August 1, 2025
By esentry Team

Old Dogs, New Scams

When a wolf changes its fur, it doesn't mean it's given up on the hunt.

There’s a new ransomware-as-a-service (RaaS) player in town called Chaos. The name might ring a familiar bell, but don’t get it twisted: this isn’t a remix of the old Chaos malware.

Old Gang, New Branding

It’s like a reboot nobody asked for, but somehow it’s more dangerous. And this isn’t your average copy-paste threat group.

Evidence suggests Chaos might be the evolution of BlackSuit:

  • Similar ransom note tone (“This was just a security test. Pinky promise. Pay us.”)
  • Identical encryption commands
  • Nearly matching toolkits and behaviors

So don’t be fooled by the name change. The house may look different, but the burglars haven’t switched careers.

Vishing Is the New Phishing

While other ransomware gangs are still sliding into inboxes, Chaos is making phone calls.

Here’s how they play their game:

  • Targets get spammed with fake IT alerts.
  • They’re urged to call a fake “tech support” hotline.
  • Once on the line, victims are manipulated into launching Microsoft Quick Assist, essentially opening the front door and inviting the attacker in for coffee.

Smooth, right?

Once inside, Chaos actors install a buffet of Remote Monitoring and Management (RMM) tools like:

  • AnyDesk
  • ScreenConnect
  • OptiTune
  • Syncro RMM
  • Splashtop

Why? Persistence. Control. Comfort.

Recon, Ransom, Repeat

  • Reconnaissance: They run tools like ipconfig, tasklist.exe, and nltest to map the network like it’s a vacation rental.
  • Credential Harvesting: Techniques like Kerberoasting, alongside classic password resets via net.exe.
  • Stealthy Persistence: Registry tweaks hide user accounts, and MFA apps are disabled using wmic. You didn’t even know you had guests, did you?

And when they’re ready to drop the hammer?
They run:

    Enc.exe /lkey:"<32-byte key>" /encrypt_step:40 /work_mode:local_network

Translation: encrypt everything. Fast, quiet, and lethal.

Files get slapped with a .chaos extension, and a ransom note (readme.chaos.txt) lands on your screen, sweetly calling this an “IT audit.”

Encryption, Evasion & Extortion

Chaos ransomware uses:

  • Elliptic Curve Diffie-Hellman (ECDH) + AES-256 encryption
  • Multi-threading for rapid file encryption
  • Selective targeting to avoid system-breaking mistakes

And they’re slippery:

  • Avoiding sandboxes and VMs
  • Obfuscating strings
  • XOR-encrypting their config and ransom notes

Basically: they came prepared. They’re not here to make rookie mistakes or trigger early alarms.

Double Extortion and DDoS Drama

Encrypting your files is just Act 1.

Act 2? Stealing your data.

They use the legitimate GoodSync backup tool, renamed to wininit.exe, to exfiltrate files to cloud storage. Large files and uncommon file types are filtered out so the transfer flies under your security radar.
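To turn the chain described above (the Quick Assist hand-off, the RMM drop, net.exe password resets, hidden accounts, wmic removals, the Enc.exe command line, and the GoodSync binary renamed to wininit.exe) into something you can hunt for, here is an added example. It is not code from the esentry team or from the Chaos operators. It runs over process-creation events (Sysmon Event ID 1 or your EDR’s equivalent) mapped onto a plain dict with parent, image, and cmdline fields; that field mapping, the loose RMM product-name markers, the SpecialAccounts\UserList key as the account-hiding mechanism, and the sample events themselves are assumptions or constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Substrings that identify the RMM products named in the write-up (an assumption:
# installer and agent file names vary by version, so match loosely on the product name).
RMM_MARKERS = ("anydesk", "screenconnect", "optitune", "syncro", "splashtop")
RECON_TOOLS = {"ipconfig.exe", "tasklist.exe", "nltest.exe"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path ('' if no path was recorded)."""
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule a single process-creation event trips."""
    hits = []
    img = image_name(ev["image"])
    parent = image_name(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    lc = cmd.lower()

    # Remote-assist session (QuickAssist.exe) spawning an RMM installer or agent.
    if parent == "quickassist.exe" and any(m in img or m in lc for m in RMM_MARKERS):
        hits.append("rmm_via_quick_assist")
    elif any(m in img for m in RMM_MARKERS):
        hits.append("rmm_tool_execution")

    # net.exe password reset or account creation: 'net user <name> <password|/add>'.
    # Plain 'net user' (enumeration only) does not match.
    if img in {"net.exe", "net1.exe"} and re.search(r"\buser\s+\S+\s+\S+", lc):
        hits.append("net_user_modify")

    # Hiding a local account from the logon screen via the SpecialAccounts\UserList key
    # (assumed mechanism behind the "registry tweaks hide user accounts" note above).
    if img == "reg.exe" and "specialaccounts\\userlist" in lc and "/d 0" in lc:
        hits.append("hidden_account_registry")

    # Software removal through wmic, the route used against MFA agents.
    if img == "wmic.exe" and "product" in lc and "uninstall" in lc:
        hits.append("wmic_product_uninstall")

    # Encryptor invocation shape: /lkey:<key> /encrypt_step:<n> /work_mode:<mode>.
    if re.search(r"/lkey:\S+.*?/encrypt_step:\d+.*?/work_mode:\S+", cmd, re.I):
        hits.append("chaos_encryptor_cmdline")

    # The real wininit.exe lives only in System32; anywhere else it is a renamed tool.
    if img == "wininit.exe" and PureWindowsPath(ev["image"]).parent != SYSTEM32:
        hits.append("wininit_masquerade")
    return hits


def recon_bursts(events: list[dict], threshold: int = 2) -> dict[str, list[str]]:
    """Parents that launched at least `threshold` distinct recon tools."""
    seen: dict[str, set] = {}
    for ev in events:
        img = image_name(ev["image"])
        if img in RECON_TOOLS:
            seen.setdefault(ev.get("parent", ""), set()).add(img)
    return {p: sorted(t) for p, t in seen.items() if len(t) >= threshold}


def triage(events: list[dict]) -> dict[str, list[int]]:
    """Map each rule name to the indexes of the events that tripped it."""
    findings: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(i)
    return findings


# Constructed sample telemetry for this example; not real events from any incident.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\quickassist.exe", "image": r"C:\Users\bob\Downloads\AnyDesk.exe", "cmdline": "AnyDesk.exe --install"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net.exe", "cmdline": "net user svc_backup N3wPassw0rd!"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\reg.exe", "cmdline": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\wbem\wmic.exe", "cmdline": "wmic product where \"name like '%Authenticator%'\" call uninstall"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\ProgramData\wininit.exe", "cmdline": "wininit.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Temp\Enc.exe", "cmdline": 'Enc.exe /lkey:"0123456789abcdef0123456789abcdef" /encrypt_step:40 /work_mode:local_network'},
    {"parent": r"C:\Windows\System32\smss.exe", "image": r"C:\Windows\System32\wininit.exe", "cmdline": "wininit.exe"},  # benign
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},  # benign enumeration
]

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS).items():
        print(f"{rule:26} events {idx}")
    print("recon bursts:", recon_bursts(SAMPLE_EVENTS))
```

The two benign events at the end are the point of the exercise: the genuine wininit.exe under System32 and a bare "net user" enumeration stay quiet, while the same binaries from the wrong path or with a reset argument light up. Feed it your own Sysmon or EDR export after mapping the field names, and tune the RMM markers to whatever remote-support tool your own IT team legitimately uses.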

Whether they call themselves Chaos, BlackSuit, or something shinier next quarter, it’s clear these attackers are leveling up their branding, playbooks, and emotional manipulation.

The attacks are smoother, the storytelling is cleaner, and the stakes are higher than ever.
Remember, every unlocked door is an invitation.

What You Can (and Should) Do Now

  • Disable Microsoft Quick Assist organization-wide.
  • Block installations of AnyDesk, ScreenConnect, Splashtop, and the like, allow-listing only the RMM tool your own IT team actually uses.
  • Train your employees to spot vishing tactics, especially the “urgent, call IT now” messages.
  • Harden your endpoints with EDR/XDR and set traps for suspicious behaviors.
  • Inspect cloud backup and sync activity for tools (like GoodSync) and destinations you don’t recognize.
  • Segment your network, lock down lateral movement, and audit service accounts regularly.