Skip to content
Ransomware group

Chaos

Chaos is used for ransomware in two separate contexts: a customizable ransomware builder first observed in 2021 and a ransomware-as-a-service operation that appeared in 2025.

Profile source: Ransomware.live opens in a new tab

Chaos

Family profile

Chaos is used for ransomware in two separate contexts: a customizable ransomware builder first observed in 2021 and a ransomware-as-a-service operation that appeared in 2025. This profile excludes the unrelated Linux botnet that shares the Chaos name.

Ransomware.live

Operational record

View group record ↗

Ransomware.live

Published indicators

Full source record ↗

Md5

3 total
  • 160f60dc3fc9920cfc3847de4de2ef09
  • 9113f4b245da32c75d61b467ee89e0b7
  • 87fd821b67a1f329548f222d81a55be7

Sha256

3 total
  • 7c4b465159e1c7dbbe67f0eeb3f58de1caba293999a49843a0818480f05be14e
  • 11cfea4100ba3731d859148d2011c7225d337db22797f7e111c0f2876e986490
  • 1d846592ffcc19ed03a34316520aa31369218a88afa4e17ac547686d0348aa5b

Ip

3 total
  • 144.172.103.42
  • 45.61.134.36
  • 107.170.35.225

Ransomware.live

Recent claims

All published claims ↗

Reporting

Research mentioning Chaos

Jul 3
Teiss News

teiss - News - Ransomware gang threatens to leak employee data of Texas industrial firm Universal Plant Services

Chaos ransomware emerged in mid-2021 and operates on a ransomware-as-a-service model, in which its builder tool allows low-skill threat actors to generate customized ransomware campaigns without coding knowledge or dedicated infrastructure.

May 21
Securelist

Leaked ransomware variants give rise to new cybercrime groups | Securelist

While the Chaos ransomware variant copied itself to $ user \ $ appdata \ cmd . exe and launched a new process, the new process in turn created a new file in the startup folder.

May 21
Securelist

Twelve: from initial compromise to ransomware and wipers | Securelist

We also found that in some cases, attackers used a Trojan made from a leaked builder for the Chaos ransomware to encrypt files.

May 7
Scworld

Iranian threat group used Chaos ransomware as a ‘false flag,’ researchers say | news | SC Media

Chaos is a ransomware-as-a-service (RaaS) operation that has been active since February 2025 and mostly targets large organizations in the United States. Typical Chaos ransomware attacks involve double extortion, including both exfiltration and encryption of victim files.

May 7
The Record Media

Iranian government hackers using Chaos ransomware as cover, researchers say | The Record from Recorded Future News

Nation-state hackers from Iran are deploying the Chaos ransomware as cover for alleged espionage and data theft operations... The Chaos ransomware operation has existed since February 2025...

May 6
Security Affairs

Iranian cyber espionage disguised as a Chaos Ransomware attack

Victims were led to believe they were dealing with the Chaos ransomware group, which operates a leak site for stolen data. However, further investigation showed no ransomware had been deployed.

May 6
Bleeping Computer

MuddyWater hackers use Chaos ransomware as a decoy in attacks

The Chaos is a ransomware-as-a-service (RaaS) operation that emerged in 2025 and is known for big-game hunting attacks, double-extortion tactics, and social engineering campaigns mostly targeting organizations in the United States.

May 6
Rapid7

Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware

In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a "false flag" masquerade.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.