Chaos is a rapidly evolving Ransomware-as-a-Service (RaaS) group first observed in early 2025. It is considered distinct and unaffiliated with the Chaos Ransomware Builder that originated around 2021. Known for highly aggressive double-extortion operations, Chaos targets organizations across multiple platforms—Windows, ESXi, Linux, and NAS—with fast, configurable encryption mechanisms and optional partial-file targeting for stealth. Attackers gain access through vulnerabilities, phishing, or brokered credentials, then encrypt files while threatening to leak or destroy stolen data. Notable incidents include the breach of Optima Tax Relief, in which the group exfiltrated 69 GB of sensitive data before encrypting systems.
This group has no curated TTPs. An AI-ESTIMATED MITRE mapping (unconfirmed) can be generated from its description/notes, only on request.
Defensive detection signature for this group, for detection/blocking in your EDR/SIEM. Source: ransomware.live.
```yara
rule ransomware_win_chaos {
    meta:
        id = "c1876a18-0618-44e2-8919-b4a041de97e7"
        description = "Detects the Chaos Ransomware"
        author = "Sekoia.io"
        version = "1.0"
        creation_date = "2022-01-18"
        classification = "TLP:CLEAR"
    strings:
        $rep00 = "\\Desktop" wide
        $rep01 = "\\Links" wide
        $rep02 = "\\Contacts" wide
        $rep03 = "\\Documents" wide
        $rep04 = "\\Downloads" wide
        $rep05 = "\\Pictures" wide
        $rep06 = "\\Music" wide
        $rep07 = "\\OneDrive" wide
        $rep08 = "\\Saved Games" wide
        $rep09 = "\\Favorites" wide
        $rep10 = "\\Searches" wide
        $rep11 = "\\Videos" wide
        $rep12 = "C:\\Users\\" wide
        $str0 = "svchost.exe" wide
        $str1 = "\\privateKey.chaos" wide
        $str2 = "Chaos Ransomware" wide
        $str3 = "read_it.txt" wide
        $str4 = "<EncryptedKey>" wide
        $str5 = "passwordBytes" ascii
        $str6 = "lookForDirectories" ascii
        $str7 = "Rfc2898DeriveBytes" ascii
        $str8 = "ICryptoTransform" ascii
        $str9 = "FromBase64String" ascii
        $ext0 = ".torrent" wide
        $ext1 = ".ibank" wide
        $ext2 = ".wallet" wide
        $ext3 = ".swift" wide
        $ext4 = ".onetoc2" wide
    condition:
        uint16(0) == 0x5a4d and
        filesize > 50KB and filesize < 2MB and
        6 of ($str*) and 10 of ($rep*) and 4 of ($ext*)
}
```
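As an added example (not part of this page and not Sekoia's code), the rule's condition block re-implemented in plain Python so that a reader can see exactly what a file must contain to match: an MZ header, a size between 50 KB and 2 MB, and enough of the `wide` (UTF-16LE) and `ascii` strings. The sample buffers are constructed here; `build_sample` and `rule_matches` are names chosen for this example.

```python
# Added example: the ransomware_win_chaos condition in plain Python.
# YARA "wide" means UTF-16LE, which is how .NET stores string literals
# (the #US heap); type and member names such as Rfc2898DeriveBytes live in
# the #Strings heap as 8-bit text, hence the "ascii" modifier on those.
REP_WIDE = ["\\Desktop", "\\Links", "\\Contacts", "\\Documents", "\\Downloads",
            "\\Pictures", "\\Music", "\\OneDrive", "\\Saved Games", "\\Favorites",
            "\\Searches", "\\Videos", "C:\\Users\\"]
STR_WIDE = ["svchost.exe", "\\privateKey.chaos", "Chaos Ransomware",
            "read_it.txt", "<EncryptedKey>"]
STR_ASCII = ["passwordBytes", "lookForDirectories", "Rfc2898DeriveBytes",
             "ICryptoTransform", "FromBase64String"]
EXT_WIDE = [".torrent", ".ibank", ".wallet", ".swift", ".onetoc2"]


def wide(s: str) -> bytes:
    return s.encode("utf-16-le")


def narrow(s: str) -> bytes:
    return s.encode("ascii")


def hits(data: bytes, strings, enc) -> int:
    """Number of strings in a group that occur at least once in data."""
    return sum(1 for s in strings if enc(s) in data)


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition over a whole file image."""
    if data[:2] != b"MZ":                               # uint16(0) == 0x5a4d
        return False
    if not (50 * 1024 < len(data) < 2 * 1024 * 1024):   # 50KB < filesize < 2MB
        return False
    n_str = hits(data, STR_WIDE, wide) + hits(data, STR_ASCII, narrow)
    n_rep = hits(data, REP_WIDE, wide)
    n_ext = hits(data, EXT_WIDE, wide)
    return n_str >= 6 and n_rep >= 10 and n_ext >= 4


def build_sample(size: int = 60 * 1024, paths_as_ascii: bool = False) -> bytes:
    """Constructed stand-in for a sample: MZ magic, the rule strings, zero padding.
    With paths_as_ascii=True the folder names are stored as 8-bit text, which a
    'wide' pattern does not match, so the $rep* count drops to zero."""
    path_enc = narrow if paths_as_ascii else wide
    body = b"".join(path_enc(s) + b"\x00\x00" for s in REP_WIDE)
    body += b"".join(wide(s) + b"\x00\x00" for s in STR_WIDE + EXT_WIDE)
    body += b"".join(narrow(s) + b"\x00" for s in STR_ASCII)
    return (b"MZ" + body).ljust(size, b"\x00")[:size]
```

The rule's creation_date (2022-01-18) predates the 2025 RaaS described at the top of this page, and its strings are .NET API names and builder artefacts, so validate its coverage against current samples before relying on it for this group.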
Hello, Our name is Chaos, and we would like to inform you about an important issue regarding the security of your systems. We conducted a professional security test, which fortunately was successful. The system's protection failed to function properly, and as a result, all confidential data was downloaded, including financial reports, internal communications, client databases, and other crucial materials that could have a significant impact on your business. This is not just a matter of lost information, but also potential legal and reputational consequences. We fully understand that the leakage of such data could lead to serious issues for your company. However, there is an opportunity to resolve this situation while keeping all information confidential and preventing further leakage. To achieve this, a few steps need to be taken. We offer a peaceful resolution to the matter, ensuring that all data remains confidential. In exchange for compensation, all issues will be closed, and there will be no consequences for your company. This is the only way to avoid severe problems. To discuss further, please follow the link below with TOR Browser to get in touch with me. There, we can go over the details: [redacted]
Founded in 2001, AireSpring is a Managed Services Provider specializing in Unified Communications, Managed Network, and IT Services, serving thousands of businesses nationwide. AireSpring provides fully managed and connected end-to-end, next-generation solutions for multi-location enterprise custome…
STATUS: PENDING PUBLICATION | TIME REMAINING: 72 HOURS ENTITY: Entrans International (entransinternational.com) THE REALITY OF ENTRANS INTERNATIONAL We have been in possession of your internal data for some time. Throughout this period, we have attempted to engage with your management, but their si…
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| airespring.com | US | Technology | — | 9 Jun 2026 |
| entransinternational.com | US | Business Services | — | 28 May 2026 |
| sterlingindustries.com | US | Manufacturing | — | 27 May 2026 |
| vacaero.com | MX | Hospitality and Tourism | — | 4 May 2026 |
The addresses of the leak sites (.onion) are known but are neither published nor linked. Only public metadata is shown.
STERLING INDUSTRIES: FINAL NOTICE BEFORE FULL RELEASE STATUS: PENDING FINAL PUBLICATION ENTITY: Sterling Industries (sterlingindustries.com) LEAK SIZE: ~503 GB ATTENTION MANAGEMENT We are currently in the final stages of preparing your data for public release. We have provided you with ample time…
If the company's management does not reach an agreement with us within 4 days, we will publish 250 GB of the company's internal data. Founded in 1959, VAC AERO provides vacuum heat treating and thermal & paint coating services as well as vacuum furnace systems and controls to aerospace and high-tec…