
The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous

· Published 09/10/2025 03:41 · Modified 09/10/2025 14:31


Essential information

Tags
2025-10-09 blacksnake cryptocurrency theft lucky_gh0$t ransomware
Related entities
9 observables, 1 intrusion sets (apt), 13 techniques (mitre), 4 malware

Description

Chaos has evolved with a new C++ variant in 2025, marking a significant shift from its .NET origins. This new version combines destructive encryption, clipboard hijacking for cryptocurrency theft, and speed-focused attack strategies. It employs a sophisticated downloader masquerading as a system optimizer, uses AES-256-CFB or XOR encryption, and deletes the content of large files instead of encrypting them. The ransomware also implements clipboard hijacking to redirect Bitcoin transactions. Its file traversal strategy has evolved, balancing efficiency against destructiveness. This evolution demonstrates Chaos's transition towards more aggressive and multifaceted threat tactics, aimed at maximizing financial gain while potentially reducing recovery possibilities for victims.

External references