Chaos (Inactive)
Ransomware group first observed in 2020. Uses MegaSync for deployment.
Total Victims: 0
First Seen: 2020-07-01
Last Seen: 2024-04-03
Known TTPs: 0
Avg Delay: 29.9d
Negotiations: 0
ONION URLS
hptqq2o2qjva7lcaaq67w36jihzivkaitkexorauw7b2yul2z6zozpqd.onion
TOOLS
MegaSync
Atera
PowerShell Empire
Brute Ratel
TDSSKiller
FILE EXTENSIONS
.dark
| Date | Victim Name | Country | Sector | Status |
|---|---|---|---|---|
| No victims recorded | | | | |
No TTPs data
Chaos_rule_1
Elastic Security
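rule Chaos_ransomware_1 {
    meta:
        description = "Detects Chaos ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "d8d9639268aad84f3b91a4b71dcf9143bda932da005bc708a920bcb874e44c81"
    strings:
        // Ransom-note and encryption keywords, matched case-insensitively
        $s0 = "BITCOIN" nocase
        $s1 = ".chaos" nocase
        $r2 = /README\..{3,10}/i
        // The source pattern ends in a lone nibble ("8"), which YARA rejects;
        // the incomplete final byte is omitted so the rule compiles.
        $h3 = { 68 C9 59 EC E6 21 C3 77 FD 16 27 A6 2E CB D8 6D 58 4D 42 79 5E 0B }
        $s4 = "AES-256" nocase
        $h5 = { F6 65 BF 74 04 69 0C 19 55 }
        $s6 = "RECOVER" nocase
    condition:
        // PE file (MZ header) under 5 MB containing at least three of the strings
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        3 of them
}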
No ransom notes