Sign up to save your podcasts
Or
Share Inside Chaos: The New Face of Ransomware
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Inside Chaos: The New Face of Ransomware
"Send me a quick text"
Chaos is a new ransomware group making its mark with aggressive campaigns and calculated pressure on victims. What appears to be a fresh name is, in fact, a continuation of familiar strategies, designed to confuse analysts and buy the attackers more time.
In this episode, we break down how Chaos positions itself in the ransomware landscape, why its approach is so disruptive, and what defenders can learn from the group’s focus on leverage, pressure, and rebranding. The story highlights the broader trend of ransomware operations evolving their identity while keeping proven methods intact.
Defensive priorities
- Restrict or gate Quick Assist usage, and require verification for any phone-based IT requests.
- Monitor for new or unsanctioned installations of AnyDesk, ScreenConnect, Splashtop, or OptiTune.
- Detect GoodSync activity or executables presenting as wininit.exe that transfer files to external storage.
- Hunt for SSH over port 443 that uses no known_hosts entries and skips host key verification.
- Alert on registry changes that hide accounts, removal of PowerShell logs, and shadow copy deletion.
- Flag files carrying the chaos file extension and ransom notes named readme.chaos.txt.
Selected IOCs and tools
- Reverse tunnel host: 45.61.134.36 on port 443
- Encrypted extension: the chaos file extension
- Ransom note: readme.chaos.txt
- Abused tools: Quick Assist, Impacket, GoodSync, AnyDesk, ScreenConnect, Splashtop
Detection should emphasize unusual RDP, SMB, and WMI activity, signs of Impacket usage, and credential harvesting behaviors consistent with Kerberoasting. Strong MFA enforcement and continuous endpoint monitoring remain essential.
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.
View all episodes
By Meni Tasa"Send me a quick text"
Chaos is a new ransomware group making its mark with aggressive campaigns and calculated pressure on victims. What appears to be a fresh name is, in fact, a continuation of familiar strategies, designed to confuse analysts and buy the attackers more time.
In this episode, we break down how Chaos positions itself in the ransomware landscape, why its approach is so disruptive, and what defenders can learn from the group’s focus on leverage, pressure, and rebranding. The story highlights the broader trend of ransomware operations evolving their identity while keeping proven methods intact.
Defensive priorities
- Restrict or gate Quick Assist usage, and require verification for any phone-based IT requests.
- Monitor for new or unsanctioned installations of AnyDesk, ScreenConnect, Splashtop, or OptiTune.
- Detect GoodSync activity or executables presenting as wininit.exe that transfer files to external storage.
- Hunt for SSH over port 443 that uses no known_hosts entries and skips host key verification.
- Alert on registry changes that hide accounts, removal of PowerShell logs, and shadow copy deletion.
- Flag files carrying the chaos file extension and ransom notes named readme.chaos.txt.
Selected IOCs and tools
- Reverse tunnel host: 45.61.134.36 on port 443
- Encrypted extension: the chaos file extension
- Ransom note: readme.chaos.txt
- Abused tools: Quick Assist, Impacket, GoodSync, AnyDesk, ScreenConnect, Splashtop
Detection should emphasize unusual RDP, SMB, and WMI activity, signs of Impacket usage, and credential harvesting behaviors consistent with Kerberoasting. Strong MFA enforcement and continuous endpoint monitoring remain essential.
Thanks for spending a few minutes on the CyberBrief Project.
If you want to dive deeper or catch up on past episodes, head over to cyberbriefproject.buzzsprout.com.
You can also find the podcast on YouTube at youtube.com/@CyberBriefProject — I’d love to see you there.
And if you find these episodes valuable and want to support the project, you can do that here: buzzsprout.com/support
Your support means a lot.
See you in the next one, and thank you for listening.