
New Chaos ransomware group linked to BlackSuit amid site seizures

The BlackSuit ransomware group’s data leak sites and negotiation portals were seized in an international law enforcement operation dubbed Operation Checkmate this week.

The BlackSuit gang, which emerged in 2023, is believed to be tied to the Royal ransomware operation, which itself is suspected to consist mostly of former members of the now-shuttered Conti ransomware group.

Now, a new generation of this ransomware family may be emerging, as Cisco Talos reported Thursday that a ransomware-as-a-service (RaaS) gang dubbed "Chaos" bears multiple similarities to the BlackSuit operation.

Chaos ransomware first appeared around February 2025, mostly targets U.S. organizations, and advertises itself on the Russian cybercrime forum Ransom Anonymous Market Place (RAMP). Cisco Talos noted that the group is unrelated to the older Chaos ransomware builder and may have adopted the same name deliberately to confuse researchers.

Attacks claimed by Chaos include a reported breach of the Salvation Army in May and the alleged theft of 69 GB of data from Optima Tax Relief.

Cisco Talos assessed with moderate confidence that Chaos is either operated by former BlackSuit members or a rebrand of the BlackSuit group itself. This is due to similarities in tactics, techniques and procedures (TTPs) including similar encryption processes, ransom notes and tool use.

One notable similarity is the use of specific encryption configuration parameters in both ransomware strains that, while named differently, share the same purpose.

Chaos calls three of these parameters “lkey,” “encrypt_step” and “kill_vms” while BlackSuit calls them “id,” “ep” and “stopvm,” respectively. In both strains, these parameters provide a 32-byte encryption key, define the portion of files to be encrypted and stop virtual machines from running on the targeted machine.

The ransom notes of the two groups also share a similar structure and include similar references to the failure of the target’s security systems and threats about legal and reputational repercussions. Both groups also direct victims to a .onion link and offer security findings in addition to data recovery if the ransom is paid.  

Both Chaos and BlackSuit target local and network resources for encryption and exfiltration, and both make use of similar living-off-the-land binaries (LOLBins) and remote monitoring and management (RMM) tools in their attacks, including AnyDesk and ScreenConnect.

A joint cybersecurity advisory from the Cybersecurity & Infrastructure Security Agency (CISA) on BlackSuit/Royal ransomware notes that the group mainly obtains initial access via malware downloads from phishing emails. Cisco Talos found that Chaos instead often relies on voice phishing (vishing) and IT staff impersonation: the attackers first spam the victim with emails requesting a phone call, then use the call to convince them to grant access via remote assistance software.
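The RMM-tool abuse described above (AnyDesk and ScreenConnect delivered after a vishing call and run by the victim) leaves a process-creation trail that a SOC can match on. The following is an added example of that detection logic, not code from Cisco Talos or SC Media: it runs over constructed Sysmon Event ID 1-style records (the hostnames, users and paths are invented, and the sanctioned ScreenConnect install root is a hypothetical corporate policy) and flags RMM binaries launched outside the sanctioned location, from user-writable directories, or as children of a browser or mail client.

```python
import re

# Constructed sample events in a Sysmon Event ID 1 (process create) shape.
# Hostnames, users and paths are invented for this example.
SAMPLE_EVENTS = [
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-0142", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientSetup.exe",
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"host": "SRV-IT01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (0123456789abcdef)\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "WS-0200", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

# Image names of the two RMM tools named in the article.
RMM_IMAGE_RE = re.compile(r"(anydesk|screenconnect)[^\\]*\.exe$", re.IGNORECASE)

# Hypothetical install root the IT team sanctions for its own RMM agent.
SANCTIONED_ROOTS = (
    r"C:\Program Files (x86)\ScreenConnect Client",
)

# Directories any interactive user can write to; an RMM binary launched from
# here is consistent with "download this and run it" social engineering.
USER_WRITABLE_RE = re.compile(r"^C:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.IGNORECASE)

# Parents that indicate the binary was just downloaded or delivered by mail.
DELIVERY_PARENT_RE = re.compile(r"\\(firefox|chrome|msedge|outlook)\.exe$", re.IGNORECASE)


def classify(event):
    """Return the reasons an event looks like unsanctioned RMM use, or [] if clean."""
    image = event["image"]
    if not RMM_IMAGE_RE.search(image):
        return []
    if any(image.lower().startswith(root.lower()) for root in SANCTIONED_ROOTS):
        return []
    reasons = ["rmm binary outside sanctioned install root"]
    if USER_WRITABLE_RE.match(image):
        reasons.append("launched from user-writable directory")
    if DELIVERY_PARENT_RE.search(event["parent"]):
        reasons.append("parent is a browser/mail client (download-and-run)")
    return reasons


def detect_rmm(events):
    """Run classify() over all events and return the flagged ones with their reasons."""
    alerts = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "image": ev["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_rmm(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], alert["image"], "->", "; ".join(alert["reasons"]))
```

The sanctioned-root allowlist is what keeps this rule from paging on the IT team's own agent; the two WS-0142 events are flagged because the same tools appear under a user profile, which is exactly the footprint of a victim installing remote assistance software at a caller's request.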

Chaos maximizes impact by targeting both local and network assets, and uses rapid multi-threaded and partial encryption to accelerate attacks. It maintains stealth by evading sandbox environments, attempting to uninstall security tools, and avoiding the exfiltration of files that are more likely to trigger detection, such as 7-Zip compressed archives, Microsoft Outlook files and generic database files.
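Both the "encrypt_step"/"ep" parameter mentioned earlier and the partial encryption noted here refer to the same idea: touching only a fraction of each file, which speeds the attack and also defeats detectors that compute entropy over a whole file. The block below is an added example written for this page, not code from either ransomware family or from Cisco Talos. It models step-based partial encryption on an in-memory, constructed CSV document (the meaning of `step` as "encrypt one block out of every `step` blocks" is an assumption; the article does not describe the real parameter's semantics), using a SHA-256 counter-mode keystream as a stand-in for a real cipher, and then contrasts a whole-file entropy check with a per-block one.

```python
import hashlib
import math

BLOCK_SIZE = 4096

# Constructed plaintext: a repetitive CSV-like document truncated to exactly
# 16 blocks so the encrypted fraction works out cleanly.
PLAINTEXT = (b"id,name,balance\n" + b"1001,Alice Example,1234.56\n" * 2500)[:16 * BLOCK_SIZE]
KEY = bytes(range(32))      # 32-byte key, like the lkey/id parameter; fixed here for determinism
NONCE = b"\x00" * 8         # assumed per-file nonce


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter-mode keystream (illustrative stand-in for a stream cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:length])


def partial_encrypt(data: bytes, key: bytes, nonce: bytes,
                    block_size: int = BLOCK_SIZE, step: int = 4) -> bytes:
    """XOR-encrypt one block out of every `step` blocks; step=1 encrypts everything.
    Applying the function twice with the same key/nonce restores the input."""
    assert len(key) == 32
    out = bytearray(data)
    for start in range(0, len(data), block_size * step):
        chunk = data[start:start + block_size]
        ks = keystream(key, nonce + start.to_bytes(8, "little"), len(chunk))
        out[start:start + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def shannon_entropy(buf: bytes) -> float:
    """Entropy in bits per byte of the whole buffer."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def max_block_entropy(data: bytes, block_size: int = BLOCK_SIZE) -> float:
    """Highest entropy of any single block: the per-block detector."""
    return max(shannon_entropy(data[i:i + block_size])
               for i in range(0, len(data), block_size))


def encrypted_fraction(data: bytes, block_size: int, step: int) -> float:
    """Share of bytes the step schedule actually touches."""
    touched = sum(len(data[s:s + block_size]) for s in range(0, len(data), block_size * step))
    return touched / len(data)


if __name__ == "__main__":
    partial = partial_encrypt(PLAINTEXT, KEY, NONCE, BLOCK_SIZE, 4)
    full = partial_encrypt(PLAINTEXT, KEY, NONCE, BLOCK_SIZE, 1)
    print("fraction touched (step=4):", encrypted_fraction(PLAINTEXT, BLOCK_SIZE, 4))
    for label, buf in (("plaintext", PLAINTEXT), ("partial", partial), ("full", full)):
        print(f"{label:>9}: whole-file {shannon_entropy(buf):.2f}  max-block {max_block_entropy(buf):.2f}")
```

With step=4 only a quarter of the bytes change, so the whole-file entropy of the partially encrypted document stays well under the near-8-bit level a "fully encrypted" threshold looks for, while the per-block maximum is indistinguishable from the fully encrypted case. A file-write monitor that scores each written block, rather than the file as a whole, is what closes that gap.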

The emergence of Chaos and the seizure of BlackSuit's sites take place amid a years-long shakeup in the ransomware ecosystem, including law enforcement disruptions of ALPHV/BlackCat and LockBit last year, the meteoric rise and sudden disappearance of RansomHub, and the seizure of the 8Base ransomware site and arrests of four of its alleged operators in February.

NCC Group reported this week that global ransomware incidence declined by 43% between the first and second quarters of 2025, with Qilin being the most prolific ransomware group in recent months.
