From BlackSuit to Chaos: New Ransomware Group Emerges After Law Enforcement Crackdown

A global task force took down the BlackSuit ransomware group. But just weeks later, a new threat called Chaos has already stepped in—and it’s looking a lot like déjà vu for cybersecurity experts.

Here’s what’s happening.

A Takedown, Then a Comeback

Not long after Operation CheckMate—a joint international law enforcement effort—seized BlackSuit’s dark web site, security researchers spotted a new ransomware group making waves. It’s called Chaos. And while the name has a dramatic flair, the tactics are all too familiar.

According to a report from Cisco Talos, Chaos likely involves some of the same members who were behind BlackSuit. The tools, techniques, and even the ransom notes carry a clear family resemblance.

Chaos made its first appearance back in February and has already been linked to “big-game hunting” style attacks—aggressive, targeted hacks designed to squeeze large ransoms from big organizations.

So far, the group has mainly gone after organizations in the U.S., with some activity in the UK, New Zealand, and India. One recent attack included a ransom demand of around $300,000.

So How Does Chaos Work?

Chaos uses a mix of tech and trickery to break into networks. Here’s the usual playbook:

  • It starts with some form of social engineering—often email or voice phishing.
  • Victims are tricked into reaching out to what they think is a cybersecurity pro.
  • This “expert” then guides the victim through opening Microsoft Quick Assist, a built-in Windows remote-assist tool.
  • Once the connection is made, Chaos gets full access to the system.

Files are locked with a .chaos extension. Victims receive a ransom note named “readme.chaos[.]txt.” Pay up, and the group promises to unlock the data, share a vulnerability report, and delete anything they stole. Don’t pay? Victims face data leaks, system damage, and DDoS attacks.
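For defenders, the chain above (a Quick Assist session, then files with a .chaos extension and the ransom note) can be checked in endpoint telemetry. The following is an added example, not code from this article or from Cisco Talos; the event tuple layout, the QuickAssist.exe image name, the four-hour correlation window, and all sample hosts and paths are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

QUICK_ASSIST = "quickassist.exe"   # assumed process image name for Quick Assist
RANSOM_NOTE = "readme.chaos.txt"   # the article gives it defanged: readme.chaos[.]txt
LOCKED_EXT = ".chaos"              # extension the article says locked files receive

# Constructed sample telemetry: (host, timestamp, event type, path). Not real data.
SAMPLE_EVENTS = [
    ("WS-014", "2025-03-03T09:02:11", "process_start", r"C:\Windows\System32\QuickAssist.exe"),
    ("WS-014", "2025-03-03T09:40:05", "file_create", r"C:\Users\amy\Documents\budget.xlsx.chaos"),
    ("WS-014", "2025-03-03T09:40:06", "file_create", r"C:\Users\amy\Documents\readme.chaos.txt"),
    ("WS-022", "2025-03-03T10:15:00", "process_start", r"C:\Windows\System32\QuickAssist.exe"),
    ("WS-022", "2025-03-03T10:20:00", "file_create", r"C:\Users\raj\notes.txt"),
    ("FS-001", "2025-03-03T11:00:00", "file_create", r"D:\share\plan.docx.chaos"),
]

def triage(events, window=timedelta(hours=4)):
    """Return {host: finding} for hosts that show the article's file indicators."""
    sessions = defaultdict(list)   # host -> start times of Quick Assist sessions
    findings = {}
    for host, ts, kind, path in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        name = ntpath.basename(path).lower()   # parses Windows paths on any OS
        if kind == "process_start" and name == QUICK_ASSIST:
            sessions[host].append(when)
        elif kind == "file_create" and (name == RANSOM_NOTE or name.endswith(LOCKED_EXT)):
            f = findings.setdefault(host, {"locked_files": 0, "ransom_note": False,
                                           "after_quick_assist": False})
            if name == RANSOM_NOTE:
                f["ransom_note"] = True
            else:
                f["locked_files"] += 1
            # Correlate with a Quick Assist session that began shortly before.
            if any(timedelta(0) <= when - s <= window for s in sessions[host]):
                f["after_quick_assist"] = True
    return findings

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_EVENTS).items():
        print(host, finding)
```

A host with `after_quick_assist` set points to the social-engineering entry path described above; a host with locked files but no preceding session (FS-001 in the sample) suggests the encryption reached it some other way, such as over a file share.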

Wait, Who’s Who Again?

Let’s break it down:

  • Chaos is likely a rebrand or offshoot of BlackSuit.
  • BlackSuit itself was a makeover of Royal ransomware.
  • And Royal? That group was formed when members splintered off from the Conti ransomware gang.

It’s like tracking a villain through multiple disguises—a constant cat-and-mouse game where the names change, but the threat stays the same.

The Power of LOLbins

One tactic that stands out with Chaos is its use of LOLbins—short for “living off the land” binaries. These are tools already built into Windows systems. Instead of using flashy malware, Chaos hijacks these legit tools to do the dirty work. It’s stealthy and hard to stop.

Will It Ever End?

The takedown of BlackSuit showed that international law enforcement can hit ransomware groups where it hurts. Agencies from the U.S., UK, Germany, the Netherlands, Ukraine, and Europol all played a role in Operation CheckMate.

But the quick rise of Chaos shows how fast attackers can regroup.

Each time a gang disappears, another often pops up using the same tactics and personnel. As Cisco’s Talos researchers point out, the similarities across these groups are too strong to ignore.

Why It Matters

If your organization thinks a takedown like Operation CheckMate means the threat is gone, think again. Cybercriminals don’t just quit. They rebrand, reboot, and go right back to scanning for vulnerabilities.

Staying aware of how groups like Chaos operate—especially their use of social engineering and built-in Windows tools—is key to defending against them.

Constant vigilance, patching, and employee training are still the frontline defenses.

And next time you get a call from “tech support” asking to open Quick Assist? Think twice.
