckMate. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that BlackSuit had solicited over $500 million in ransom payments throughout its operational period.

Research from Talos suggests that Chaos may either be a rebranded version of BlackSuit or a new entity formed by its former members. This assessment arises from observed similarities in encryption techniques, the structure of ransom notes, and the remote management tools employed in attacks. In addition, Chaos has utilized 'LOLbins' (living-off-the-land binaries)--legitimate executable files already present in Windows environments--to facilitate their attacks. Because these tools are signed and expected on the system, they allow attackers to navigate and exploit the target environment without raising immediate suspicion.

On the same day that Talos released its findings, the website associated with BlackSuit displayed a message indicating its seizure as part of Operation CheckMate. This operation saw collaboration among various law enforcement agencies, including the U.S. Departments of Justice and Homeland Security, the U.S. Secret Service, the Dutch National Police, the German State Criminal Police Office, the UK National Crime Agency, and Europol.

Chaos typically initiates its attacks through social engineering tactics, often employing phishing via email or voice communication to gain the trust of potential victims. In many cases, they manipulate individuals into connecting with what appears to be an IT security representative, who is, in fact, a member of the ransomware group. By instructing victims to use Microsoft Quick Assist--a remote assistance tool--Chaos can gain access to their systems and carry out their malicious activities.

Interestingly, BlackSuit itself was a rebranding of a previous ransomware operation known as Royal, which has ties to the Conti ransomware group. This cyclical nature of ransomware entities illustrates the ongoing challenge faced by cybersecurity professionals and law enforcement in combating cybercrime.

