A new ransomware group called Chaos has recently launched a series of cyberattacks, raising serious concerns among cybersecurity experts. This group was first identified around February 2025, and investigators believe it is made up of former members of the BlackSuit or Royal ransomware gangs. The attackers are using a mix of old and new techniques to carry out their campaigns.

Chaos operates as a ransomware-as-a-service (RaaS) platform. This means they allow other criminals to use their ransomware tools in exchange for a portion of the ransom profits. These types of platforms make it easier for less-skilled attackers to launch damaging ransomware campaigns using professionally developed tools and infrastructure.

This ransomware group is using well-known tactics such as double extortion, where they steal data before encrypting it, then threaten to release that data if the victim does not pay. They are also following a big-game hunting strategy by targeting large organizations with the ability to pay significant ransom amounts.

Chaos ransomware is dangerous because it is capable of attacking multiple systems, including Windows, Linux, ESXi virtual machines, and NAS storage devices. This wide range of compatibility increases the threat level for organizations using a variety of technologies across their networks.

Once a system is infected, Chaos encrypts files very quickly using multi-threaded encryption. This allows it to affect many files at once and cause significant disruption. Encrypted files are renamed with a “.chaos” extension, and a ransom note titled “readme.chaos.txt” is dropped into each affected directory.
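The two file-system artifacts named above, the ".chaos" extension and the "readme.chaos.txt" note, are enough for a simple sweep that flags directories showing both. The script below is an added example, not code from the original article; its sample tree, file names and severity labels are constructed for illustration:

```python
import os
import tempfile
from pathlib import Path

# Artifact names reported for Chaos: encrypted files are renamed with a
# ".chaos" extension and "readme.chaos.txt" is dropped in each affected directory.
ENCRYPTED_EXT = ".chaos"
RANSOM_NOTE = "readme.chaos.txt"

def scan_tree(root):
    """Walk `root` and return {relative_dir: {"note": bool, "encrypted": int}}
    for every directory showing at least one Chaos-style indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        lowered = [f.lower() for f in files]
        note = RANSOM_NOTE in lowered
        encrypted = sum(1 for f in lowered if f.endswith(ENCRYPTED_EXT))
        if note or encrypted:
            findings[os.path.relpath(dirpath, root)] = {"note": note, "encrypted": encrypted}
    return findings

def assess(findings):
    """'clean' if nothing found, 'likely-encrypted' if a ransom note sits next to
    renamed files, otherwise 'suspicious' (a lone note or lone .chaos files)."""
    if not findings:
        return "clean"
    if any(v["note"] and v["encrypted"] for v in findings.values()):
        return "likely-encrypted"
    return "suspicious"

def build_sample_tree():
    """Constructed sample data, not a real infection: one untouched directory,
    one that looks encrypted, and one holding only a stray ransom note."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.docx").write_text("plain text, untouched")
    (root / "finance").mkdir()
    (root / "finance" / "ledger.xlsx.chaos").write_bytes(b"\x00\xffopaque")
    (root / "finance" / "q2.pdf.chaos").write_bytes(b"\x00\xffopaque")
    (root / "finance" / "readme.chaos.txt").write_text("ransom note placeholder")
    (root / "tmp").mkdir()
    (root / "tmp" / "readme.chaos.txt").write_text("ransom note placeholder")
    return str(root)

if __name__ == "__main__":
    results = scan_tree(build_sample_tree())
    print(results, assess(results))
```

Pointing `scan_tree` at a real share or backup mount turns this into a cheap post-incident triage check; a directory that holds the note but no renamed files (the "tmp" case) is worth a look but is not by itself proof of encryption.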

Victims are told to visit a unique Tor website to begin negotiations with the attackers. The Chaos group typically demands around $300,000, promising to provide a decryption tool and a report outlining how the system was breached. If payment is not made, they threaten to leak stolen data, launch DDoS attacks, and publicly damage the victim’s reputation.

Security researchers have clarified that this Chaos ransomware has no relation to the older Chaos malware builder. The name similarity has caused confusion, but this newly emerged group is different and far more advanced. Their tools and methods reflect the work of experienced developers and former members of other high-profile ransomware gangs.

Chaos has already been involved in multiple attacks across the United States, the United Kingdom, New Zealand, and India. The group does not appear to focus on a specific industry or sector. Instead, it looks for vulnerable systems across various fields, making it a widespread and unpredictable threat.

One of the most serious incidents so far involved a U.S.-based company that provides IT services to Optima Tax Relief. In this case, the Chaos group claimed responsibility for leaking over 69 gigabytes of sensitive customer data, including private and financial records. This event highlights the real-world impact of the group’s operations.

To protect against Chaos ransomware, security experts recommend regular data backups, patching systems, and using multi-factor authentication. Disabling unnecessary remote access tools and training employees to recognize phishing threats can also reduce the risk of infection. As Chaos continues to grow, early detection and strong security practices are more important than ever.

Stay alert, and keep your security measures updated!

Source: cybersecurity88 (X and LinkedIn)