Chaos Ransomware
Chaos Ransomware is a ransomware family and ransomware-as-a-service (RaaS) operation referenced in 2025 reporting. The malware is described as having evolved to a C++ implementation and using destructive extortion tactics, including deleting large files. Reporting also states that it hijacks the Bitcoin clipboard, indicating an additional cryptocurrency theft capability. Separate reporting describes Chaos Ransomware as a new RaaS group likely linked to former BlackSuit operators and using vishing and double-extortion tactics. Law-enforcement-related reporting further notes that the FBI seized 20 BTC from a Chaos Ransomware affiliate that targeted Texas firms. High-confidence details in the provided content are limited; no specific technical indicators, file hashes, ransom note names, or detailed infection-chain artifacts for the ransomware itself are provided.
Techniques & procedures
15 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance: 1 technique
Execution: 1 technique
This activity can be significant because ".URL" files can be used as a means to trick the user into visiting certain websites unknowingly, or, when placed in certain locations such as "\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\", they may allow the execution of malicious code upon system reboot.
Persistence: 2 techniques
Privilege Escalation: 1 technique
Stealth: 3 techniques
Defense Impairment: 1 technique
Discovery: 2 techniques
Lateral Movement: 1 technique
Collection: 1 technique
Exfiltration: 2 techniques
After an undisclosed amount of time, the hackers sent multiple emails to employees of the company threatening to leak stolen data if a ransom was not paid. The extortion process was clumsy but the hackers later published stolen data that the company confirmed is legitimate, according to the researchers.
Impact: 4 techniques
Chaos Ransomware Evolves to C++, Uses Destructive Extortion to Delete Large Files and Hijack Bitcoin Clipboard
Chaos Ransomware: New RaaS Group (Likely Former BlackSuit) Unleashes Vishing & Double Extortion
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Referenced only as related reading; no operational connection to ChaosBot is established in the content.
A ransomware family referenced as an associated analytic story.
Ransomware family described as evolving to C++ and using destructive extortion techniques, including deleting large files and hijacking the Bitcoin clipboard.
Ransomware targeting organizations in Texas, with law enforcement seizing cryptocurrency from an affiliate.