The new BlackSuit creates Chaos
- Javier Conejo del Cerro
- 30 Jul
- 3 min read

In the ever-evolving world of ransomware, one gang falls and another rises. Following the law enforcement takedown of BlackSuit’s infrastructure, a new group has emerged from the shadows. Known as Chaos, this ransomware-as-a-service (RaaS) operation appears to be composed of former BlackSuit members. With refined techniques, selective encryption, and a polished extortion scheme, Chaos is now demanding $300,000 from its U.S.-based victims—hitting hard across sectors with a combination of voice phishing and remote access tools.
Unlike its predecessor, Chaos combines low-friction social engineering with stealthy tooling to gain persistence, exfiltrate data, and cripple systems—all while evading early detection. Its operations mark a significant evolution in the post-BlackSuit threat landscape, signaling that even after a takedown, ransomware crews remain a moving target.
New tuxedo and gloves
Chaos is casting a wide net across the U.S. economy. The group targets mid-size and enterprise-level businesses across various sectors—finance, healthcare, education, manufacturing, and technology. Victims are not selected for niche vulnerabilities, but rather for their exposure to simple human error and outdated remote access practices.
Attackers initiate contact through a mix of phishing emails and vishing calls, impersonating internal IT or helpdesk staff. By presenting legitimate-sounding scenarios and using familiar terminology, they convince targets to install Microsoft Quick Assist or other remote desktop software. This creates the initial bridge into the environment, where Chaos can then begin its full-scale incursion.
Organizations with distributed workforces or remote support channels are particularly vulnerable, as the attackers exploit trust-based workflows and urgent-sounding requests to bypass scrutiny.
White-collar breach
The breach begins with a deceptively simple entry point: a phishing email or phone call from someone claiming to be a technician or co-worker in need of quick access. Using these pretexts, Chaos operators direct victims to install Microsoft Quick Assist or other legitimate tools. Once connected, the attackers rapidly install additional Remote Monitoring and Management (RMM) software such as AnyDesk, ScreenConnect, OptiTune, Syncro, or Splashtop to establish persistent access beyond the initial session.
From there, the group performs detailed internal reconnaissance—mapping the network, identifying critical assets, and harvesting credentials. Logs from PowerShell and existing security tools are wiped to eliminate evidence and delay detection.
Before deploying the ransomware payload, Chaos exfiltrates valuable data using GoodSync, a legitimate file synchronization tool. This enables a double extortion scheme: first encrypting the data, then threatening to leak it. The ransomware binary itself is highly optimized, using multithreading to quickly encrypt both local and network files. The payload includes anti-analysis mechanisms, making it harder for defenders to dissect or sandbox the malware.
Victims are left with a ransom note demanding $300,000 in exchange for a decryption tool and a so-called “penetration test report”—a disturbing twist that frames the attack as a professional service.
Spotting the spotters
While Chaos may operate under a new name, its tactics and tools reflect the collective knowledge of ransomware veterans. Organizations must elevate their defenses beyond simple endpoint protection to combat this type of intrusion.
- Disable and uninstall unused RMM software across the environment.
- Enforce strict controls and identity verification for remote access tools like Quick Assist.
- Train staff to recognize voice phishing tactics and verify any unsolicited IT requests.
- Monitor for usage of GoodSync or any unauthorized file transfer utilities.
- Watch for lateral movement patterns and privilege escalation.
- Harden endpoints against multithreaded encryption and employ behavioral analytics for early ransomware detection.
- Isolate and regularly validate backups to ensure they are both functional and protected from overwrite or deletion.
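The recommendations above to inventory RMM software and to monitor for GoodSync can be turned into a simple telemetry rule. The following is an added example written for this article, not code from the original post or from any vendor: it takes process-creation records and Windows log-clearing events (already normalised to dicts), flags any remote-access or sync tool named in the post that is not on a per-host approved list, and raises a host to high priority when two of the stages described in the breach section (remote access, sync-tool staging, log clearing) appear together. The path patterns, the approved-tool table, the sample hosts, users and paths are all assumptions to be replaced with your own software inventory.

```python
"""Flag unapproved remote-access/sync tooling and log clearing in host telemetry.

Added example, not code from the original post. Input events are assumed to be
process-creation records already normalised to dicts with 'ts', 'host', 'user'
and 'image' keys, plus Windows event records carrying 'event_id'. The
approved-tool table and the tool path patterns are assumptions to adapt to your
own software inventory.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Tools named in the post. Patterns are case-insensitive substrings expected in
# the image path of each product's processes (assumption: vendors install under
# a folder or binary name containing their product name).
TOOL_PATTERNS = {
    "Quick Assist": "quickassist",
    "AnyDesk": "anydesk",
    "ScreenConnect": "screenconnect",
    "OptiTune": "optitune",
    "Syncro": "syncro",
    "Splashtop": "splashtop",
    "GoodSync": "goodsync",
}
SYNC_TOOLS = {"GoodSync"}  # used for exfiltration staging, per the post
# Windows event IDs written when a log is cleared: 1102 (Security), 104 (System).
LOG_CLEARED_EVENT_IDS = {1102, 104}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    category: str  # "rmm", "sync" or "logclear"
    detail: str


def classify_tool(image: str) -> Optional[str]:
    """Return the product whose pattern appears in the image path, else None."""
    low = image.lower()
    for name, needle in TOOL_PATTERNS.items():
        if needle in low:
            return name
    return None


def detect(events: List[dict], approved: Dict[str, Set[str]]) -> List[Finding]:
    """Emit one Finding per event that violates policy.

    approved maps host -> set of tool names sanctioned on that host (e.g. the
    helpdesk's own ScreenConnect). Anything else in TOOL_PATTERNS is flagged.
    """
    findings: List[Finding] = []
    for ev in events:
        host, user, ts = ev.get("host", "?"), ev.get("user", "?"), ev.get("ts", "?")
        if ev.get("event_id") in LOG_CLEARED_EVENT_IDS:
            findings.append(Finding(ts, host, user, "logclear",
                                    f"event log cleared (event id {ev['event_id']})"))
            continue
        tool = classify_tool(ev.get("image", ""))
        if tool is None or tool in approved.get(host, set()):
            continue
        category = "sync" if tool in SYNC_TOOLS else "rmm"
        findings.append(Finding(ts, host, user, category,
                                f"{tool} started from {ev['image']}"))
    return findings


def score_hosts(findings: List[Finding]) -> Dict[str, str]:
    """Rate each host 'high' when two or more distinct stages (remote access,
    sync-tool staging, log clearing) appear on it, otherwise 'medium'."""
    stages = defaultdict(set)
    for f in findings:
        stages[f.host].add(f.category)
    return {h: ("high" if len(s) >= 2 else "medium") for h, s in stages.items()}


# Constructed sample telemetry (hosts, users, paths and timestamps are made up).
APPROVED = {"HD-01": {"ScreenConnect", "Quick Assist"}}
SAMPLE_EVENTS = [
    {"ts": "2025-07-30T14:02:11", "host": "HD-01", "user": "ACME\\helpdesk1",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2025-07-30T14:05:40", "host": "WS-FIN-07", "user": "ACME\\jdoe",
     "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe"},
    {"ts": "2025-07-30T14:09:03", "host": "WS-FIN-07", "user": "ACME\\jdoe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"ts": "2025-07-30T14:31:57", "host": "WS-ENG-03", "user": "ACME\\asmith",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": "2025-07-30T15:12:20", "host": "WS-FIN-07", "user": "ACME\\jdoe",
     "image": r"C:\Program Files\Siber Systems\GoodSync\GoodSync.exe"},
    {"ts": "2025-07-30T15:40:02", "host": "WS-FIN-07", "user": "ACME\\jdoe",
     "event_id": 1102},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS, APPROVED)
    for f in found:
        print(f"{f.ts} {f.host} {f.user} [{f.category}] {f.detail}")
    print(score_hosts(found))
```

Run against the constructed sample, the helpdesk host's sanctioned ScreenConnect and the unrelated svchost.exe produce nothing, while WS-FIN-07 collects four findings (Quick Assist, AnyDesk, GoodSync, Security log cleared) and is rated high. The substring patterns are deliberately loose so that renamed downloads such as a copy of AnyDesk in a user's Downloads folder still match; tighten them against your software inventory to keep false positives down.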
As Chaos proves, a law enforcement win is not the end—just a pivot point. The playbook remains the same, but the actors, names, and tactics keep evolving. Staying ahead requires not just reactive controls, but proactive preparation and a culture of skepticism in the face of manipulation.