Cybersecurity experts have reported the emergence of a new ransomware group named Chaos, which appears to be a rebranding of the recently dismantled BlackSuit ransomware operation. According to Talos, a widely cited authority in the cybersecurity community, the similarities between Chaos and BlackSuit indicate a possible connection, either through a rebranding or through the involvement of former members of the BlackSuit group. The encryption methods, ransom note structures, and remote monitoring tools shared by both groups reinforce this theory.
This revelation comes shortly after a coordinated international effort, dubbed Operation CheckMate, led to the seizure of BlackSuit's dark web site. Major law enforcement agencies, including the US Department of Justice, the US Department of Homeland Security, and Europol, participated in the operation, which marks a significant step in the fight against ransomware operations. The momentum against cybercrime is gaining strength as authorities deepen their investigative strategies.
Chaos typically employs social engineering tactics, using email and voice phishing to gain initial access to targets. Victims are often misled into believing they are speaking with a legitimate IT security representative when in fact they are communicating with a member of the ransomware team. The attacker usually instructs the target to use Microsoft Quick Assist, a legitimate remote assistance tool built into Windows, to establish a remote connection, which facilitates further intrusion into the organization's systems.
Notably, BlackSuit itself was a rebranding of the Royal ransomware operation, which has roots tracing back to the notorious Conti ransomware group, as reported by Trend Micro. This continuous cycle of evolution among ransomware groups indicates that the threat landscape remains turbulent, posing ongoing challenges to cybersecurity professionals and businesses alike.