March 11, 2026
Anatomy of an Attack:
CHAOS in a BLACKSUIT—Triple Extortion Ransomware
Executive Summary
The ransomware market has shifted increasingly toward a triple extortion model, stacking real-time service disruption on top of traditional data theft and system encryption. To illustrate this activity, we are taking a look at research from Cisco Talos regarding the emergence of the Chaos threat actors in 2025. The group was formed by a reorganization of members from the BlackSuit ransomware group following a major international crackdown on July 24, 2025, when the Department of Justice seized BlackSuit's operations. Rather than disbanding, the group's core members pivoted to this new identity to continue their campaigns using more aggressive extortion tactics.
Chaos initially used a double extortion model: the actors steal sensitive data before they start the encryption process. This gives them leverage even if a victim can restore systems from backups, because the stolen data can still be used to threaten the victim with a public leak.
According to Recorded Future, Chaos has expanded its toolkit to include Distributed Denial-of-Service (DDoS) attacks. This points to the creation of a triple extortion model. In this scenario, Chaos uses DDoS to crash a victim’s infrastructure. This adds a third layer of pressure to stop business operations in real time. These tactics are meant to force a quick payment by paralyzing the victim’s ability to communicate or function.
Per The Hacker News, the ransomware group is unrelated to the Chaos ransomware builder variants such as Yashma and Lucky_Gh0$t, indicating that the threat actors may be using the same name to sow confusion.
ExtraHop has covered BlackSuit over time, and published RevealX vs. BlackSuit Ransomware on August 1, 2024.
Virtualization Layer - Hypervisor Interaction
BlackSuit operators demonstrated a sophisticated understanding of data center architecture by targeting VMware ESXi servers. Unlike standard malware that targets workstations, we believe their successor organization, Chaos, uses a specialized Linux-based variant that seeks out the hypervisor management interface. Once the actors gain access to the ESXi shell, they employ the esxcli command-line utility to terminate virtual processes (MITRE ATT&CK T1489).
By using the specific -killvm parameter, the malware kills running virtual machines to ensure virtual disks are unlocked for encryption. By attacking the hypervisor, BlackSuit bypasses traditional security agents that reside only within guest virtual machines. This creates a critical blind spot where the attack happens beneath the visibility of standard endpoint tools. RevealX addresses this by monitoring management traffic to ESXi hosts, detecting the surge in esxcli commands and unusual file reconfiguration events that signal an infrastructure attack.
Identity Fabric: Administrative Credential Access
The campaign, as documented from the historic activities of BlackSuit and the expected execution of the same threat actors rebranded as Chaos, prioritized the compromise of core identity systems (domain controllers) to maintain total control of the environment. Once initial access is achieved through unpatched edge devices (MITRE ATT&CK T1190) or compromised Remote Desktop Protocol (RDP) sessions (MITRE ATT&CK T1021.001), the actors deploy tools like Mimikatz to harvest Active Directory credentials from memory (MITRE ATT&CK T1003.001).
These high-level credentials allow attackers to perform administrative tasks, such as modifying Group Policy Objects (GPOs), to deactivate security software across the entire domain (MITRE ATT&CK T1562.001). In advanced campaigns, operators perform AS-REP Roasting and Kerberoasting against Domain Controllers to capture password hashes for offline cracking (MITRE ATT&CK T1558.003). RevealX identifies this by decrypting Kerberos and LDAP traffic to unmask ticket forgery and unusual directory requests that precede a domain-wide lockout.
The Intrusion Lifecycle: From Foothold to Encryption
The deployment begins with a multi-stage intrusion. BlackSuit typically secures an Initial Foothold by exploiting unpatched edge devices, hijacking compromised RDP sessions, or executing phishing campaigns.
Once inside, the actors transition to Living off the Land (LotL) techniques. Rather than deploying noisy custom malware immediately, they use legitimate utilities like PowerShell and PsExec to navigate the network and escalate privileges. Once administrative control is secured, often targeting the Domain Controller, the actors then deploy BlackSuit Encryptor.
The BlackSuit Encryptor is a sophisticated custom-built RaaS malware that requires manual Payload Transfer. Attackers use established administrative channels, such as SMB or PsExec, to push the encryptor across the domain. After the executable is staged on target systems, it is triggered remotely to begin the encryption process simultaneously across the enterprise.
The encryption process uses an intermittent strategy, scrambling only portions of files to maximize speed while evading behavioral detection (MITRE ATT&CK T1486).
To ensure long-term access, the BlackSuit malware utilizes a specific -delete parameter that triggers a batch script loop. This script monitors for the presence of the ransomware executable. If an administrator deletes the file, the script attempts to restore or re-execute the process (MITRE ATT&CK T1547.001). By masquerading as legitimate processes, like explorer.exe or svchost.exe, the malware remains embedded after system reboots. RevealX exposes this persistence by detecting consistent Command and Control (C2) heartbeats and unusual protocol tunneling.
Network Detection: RevealX Capabilities for RaaS
Traditional security tools often struggle to counter RaaS groups like Chaos because they rely on logs or agents that adversaries can bypass or deactivate. ExtraHop RevealX provides a real-time view of activity across the entire attack surface without requiring agents. By decrypting and decoding more than 90 protocols at wire speed, the platform maintains visibility into malicious activity hidden within encrypted traffic.
This capability is critical for uncovering lateral movement toward high-value targets like Domain Controllers. While an attacker can turn off a security agent or delete a log, they cannot hide movement across the wire. RevealX turns the network into the ultimate source of truth, catching Chaos during the critical staging phase before data is exfiltrated or encrypted.
Technical Implementation: Detection Alignment
As established in the latest research, these detections are critical for addressing the specific "blind spots" created by Chaos’ infrastructure and identity-based TTPs:
- Unusual Remote Access Activity: Directly addresses MITRE ATT&CK T1021.001 by flagging the initial foothold established via compromised RDP sessions.
- Endpoint Security Modification: Unmasks MITRE ATT&CK T1562.001 when threat actors modify Group Policy Objects (GPOs) to deactivate domain-wide security software.
- Unusual Authentication Activity: Exposes MITRE ATT&CK T1003.001 and MITRE ATT&CK T1558.003 by identifying the misuse of administrative credentials harvested from LSASS memory or via Kerberoasting.
The MITRE ATT&CK techniques cited in this blog are supported by either CISA, Unit 42, or Picus Security as a verified component of earlier BlackSuit activity.
Blacksuit/Chaos TTPs and ExtraHop Detections
Indicators of Compromise (IOCs)
To maintain a strong defensive posture against Chaos, security teams should monitor for the following specific Indicators of Compromise (IOCs). These IOCs are drawn primarily from two sources:
- July 24, 2025 (Cisco Talos): https://blog.talosintelligence.com/new-chaos-ransomware/
- August 11, 2025 (Department of Justice): https://www.justice.gov/opa/pr/justice-department-announces-coordinated-disruption-actions-against-blacksuit-royal which links to additional government publications including the #StopRansomware: Blacksuit Ransomware published on August 27, 2024.
These indicators are based on recognized threat intelligence gathered from observations of the Blacksuit campaigns as well as initial analyses of the evolving Chaos activity.
Host-Based Indicators
- Ransomware Executable: Operators often obfuscate the payload name using legitimate-sounding filenames such as explorer.exe, svchost.exe, or random strings like abc123.exe.
- Ransom Note: The malware drops a file named README.chaos.txt in every affected directory. On Linux or ESXi systems, the filename typically uses lowercase: readme.chaos.txt.
- File Extensions: Encrypted files are appended with the .chaos extension.
- Registry Persistence: Look for unauthorized entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or startup folders that point to the ransomware binary.
- Service Creation: Creation of user-mode services with randomly generated 7-character alphanumeric names (e.g., 61185c1.exe) running under the LocalSystem account.
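The host-based indicators above can be turned into a quick triage check. The following Python is an added example, not code from the original post or from ExtraHop: it takes a constructed snapshot of one Windows host (file listing, Run-key entries and services, all invented for the example) and reports which of the five indicators it matches. The trusted-directory list, the mixed-letter-and-digit rule for service names and every sample path are assumptions. The random-string filenames the post mentions (such as abc123.exe) cannot be matched by name alone, so that file is deliberately left unflagged; only the masquerade names are checked, and only when they sit outside the directories where the real binaries live.

```python
import re
from pathlib import PureWindowsPath

# Constructed host snapshot (not from the original post): what an EDR export
# or a forensic triage script might hand back for one Windows host.
HOST_SNAPSHOT = {
    "files": [
        r"C:\Users\jdoe\Documents\budget.xlsx.chaos",
        r"C:\Users\jdoe\Documents\README.chaos.txt",
        r"C:\Users\jdoe\Documents\notes.txt",
        r"C:\ProgramData\explorer.exe",      # masquerade: explorer.exe outside C:\Windows
        r"C:\Windows\explorer.exe",          # the legitimate binary
        r"C:\ProgramData\abc123.exe",        # random name: not matchable by name alone
    ],
    "run_keys": {
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
            "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
            "Updater": r"C:\ProgramData\explorer.exe",
        },
    },
    "services": [
        {"name": "Spooler", "path": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
        {"name": "61185c1", "path": r"C:\ProgramData\61185c1.exe", "account": "LocalSystem"},
    ],
}

# Indicator patterns from the post's host-based IOC list.
EXT_RE = re.compile(r"\.chaos$", re.IGNORECASE)             # encrypted-file extension
NOTE_RE = re.compile(r"^readme\.chaos\.txt$", re.IGNORECASE)  # README.chaos.txt / readme.chaos.txt
MASQUERADE_NAMES = {"explorer.exe", "svchost.exe"}
# Assumption: anything launched from outside these roots is worth a look.
TRUSTED_DIRS = (r"c:\windows", r"c:\program files")
# 7 alphanumeric characters containing at least one letter and one digit;
# the mixed requirement is an assumption that keeps names like "Spooler" out.
SERVICE_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{7}$", re.IGNORECASE)


def is_trusted_location(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def triage(snapshot: dict) -> list:
    """Return (indicator, detail) pairs for every host-based IOC found."""
    findings = []
    for path in snapshot["files"]:
        name = PureWindowsPath(path).name
        if EXT_RE.search(name):
            findings.append(("File Extensions", path))
        elif NOTE_RE.match(name):
            findings.append(("Ransom Note", path))
        elif name.lower() in MASQUERADE_NAMES and not is_trusted_location(path):
            findings.append(("Ransomware Executable", path))
    for key, entries in snapshot["run_keys"].items():
        for value_name, target in entries.items():
            if not is_trusted_location(target):
                findings.append(("Registry Persistence", f"{key}\\{value_name} -> {target}"))
    for svc in snapshot["services"]:
        if SERVICE_NAME_RE.match(svc["name"]) and svc["account"].lower() == "localsystem":
            findings.append(("Service Creation", f"{svc['name']} ({svc['path']})"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(HOST_SNAPSHOT):
        print(f"{indicator:22} {detail}")
```

Run on the constructed snapshot, the check reports the .chaos file, the ransom note, the out-of-place explorer.exe, the Run-key entry pointing at it, and the 61185c1 service; the legitimate C:\Windows\explorer.exe and the Spooler service are not reported.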
Network-Based Indicators
- External Hop Points: Chaos infrastructure frequently routes initial data exfiltration through U.S.-based IP addresses before moving to final C2 destinations.
- Command & Control (C2): Look for beaconing traffic to known Cobalt Strike infrastructure or legitimate cloud proxies (e.g., Cloudflare) used to mask team servers.
- Protocol Tunneling: Unusual interactive traffic over standard ports using tools like Chisel or SystemBC.
- Large Data Transfers: Outbound spikes to unauthorized external IP addresses or storage services via rclone or FTP.
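Two of the network-based indicators above, C2 beaconing and large outbound transfers, can be scored from flow summaries alone. The Python below is an added example, not code from the original post or from ExtraHop RevealX: it runs over constructed flow records (documentation-range IP addresses, invented byte counts) and applies two heuristics. The beacon check looks for a source/destination pair whose inter-flow gaps are nearly constant (low coefficient of variation), and the bulk-transfer check sums outbound bytes to destinations that are not on an allow list. The allow list, the byte threshold, the minimum flow count and the jitter tolerance are all assumptions to be tuned against an environment's baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records (not from the original post), in the shape an NDR
# sensor or NetFlow exporter might summarise them:
# (timestamp, src, dst, dst_port, bytes_out)
SAMPLE_FLOWS = [
    # Regular ~60 s check-ins with a little jitter: beacon-like.
    ("2025-07-24T02:00:00", "10.0.1.15", "203.0.113.10", 443, 1200),
    ("2025-07-24T02:01:02", "10.0.1.15", "203.0.113.10", 443, 1180),
    ("2025-07-24T02:01:58", "10.0.1.15", "203.0.113.10", 443, 1210),
    ("2025-07-24T02:03:01", "10.0.1.15", "203.0.113.10", 443, 1190),
    ("2025-07-24T02:04:00", "10.0.1.15", "203.0.113.10", 443, 1205),
    # One very large FTP upload to an address nobody sanctioned.
    ("2025-07-24T02:10:00", "10.0.1.15", "198.51.100.7", 21, 850_000_000),
    # Ordinary traffic to a sanctioned external service.
    ("2025-07-24T02:15:00", "10.0.1.22", "192.0.2.50", 443, 40_000),
    ("2025-07-24T02:17:00", "10.0.1.22", "192.0.2.50", 443, 52_000),
    ("2025-07-24T02:40:00", "10.0.1.22", "192.0.2.50", 443, 35_000),
]

ALLOWED_EXTERNAL = {"192.0.2.50"}      # assumption: sanctioned backup/SaaS endpoint
BULK_THRESHOLD_BYTES = 500_000_000     # assumption: tune to the site's normal egress
BEACON_MIN_FLOWS = 5                   # assumption: need enough samples to judge rhythm
BEACON_MAX_CV = 0.1                    # assumption: max coefficient of variation of gaps


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def bulk_transfers(flows, allowed=ALLOWED_EXTERNAL, threshold=BULK_THRESHOLD_BYTES):
    """Large Data Transfers: total outbound bytes per (src, dst, port) to
    destinations outside the allow list, returned when over the threshold."""
    totals = defaultdict(int)
    for _, src, dst, port, nbytes in flows:
        if dst not in allowed:
            totals[(src, dst, port)] += nbytes
    return [(key, total) for key, total in totals.items() if total >= threshold]


def beacons(flows, min_flows=BEACON_MIN_FLOWS, max_cv=BEACON_MAX_CV):
    """C2 beaconing: a (src, dst, port) whose inter-flow interval is nearly
    constant. Returns (key, mean_gap_seconds, coefficient_of_variation)."""
    series = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        series[(src, dst, port)].append(_ts(ts))
    hits = []
    for key, times in series.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((key, round(mean), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for key, total in bulk_transfers(SAMPLE_FLOWS):
        print("Large Data Transfer", key, f"{total:,} bytes")
    for key, gap, cv in beacons(SAMPLE_FLOWS):
        print("Possible beacon", key, f"every ~{gap}s (cv={cv})")
```

On the constructed flows the 10.0.1.15 host is reported twice: once for its ~60-second rhythm to 203.0.113.10 and once for the 850 MB upload to 198.51.100.7 over FTP. Traffic to the allow-listed 192.0.2.50 is ignored, and three irregular flows are too few to be judged a beacon. In practice the allow list is the part that needs the most care, since the post notes that Chaos hides team servers behind legitimate cloud proxies, so a broad "trusted CDN" entry would also hide the beacon.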
Behavioral Indicators
- Hypervisor Hijack: Unauthorized execution of esxcli with the -killvm parameter on ESXi management interfaces.
- Shadow Copy Deletion: Automated execution of the command vssadmin.exe delete shadows /all /quiet to prevent system recovery.
- GPO Modification: Unauthorized changes to Group Policy Objects to disable domain-wide antivirus or EDR agents.
- Authentication Spikes: High-volume Kerberos Ticket Granting Server (TGS) requests for Service Principal Name (SPN) accounts, indicating Kerberoasting activity.
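The four behavioral indicators above, and the Kerberoasting activity described in the identity section, are all visible in event streams a defender already collects. The following Python is an added example, not code from the original post or from ExtraHop: it parses constructed log lines normalised to one pipe-separated shape (ESXi shell history, Windows process creation, Group Policy changes, and Kerberos TGS requests standing in for Windows Security Event ID 4769) and emits one finding per indicator. The field layout, the list of security settings watched in GPO changes, the five-SPN-per-60-seconds threshold and all hostnames and accounts are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the original post). Each line is
# "timestamp|source|host|account|message"; the "kerberos" records stand in
# for Windows Security Event ID 4769 (TGS request) with the requested SPN.
SAMPLE_LOGS = """\
2025-07-24T03:12:01|esxi_shell|esxi01|root|esxcli vm process list
2025-07-24T03:12:05|esxi_shell|esxi01|root|/vmfs/volumes/datastore1/encryptor -killvm
2025-07-24T03:14:10|win_proc|FS01|CORP\\svc_backup|vssadmin.exe delete shadows /all /quiet
2025-07-24T03:14:11|win_proc|FS01|CORP\\svc_backup|cmd.exe /c whoami
2025-07-24T03:20:00|gpo|DC01|CORP\\jdoe|GPO modified: Default Domain Policy; setting=DisableAntiSpyware value=1
2025-07-24T03:21:00|gpo|DC01|CORP\\jdoe|GPO modified: Desktop Policy; setting=Wallpaper value=corp.jpg
2025-07-24T03:30:00|kerberos|DC01|CORP\\jdoe|4769 TGS request spn=MSSQLSvc/db01.corp.local:1433
2025-07-24T03:30:01|kerberos|DC01|CORP\\jdoe|4769 TGS request spn=HTTP/web01.corp.local
2025-07-24T03:30:01|kerberos|DC01|CORP\\jdoe|4769 TGS request spn=CIFS/fs01.corp.local
2025-07-24T03:30:02|kerberos|DC01|CORP\\jdoe|4769 TGS request spn=MSSQLSvc/db02.corp.local:1433
2025-07-24T03:30:03|kerberos|DC01|CORP\\jdoe|4769 TGS request spn=HOST/app01.corp.local
2025-07-24T03:30:04|kerberos|DC01|CORP\\jdoe|4769 TGS request spn=LDAP/dc01.corp.local
2025-07-24T03:45:00|kerberos|DC01|CORP\\asmith|4769 TGS request spn=CIFS/fs01.corp.local
"""

# Patterns lifted from the post's Behavioral Indicators list.
KILLVM_RE = re.compile(r"(^|\s)-killvm(\s|$)")
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.IGNORECASE)
SPN_RE = re.compile(r"spn=(\S+)")
# Assumption: Defender policy values whose change through a GPO disables protection.
SECURITY_SETTINGS = ("DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableAntiVirus")
# Kerberoasting heuristic (assumed thresholds): one account asking for this
# many distinct SPNs inside the window.
SPN_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse(lines: str) -> list:
    records = []
    for line in lines.strip().splitlines():
        ts, source, host, account, message = line.split("|", 4)
        records.append({"ts": datetime.fromisoformat(ts), "source": source,
                        "host": host, "account": account, "message": message})
    return records


def detect(lines: str) -> list:
    """Return (indicator, host, account, detail) tuples in detection order."""
    findings = []
    tgs = defaultdict(list)  # account -> [(ts, spn, host)]
    for r in parse(lines):
        msg = r["message"]
        if r["source"] == "esxi_shell" and KILLVM_RE.search(msg):
            findings.append(("Hypervisor Hijack", r["host"], r["account"], msg))
        elif r["source"] == "win_proc" and VSSADMIN_RE.search(msg):
            findings.append(("Shadow Copy Deletion", r["host"], r["account"], msg))
        elif r["source"] == "gpo" and any(s in msg for s in SECURITY_SETTINGS):
            findings.append(("GPO Modification", r["host"], r["account"], msg))
        elif r["source"] == "kerberos":
            m = SPN_RE.search(msg)
            if m:
                tgs[r["account"]].append((r["ts"], m.group(1), r["host"]))
    # Sliding window per account: count distinct SPNs requested within WINDOW.
    for account, events in tgs.items():
        events.sort()
        for i, (start, _, host) in enumerate(events):
            spns = {spn for ts, spn, _ in events[i:] if ts - start <= WINDOW}
            if len(spns) >= SPN_THRESHOLD:
                findings.append(("Authentication Spikes", host, account,
                                 f"{len(spns)} distinct SPNs in {int(WINDOW.total_seconds())}s"))
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for indicator, host, account, detail in detect(SAMPLE_LOGS):
        print(f"{indicator:22} {host:8} {account:18} {detail}")
```

On the constructed input the detector reports the -killvm invocation on esxi01, the vssadmin shadow deletion on FS01, the GPO change that sets DisableAntiSpyware, and jdoe's six distinct SPN requests inside four seconds; the benign esxcli listing, the wallpaper GPO change and asmith's single ticket request produce nothing. The GPO rule flags every change to the listed settings, so a real deployment would suppress approved change windows.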
The Case for Network Truth: Eliminating the Blind Spots
Defending against triple extortion requires visibility beyond the reach of standard endpoint tools. These actors operate in the unmanaged blind spots of the data center, specifically targeting virtualization management where security agents cannot run. Defense requires inspecting the actual traffic moving between virtual machines, hypervisors, and identity stores.
RevealX provides the ground truth that attackers cannot delete or modify. While an adversary can disable an endpoint agent or wipe a local event log, they cannot move laterally or exfiltrate data without creating network traffic. By analyzing this traffic in real time, RevealX unmasks the encrypted tunnels and credential harvesting that traditional tools miss. In the fight against Chaos, the network remains the only vantage point that an attacker cannot compromise.
Learn More About ExtraHop
The network tells the story that logs and endpoints miss. If you want to see how this works in practice, there are several ways we can help:
- See it in action: Schedule a call to see how RevealX identifies the TTPs used by sophisticated actors.
- Check your blind spots: We offer a network security assessment to find activity moving sideways through your environment.
- Expert Consultation: Your experts can spend time with ours to discuss decryption or how to handle Living off the Land tactics.
Click HERE to schedule your time with us and learn more about ExtraHop NDR.
Product Marketing Team
Michael Zuckerman is a seasoned B2B product marketing and marketing strategy consultant. Zuckerman’s domain experience in cybersecurity over the past 10 years includes DNS security, threat intelligence, threat intelligence platforms (TIP), container security, mobile device security, moving target defense, sandbox, deception technology, cloud access security brokers (CASB), SASE, data loss prevention (DLP), user and entity behavior analytics (UEBA), Network detection and response (NDR), and encryption.