Md5
3 total160f60dc3fc9920cfc3847de4de2ef099113f4b245da32c75d61b467ee89e0b787fd821b67a1f329548f222d81a55be7
Chaos is used for ransomware in two separate contexts: a customizable ransomware builder first observed in 2021 and a ransomware-as-a-service operation that appeared in 2025.
Profile source: Ransomware.live opens in a new tabChaos
Chaos is used for ransomware in two separate contexts: a customizable ransomware builder first observed in 2021 and a ransomware-as-a-service operation that appeared in 2025. This profile excludes the unrelated Linux botnet that shares the Chaos name.
Ransomware.live
Ransomware.live
160f60dc3fc9920cfc3847de4de2ef099113f4b245da32c75d61b467ee89e0b787fd821b67a1f329548f222d81a55be77c4b465159e1c7dbbe67f0eeb3f58de1caba293999a49843a0818480f05be14e11cfea4100ba3731d859148d2011c7225d337db22797f7e111c0f2876e9864901d846592ffcc19ed03a34316520aa31369218a88afa4e17ac547686d0348aa5b144.172.103.4245.61.134.36107.170.35.225Ransomware.live
Reporting
Chaos ransomware emerged in mid-2021 and operates on a ransomware-as-a-service model, in which its builder tool allows low-skill threat actors to generate customized ransomware campaigns without coding knowledge or dedicated infrastructure.
While the Chaos ransomware variant copied itself to $ user \ $ appdata \ cmd . exe and launched a new process, the new process in turn created a new file in the startup folder.
We also found that in some cases, attackers used a Trojan made from a leaked builder for the Chaos ransomware to encrypt files.
Chaos is a ransomware-as-a-service (RaaS) operation that has been active since February 2025 and mostly targets large organizations in the United States. Typical Chaos ransomware attacks involve double extortion, including both exfiltration and encryption of victim files.
Nation-state hackers from Iran are deploying the Chaos ransomware as cover for alleged espionage and data theft operations... The Chaos ransomware operation has existed since February 2025...
Victims were led to believe they were dealing with the Chaos ransomware group, which operates a leak site for stolen data. However, further investigation showed no ransomware had been deployed.
The Chaos is a ransomware-as-a-service (RaaS) operation that emerged in 2025 and is known for big-game hunting attacks, double-extortion tactics, and social engineering campaigns mostly targeting organizations in the United States.
In early 2026, a sophisticated intrusion initially appearing to be a standard Chaos ransomware attack was assessed to be consistent with a targeted state-sponsored operation. While the threat actor operated under the banner of the Chaos ransomware-as-a-service (RaaS) group, forensic analysis revealed the incident was a "false flag" masquerade.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.