
A newly discovered ransomware group, dubbed Chaos, has launched a sophisticated campaign employing Ransomware-as-a-Service (RaaS), leveraging social engineering techniques for initial access. The group is actively targeting high-value enterprises in double extortion attacks, threatening not only data encryption but also data leaks and Distributed Denial of Service (DDoS) attacks unless ransom demands are met.
Key Characteristics of Chaos Ransomware
Chaos ransomware stands out due to its:
• Cross-platform capability, targeting Windows, Linux, ESXi, and NAS systems
• Selective and rapid file encryption
• Anti-analysis and evasion techniques
• Ability to compromise both local and networked resources
• Data exfiltration via legitimate tools
This level of sophistication reflects an evolution from known ransomware strains such as BlackSuit and Royal, with a renewed focus on stealth, persistence, and operational control.
Attack Lifecycle
The attack follows a detailed and calculated series of steps:
Initial Access
The attackers initiate contact via spam emails, followed by vishing (voice phishing). Victims are tricked into granting remote access using Microsoft Quick Assist, allowing the threat actor to enter the system without raising suspicion.
Discovery
Once inside, the adversary uses native Windows commands to conduct network reconnaissance — identifying domain trust relationships, user accounts, and system configurations.
Execution
Malicious PowerShell and WMI commands are executed to stage the environment. This includes downloading malware and establishing a connection with the group’s command-and-control (C2) infrastructure.
Persistence
Persistence is achieved by installing Remote Monitoring and Management (RMM) tools like AnyDesk and modifying registry settings to hide malicious user accounts.
Credential Access
Credentials are harvested using LDAP queries, with a strong likelihood of Kerberoasting to escalate privileges by capturing service account tokens.
Privilege Escalation
The group employs token impersonation and process injection techniques to bypass file access controls and elevate their privileges.
Defence Evasion
To avoid detection, the attackers delete PowerShell logs, uninstall MFA tools and security applications, and use anti-analysis techniques to disable endpoint protection.
Lateral Movement
Once a foothold is established, Chaos actors move laterally across the network via RDP, SMB shares, SSH tunnels, and Impacket-based WMI executions.
Exfiltration
Sensitive files are exfiltrated using GoodSync, which is disguised to appear as a legitimate Windows process. Only specific file types are filtered and extracted.
Command & Control (C2)
A reverse SSH tunnel over port 443 is set up for secure, encrypted communications with the C2 server, evading most traditional network defences.
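Because the tunnel described above rides on TCP/443, a port-based rule will treat it as ordinary HTTPS. The check that actually separates the two is the first bytes the client sends: an SSH client opens with its identification string (RFC 4253, "SSH-…"), whereas a TLS client opens with a handshake record (content type 0x16, version byte 0x03). The script below is an added illustration of that distinction, not code from the advisory or from any vendor; the flow records, IP addresses (documentation ranges) and payload bytes are constructed, and the `Flow` record and function names are this example's own.

```python
"""Flag outbound connections on TCP/443 whose first client bytes are not a TLS handshake.

A reverse SSH tunnel means the victim host is the SSH *client*, so the
identification string it sends is visible in the first outbound payload.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes  # first application bytes sent by the client side


def classify_payload(payload: bytes) -> str:
    """Return 'ssh', 'tls' or 'unknown' from the first client bytes."""
    # SSH identification string (RFC 4253 §4.2) begins with "SSH-", normally "SSH-2.0-".
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), then major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def find_ssh_on_443(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (src, dst, protocol) for every 443 flow that is not TLS.

    'ssh' is the high-confidence match for the tunnel described in the advisory;
    'unknown' is still worth a look because 443 should carry TLS and little else.
    """
    alerts = []
    for f in flows:
        proto = classify_payload(f.first_payload)
        if f.dport == 443 and proto != "tls":
            alerts.append((f.src, f.dst, proto))
    return alerts


# Constructed sample flows (not real captures). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges used here as stand-ins for an attacker host and a web server.
SAMPLE_FLOWS = [
    Flow("10.0.5.21", "203.0.113.10", 443, b"SSH-2.0-OpenSSH_for_Windows_9.5\r\n"),
    Flow("10.0.5.22", "198.51.100.7", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    Flow("10.0.5.23", "203.0.113.10", 443, b"\x00\x00\x00\x00"),
    Flow("10.0.5.24", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),  # normal SSH on 22, not 443
]

if __name__ == "__main__":
    for src, dst, proto in find_ssh_on_443(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:443 carries {proto}, not TLS")
```

In practice the same logic is expressed as a protocol-mismatch rule in an IDS or as a query over flow telemetry that records the initial payload; the point is to key on the protocol actually spoken rather than the destination port.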
The Impact
Finally, the ransomware encrypts data using the “.chaos” extension, followed by the deletion of shadow copies to prevent system recovery.
Indicators of Compromise (IOCs)
Security teams are advised to monitor for:
• Installation of AnyDesk and similar RMM tools
• Unusual use of Quick Assist or PowerShell
• Outbound SSH connections on port 443
• Files encrypted with the “.chaos” extension
• Usage of GoodSync in unexpected locations or contexts
• Altered registry keys and new hidden user accounts
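The list above can be turned into concrete matches over host telemetry. The script below is an added example, not code from the advisory or from any product: it runs simple rules over constructed process-creation, registry and file-rename events that are loosely modelled on EDR output. Several details are assumptions rather than statements of the advisory: the advisory says the actors delete PowerShell logs and shadow copies and hide accounts via the registry, but does not say how, so the `wevtutil cl` and `vssadmin delete shadows` command forms and the `SpecialAccounts\UserList` key are the well-known mechanisms this example chooses to match. Because the advisory notes GoodSync is disguised as a Windows process, the example also flags any Windows system binary name running from outside the system directories, which catches the disguise regardless of the real tool behind it. The event format, hostnames, paths and rule names are this example's own.

```python
"""Match the advisory's IOCs against constructed host events.

Event line format (constructed for this example): timestamp|host|event_type|detail
"""
import re
from typing import List, Optional, Tuple

# Constructed sample telemetry, not from a real incident.
SAMPLE_EVENTS = [
    "2025-07-01T09:12:03Z|WS-014|process_create|C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe",
    "2025-07-01T09:31:47Z|WS-014|process_create|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent",
    "2025-07-01T09:40:12Z|WS-014|registry_set|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\svc_backup=0",
    "2025-07-01T10:05:30Z|WS-014|process_create|C:\\Windows\\System32\\wevtutil.exe cl Microsoft-Windows-PowerShell/Operational",
    "2025-07-01T10:20:55Z|FS-02|process_create|C:\\ProgramData\\Microsoft\\svchost.exe /sync /upload",
    "2025-07-01T11:02:19Z|FS-02|process_create|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2025-07-01T11:03:00Z|FS-02|file_rename|D:\\Finance\\Q2.xlsx -> D:\\Finance\\Q2.xlsx.chaos",
    "2025-07-01T08:00:00Z|WS-020|process_create|C:\\Program Files\\GoodSync\\GoodSync.exe /sync",  # sanctioned install
    "2025-07-01T08:05:00Z|WS-020|process_create|C:\\Windows\\System32\\svchost.exe -k netsvcs",     # genuine svchost
]

SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
WINDOWS_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
# Image path ends at the first ".exe"; everything after whitespace is the argument string.
IMAGE_RE = re.compile(r"^(.*?\.exe)(?:\s+(.*))?$", re.IGNORECASE)


def split_process(detail: str):
    """Return (directory, basename, args), all lower-cased except args."""
    m = IMAGE_RE.match(detail)
    if not m:
        return None, None, detail
    image, args = m.group(1), m.group(2) or ""
    directory, _, name = image.rpartition("\\")
    return directory.lower(), name.lower(), args


def check_process(detail: str) -> Optional[str]:
    directory, name, args = split_process(detail)
    if name is None:
        return None
    low_args = args.lower()
    if name == "quickassist.exe":
        return "quick_assist_launch"
    if name == "anydesk.exe" and "--install" in low_args:
        return "rmm_install"
    # Assumed mechanism for "delete PowerShell logs": clearing the operational log.
    if name == "wevtutil.exe" and low_args.startswith("cl ") and "powershell" in low_args:
        return "powershell_log_cleared"
    # Assumed mechanism for shadow-copy deletion.
    if name == "vssadmin.exe" and "delete shadows" in low_args:
        return "shadow_copy_deletion"
    if "goodsync" in name and not directory.startswith("c:\\program files"):
        return "goodsync_unexpected_path"
    # A system binary name running from a non-system path is masquerading (T1036).
    if name in WINDOWS_BINARIES and directory not in SYSTEM_DIRS:
        return "masquerading_system_binary"
    return None


def check_registry(detail: str) -> Optional[str]:
    # Assumed hiding mechanism: a 0 DWORD under Winlogon\SpecialAccounts\UserList.
    key, _, data = detail.rpartition("=")
    if "\\specialaccounts\\userlist\\" in key.lower() and data.strip() == "0":
        return "hidden_account"
    return None


def check_file_rename(detail: str) -> Optional[str]:
    _, _, new_path = detail.partition(" -> ")
    if new_path.lower().endswith(".chaos"):
        return "chaos_extension"
    return None


CHECKS = {"process_create": check_process, "registry_set": check_registry, "file_rename": check_file_rename}


def scan_events(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, host, rule, detail) for every event that matches a rule."""
    findings = []
    for line in lines:
        try:
            ts, host, etype, detail = line.split("|", 3)
        except ValueError:
            continue  # malformed line; skip rather than crash the scan
        check = CHECKS.get(etype)
        rule = check(detail) if check else None
        if rule:
            findings.append((ts, host, rule, detail))
    return findings


if __name__ == "__main__":
    for ts, host, rule, detail in scan_events(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}: {detail}")
```

The two WS-020 events show the false-positive boundary: GoodSync under Program Files and svchost.exe under System32 produce no finding, while the same names in unexpected locations do. Matching the file extension and the masquerading pattern matters more than matching tool names, since the advisory notes the exfiltration tool is renamed to blend in.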
This campaign is yet another reminder of how social engineering, when paired with advanced technical execution, continues to be a formidable threat vector. Organisations must double down on employee awareness, multi-layered security controls, and continuous threat monitoring to reduce the risk of compromise.