- New ransomware-as-a-service group Chaos linked to former BlackSuit members after law enforcement actions.
- Chaos uses phishing, remote tools, and rapid encryption in attacks primarily targeting U.S. organizations.
- Victims face ransom demands of $300,000 for data recovery and breach reports.
- U.S. authorities recently seized cryptocurrency valued at over $2.4 million from a Chaos group member.
- Ransomware attacks dropped 43% in Q2 2025, but new groups and advanced tactics continue to emerge.
A new ransomware-as-a-service (RaaS) group, Chaos, entered the cybercrime scene in February 2025, with evidence linking it to former BlackSuit operators following the takedown of BlackSuit's infrastructure by law enforcement. The group has launched attacks mainly against victims in the United States, demanding ransoms of $300,000 for decryptors and breach details.
According to researchers at Cisco Talos, Chaos actors combine phishing emails and voice-based social engineering to trick victims into installing remote desktop tools like Microsoft Quick Assist. After gaining access, attackers deploy additional remote monitoring and management (RMM) tools such as AnyDesk, ScreenConnect, OptiTune, Syncro RMM, and Splashtop to maintain a foothold and steal data.
The ransomware rapidly encrypts files across Windows, ESXi, Linux, and NAS systems. “The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery,” Cisco Talos reported. Attackers exfiltrate data using file-sharing software and attempt to erase evidence by deleting event logs and security tools, according to the researchers.
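As an added defender-side example (not from the original article or from Cisco Talos), the Python below correlates constructed process-creation events for the two behaviours described above: execution of one of the named remote tools followed, on the same host, by clearing of Windows event logs. The binary-name markers for the tools and the `wevtutil cl` / `Clear-EventLog` forms of log clearing are assumptions, as is the six-hour correlation window.

```python
import json
from datetime import datetime, timedelta

# Remote-access / RMM products named in the reporting above.
# Assumption: the executable name contains the product name (case-insensitive).
RMM_MARKERS = ("quickassist", "anydesk", "screenconnect", "optitune", "syncro", "splashtop")
# Assumption: evidence removal shows up as an event-log clearing command line.
LOG_CLEAR_MARKERS = ("wevtutil cl", "wevtutil.exe cl", "clear-eventlog")
WINDOW = timedelta(hours=6)  # assumed correlation window


def classify(event):
    """Return 'rmm', 'logclear', or None for one process-creation event."""
    image = event.get("image", "").lower()
    cmd = event.get("cmdline", "").lower()
    if any(m in image for m in RMM_MARKERS):
        return "rmm"
    if any(m in cmd for m in LOG_CLEAR_MARKERS):
        return "logclear"
    return None


def find_suspicious_hosts(lines):
    """Map host -> ordered list of flagged images where an RMM tool ran and
    event logs were cleared within WINDOW afterwards on the same host."""
    per_host = {}
    for line in lines:
        ev = json.loads(line)
        kind = classify(ev)
        if kind:
            ts = datetime.fromisoformat(ev["ts"])
            per_host.setdefault(ev["host"], []).append((ts, kind, ev["image"]))
    hits = {}
    for host, evs in per_host.items():
        evs.sort()  # chronological order
        rmm_times = [ts for ts, kind, _ in evs if kind == "rmm"]
        for ts, kind, _ in evs:
            if kind == "logclear" and any(timedelta(0) <= ts - r <= WINDOW for r in rmm_times):
                hits[host] = [img for _, _, img in evs]
                break
    return hits


# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOGS = [
    '{"ts":"2025-07-01T09:00:00","host":"WS01","image":"notepad.exe","cmdline":"notepad.exe"}',
    '{"ts":"2025-07-01T09:05:00","host":"WS01","image":"QuickAssist.exe","cmdline":"QuickAssist.exe"}',
    '{"ts":"2025-07-01T09:40:00","host":"WS01","image":"AnyDesk.exe","cmdline":"AnyDesk.exe --service"}',
    '{"ts":"2025-07-01T11:10:00","host":"WS01","image":"wevtutil.exe","cmdline":"wevtutil cl Security"}',
    '{"ts":"2025-07-01T08:00:00","host":"WS02","image":"AnyDesk.exe","cmdline":"AnyDesk.exe"}',
    '{"ts":"2025-07-01T12:00:00","host":"WS03","image":"wevtutil.exe","cmdline":"wevtutil cl Application"}',
]
```

Only WS01 is flagged: WS02 shows a remote tool with no log clearing, and WS03 clears a log without any preceding remote tool, so each alone stays below the correlation threshold.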
The new Chaos group is not related to builder variants like Yashma or Lucky_Gh0$t, despite the similar name. The operation follows a familiar rebranding pattern: the attackers' tactics, ransom notes, and tool selection closely mirror those of BlackSuit, which was itself a rebrand of the Royal group, whose lineage traces back to Conti. The shift follows a law enforcement seizure announced as part of Operation Checkmate, targeting BlackSuit's dark web sites. No official statement has been released about the takedown.
Recently, the U.S. Federal Bureau of Investigation (FBI) and Department of Justice (DoJ) seized 20.2891382 BTC—valued at over $2.4 million—from a cryptocurrency wallet linked to a Chaos member, known as Hors. The ransomware landscape is seeing similar new entrants like Backups, Bert, BlackFL, BQTLOCK, Gunra, Jackalock, Moscovium, RedFox, and Sinobi. For example, Gunra, reportedly based on Conti, has claimed 13 victims since April 2025.
Other ransomware variants are using techniques such as DLL side-loading and fake CAPTCHA lures to distribute malware like NailaoLocker and Epsilon Red. Reports also show ransomware attacks decreased by 43% in the second quarter of 2025, dropping from 2,074 to 1,180 incidents. Qilin led attack activity, followed by Akira, Play, SafePay, and Lynx.
Despite this drop, experts caution that rebranding and advanced social engineering are enabling ransomware groups to remain active and evolve. For more details, see the reports by Cisco Talos, NCC Group, and CYFIRMA (source, Ransomware.live, CYFIRMA).