
Chaos Ransomware

Chaos Ransomware is a ransomware family and ransomware-as-a-service (RaaS) operation referenced in 2025 reporting. The malware is described as having evolved to a C++ implementation and using destructive extortion tactics, including deleting large files. Reporting also states that it hijacks the Bitcoin clipboard, indicating an additional cryptocurrency theft capability. Separate reporting describes Chaos Ransomware as a new RaaS group likely linked to former BlackSuit operators and using vishing and double-extortion tactics. Law-enforcement-related reporting further notes that the FBI seized 20 BTC from a Chaos Ransomware affiliate that targeted Texas firms. High-confidence details in the provided content are limited; no specific technical indicators, file hashes, ransom note names, or detailed infection-chain artifacts for the ransomware itself are provided.


MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1598.004 Spearphishing Voice (Evidence: 1)

Chaos Ransomware: New RaaS Group (Likely Former BlackSuit) Unleashes Vishing & Double Extortion

Execution

1 technique
T1204.002 Malicious File (Evidence: 1)

This activity can be significant as ".URL" files can be used as a means to trick the user into visiting certain websites unknowingly, or, when placed in certain locations such as "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\", they may allow the execution of malicious code upon system reboot.

Persistence

2 techniques
T1112 Modify Registry (Evidence: 1)

including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder

T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

delay of execution as part of its defense evasion technique, persistence through registry and startup folder

Privilege Escalation

1 technique
T1547.001 Registry Run Keys / Startup Folder (Evidence: 1)

delay of execution as part of its defense evasion technique, persistence through registry and startup folder

Stealth

3 techniques
T1036 Masquerading (Evidence: 1)

Executables Or Script Creation In Temp Path ... T1036

T1497.001 System Checks (Evidence: 1)

This ransomware is capable of checking that only one copy of itself is running on the targeted host.

T1497.003 Time Based Checks (Evidence: 1)

This ransomware is capable of checking that only one copy of itself is running on the targeted host; delay of execution as part of its defense evasion technique.

Defense Impairment

1 technique
T1112 Modify Registry (Evidence: 1)

including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage, registry key modification, dropping of files in startup folder

Discovery

2 techniques
T1497.001 System Checks (Evidence: 1)

This ransomware is capable of checking that only one copy of itself is running on the targeted host.

T1497.003 Time Based Checks (Evidence: 1)

This ransomware is capable of checking that only one copy of itself is running on the targeted host; delay of execution as part of its defense evasion technique.

Lateral Movement

1 technique
T1570 Lateral Tool Transfer (Evidence: 1)

drop a copy of itself in each root drive of the targeted host and also in %appdata% folder

Collection

1 technique
T1115 Clipboard Data (Evidence: 1)

Chaos Ransomware Evolves to C++, Uses Destructive Extortion to Delete Large Files and Hijack Bitcoin Clipboard

Exfiltration

2 techniques
T1537 Transfer Data to Cloud Account (Evidence: 1)

After an undisclosed amount of time, the hackers sent multiple emails to employees of the company threatening to leak stolen data if a ransom was not paid. The extortion process was clumsy but the hackers later published stolen data that the company confirmed is legitimate, according to the researchers.

T1567 Exfiltration Over Web Service (Evidence: 1)

After an undisclosed amount of time, the hackers sent multiple emails to employees of the company threatening to leak stolen data if a ransom was not paid... the hackers later published stolen data that the company confirmed is legitimate.

Impact

4 techniques
T1485 Data Destruction (Evidence: 1)

Chaos Ransomware Evolves to C++, Uses Destructive Extortion to Delete Large Files and Hijack Bitcoin Clipboard

T1486 Data Encrypted for Impact (Evidence: 4)

Chaos Ransomware: New RaaS Group (Likely Former BlackSuit) Unleashes Vishing & Double Extortion

T1490 Inhibit System Recovery (Evidence: 1)

including looking for file writes (file encryption and ransomware notes), deleting shadow volume storage

T1657 Financial Theft (Evidence: 2)

Chaos Ransomware: New RaaS Group (Likely Former BlackSuit) Unleashes Vishing & Double Extortion

INDICATORS OF COMPROMISE

IOCs tracked for this family

12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
9 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type          Value                   Latest sighting
domain        (not shown publicly)    2 months ago
ip.v4         (not shown publicly)    2 months ago
ip.v4         (not shown publicly)    2 months ago
hash.sha256   (not shown publicly)    9 months ago
hash.sha256   (not shown publicly)    9 months ago
hash.sha256   (not shown publicly)    9 months ago