

Ethical Hacking News

The Emergence of Chaos RaaS: A New Threat Actor in the Ransomware Landscape



A new threat actor has emerged in the ransomware landscape: Chaos RaaS (Ransomware-as-a-Service). The group is believed to include former members of the BlackSuit crew, whose infrastructure was recently seized, and its tradecraft shows clear similarities with BlackSuit's. Chaos pairs social engineering for initial access with an encryptor built for evasion and anti-analysis, and has demanded $300,000 from victims, most of them in the United States, in exchange for a decryptor and a write-up of the intrusion. It is one example of a ransomware ecosystem that keeps adapting as law enforcement pressure mounts.

  • Chaos RaaS (Ransomware-as-a-Service) is a newly observed ransomware operation whose tradecraft overlaps with that of the recently seized BlackSuit group.
  • Intrusions start with low-effort spam flooding, escalate to voice-based social engineering for access, then abuse RMM tools for persistent access and legitimate file-sharing software for data exfiltration.
  • The group is believed to include former BlackSuit members. It is unrelated to the Chaos ransomware builder and its variants (Yashma, Lucky_Gh0$t) and appears to reuse that name to sow confusion.
  • Initial access relies on phishing and voice phishing that talks victims into installing remote desktop software, chiefly Microsoft Quick Assist; ransom demands of $300,000 have been observed.
  • Other ransomware operations are adapting too: DLL side-loading has been used to drop NailaoLocker, and ClickFix-like CAPTCHA lures trick users into downloading malicious HTA files.
  • According to NCC Group, ransomware attacks fell 43% in the second quarter of 2025, yet 86 groups are estimated to be active in 2025.



    In recent months the ransomware landscape has seen an influx of new threats. Among them, the emergence of Chaos RaaS (Ransomware-as-a-Service) stands out: its tradecraft overlaps with that of the recently seized BlackSuit group, illustrating how ransomware operations regroup after law enforcement action.

    According to Cisco Talos researchers, Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access, followed by RMM tool abuse for persistent connection and legitimate file-sharing software for data exfiltration. The ransomware utilizes multi-threaded rapid selective encryption, anti-analysis techniques, and targets both local and network resources, maximizing impact while hindering detection and recovery.

    The Chaos RaaS group is believed to comprise former members of the BlackSuit crew, whose dark web infrastructure was seized as part of a joint law enforcement effort called Operation Checkmate. The group is, however, unrelated to the Chaos ransomware builder and its variants such as Yashma and Lucky_Gh0$t; the shared name appears to be a deliberate attempt to sow confusion.

    Chaos RaaS has been observed seeking ransoms of $300,000 from victims in exchange for a decryptor and a "detailed penetration overview with main kill chain and security recommendations." The attacks involve a combination of phishing and voice phishing techniques to obtain initial access by tricking victims into installing remote desktop software, particularly Microsoft Quick Assist.

    The threat actors then carry out post-compromise discovery and reconnaissance and install further RMM tools such as AnyDesk, ScreenConnect, OptiTune, Syncro RMM, and Splashtop to establish persistent remote access to the network. The Chaos encryptor runs on Windows, ESXi, Linux and NAS systems, and data from Ransomware.live shows that the majority of its victims are in the United States.
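    The access chain in the two paragraphs above (a Quick Assist session, then an unapproved RMM tool, then a file-transfer tool) is the kind of sequence a detection engineer would want to correlate on endpoints. The script below is an added example, not code from the article, Cisco Talos or any vendor named here: it runs a small sequence rule over constructed process-creation events. The event format, host and user names, binary names and paths, the approved-RMM list and the 24-hour window are all assumptions to adapt to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process image names mapped to the chain stage they indicate. Every name here is an
# assumption for illustration; confirm the real binary names for products deployed
# in your environment and populate this table from your own inventory.
STAGE_BY_IMAGE = {
    "quickassist.exe": "quick_assist",            # Microsoft Quick Assist (victim launches it)
    "anydesk.exe": "rmm",
    "screenconnect.clientservice.exe": "rmm",     # ConnectWise ScreenConnect
    "optitune.exe": "rmm",
    "syncro.service.exe": "rmm",                  # Syncro RMM
    "srserver.exe": "rmm",                        # Splashtop streamer
    "rclone.exe": "exfil_tool",                   # cloud-sync CLI (assumed exfil channel)
    "winscp.exe": "exfil_tool",                   # SFTP client (assumed exfil channel)
}

# RMM products your IT team has actually sanctioned; any other RMM is unapproved.
APPROVED_RMM = {"screenconnect.clientservice.exe"}

# How long after the Quick Assist session follow-on activity is still correlated.
WINDOW = timedelta(hours=24)

# Constructed sample telemetry, not real events: "timestamp|host|user|image|parent".
SAMPLE_EVENTS = [
    "2025-07-22T09:05:00|WS01|jdoe|C:\\Program Files\\WindowsApps\\QuickAssist.exe|explorer.exe",
    "2025-07-22T09:40:00|WS01|jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe|explorer.exe",
    "2025-07-22T11:30:00|WS01|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe|cmd.exe",
    # WS02: Quick Assist followed by the sanctioned RMM client -> benign help-desk session
    "2025-07-22T10:00:00|WS02|asmith|C:\\Program Files\\WindowsApps\\QuickAssist.exe|explorer.exe",
    "2025-07-22T10:20:00|WS02|asmith|C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe|services.exe",
    # WS03: unapproved RMM with no preceding Quick Assist -> not this chain
    "2025-07-22T12:00:00|WS03|bli|C:\\Users\\bli\\Downloads\\AnyDesk.exe|explorer.exe",
    # WS04: Quick Assist three days before AnyDesk -> outside the correlation window
    "2025-07-19T08:00:00|WS04|mroe|C:\\Program Files\\WindowsApps\\QuickAssist.exe|explorer.exe",
    "2025-07-22T08:30:00|WS04|mroe|C:\\Users\\mroe\\Downloads\\AnyDesk.exe|explorer.exe",
]


def parse_event(line):
    """Parse one 'ts|host|user|image|parent' line; image and parent become lower-cased basenames."""
    ts, host, user, image, parent = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "image": image.rsplit("\\", 1)[-1].lower(),
        "parent": parent.rsplit("\\", 1)[-1].lower(),
    }


def detect_chain(lines):
    """Return {host: [stages]} for hosts where Quick Assist was followed, within WINDOW,
    by an unapproved RMM binary and optionally by a file-transfer tool."""
    by_host = defaultdict(list)
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings = {}
    for host, events in by_host.items():
        qa_time, stages = None, []
        for ev in events:
            stage = STAGE_BY_IMAGE.get(ev["image"])
            if stage == "quick_assist":
                # A new remote-support session restarts the sequence for this host.
                qa_time, stages = ev["ts"], ["quick_assist"]
            elif stage == "rmm" and qa_time and ev["ts"] - qa_time <= WINDOW \
                    and ev["image"] not in APPROVED_RMM:
                if "unapproved_rmm" not in stages:
                    stages.append("unapproved_rmm")
            elif stage == "exfil_tool" and "unapproved_rmm" in stages \
                    and ev["ts"] - qa_time <= WINDOW:
                if "exfil_tool" not in stages:
                    stages.append("exfil_tool")
        if "unapproved_rmm" in stages:
            findings[host] = stages
    return findings


if __name__ == "__main__":
    for host, stages in detect_chain(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(stages)}")
```

    On the constructed sample only WS01 is flagged, with all three stages. WS03 is deliberately left unflagged by this rule because it lacks the Quick Assist precursor; in practice an unapproved RMM install on its own still deserves an alert, so treat this sequence rule as a high-confidence layer on top of a plain allow-list check rather than a replacement for it.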

    Law enforcement efforts have been ongoing to combat ransomware threats, with the U.S. Federal Bureau of Investigation (FBI) and the Department of Justice (DoJ) recently announcing the seizure of 20.2891382 BTC (now valued at over $2.4 million) from a cryptocurrency wallet address associated with a member of the Chaos ransomware group known as Hors. This development underscores the growing importance of collaborative law enforcement efforts in tackling the ever-evolving landscape of ransomware attacks.

    Other recent ransomware activity shows the same adaptability: DLL side-loading has been used to drop NailaoLocker, and ClickFix-like lures trick users into downloading malicious HTML Application (HTA) files under the pretext of completing a CAPTCHA verification check. The Epsilon Red ransomware, first identified in 2021, leaves a ransom note on infected computers that resembles the REvil ransom note, with minor grammatical improvements.

    According to NCC Group, ransomware attacks in the second quarter of 2025 dropped 43% to 1,180, down from 2,074 in Q1 2025. Qilin was the most active ransomware group in the period with 151 attacks, followed by Akira (131), Play (115), SafePay (108), and Lynx (46). In all, 86 new and existing groups are estimated to be active in 2025.

    The volume of victims being exposed on ransomware leak sites might be declining, but this doesn't mean threats are reduced. "Law enforcement crackdowns and leaked ransomware source code is possibly a contributing factor as to a drop in activity," said Matt Hull, Global Head of Threat Intelligence at NCC Group. "Ransomware groups are using this opportunity to evolve through rebranding and the use of advanced social engineering tactics."



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Emergence-of-Chaos-RaaS-A-New-Threat-Actor-in-the-Ransomware-Landscape-ehn.shtml

  • https://thehackernews.com/2025/07/chaos-raas-emerges-after-blacksuit.html


  • Published: Tue Jul 29 10:56:59 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
