A new ransomware-as-a-service group called Chaos has emerged following the seizure of BlackSuit’s dark web infrastructure, and researchers believe the two are likely connected.

Cisco Talos reported that Chaos, which surfaced in February 2025, shares notable overlaps with BlackSuit, including encryption parameters, ransom note structure, and use of remote access tools. “Chaos RaaS actors initiated low-effort spam flooding, escalating to voice-based social engineering for access,” the researchers said, noting how victims are tricked into installing remote desktop software like Microsoft Quick Assist.

BlackSuit was taken offline this week as part of Operation Checkmate, an international effort that disrupted its negotiation portals and data leak sites. The FBI and Department of Justice also seized over $2.4 million in cryptocurrency tied to a Chaos-linked wallet.

Cisco Talos assessed with moderate confidence that Chaos is either a rebrand of BlackSuit or is operated by former BlackSuit members. The ransomware uses multithreaded selective encryption, evades analysis tools, and targets both local and network systems to increase impact and avoid detection. Its tactics mirror BlackSuit’s use of RMM tools such as AnyDesk and ScreenConnect, and its encryption commands differ from BlackSuit’s in name but not in function.

Bitdefender, which assisted in the BlackSuit takedown, described the group as a private operation with over 185 victims since 2023. “The disruption of BlackSuit’s infrastructure marks another important milestone in the fight against organized cybercrime,” said a spokesperson for its Draco Team.

Chaos has reportedly demanded ransoms as high as $300,000, offering victims decryptors along with a “detailed penetration overview.” The group claims to have breached organizations including the Salvation Army and Optima Tax Relief.

Despite a 43% drop in global ransomware incidents from Q1 to Q2 2025, groups like Chaos are stepping into the void left by law enforcement takedowns. As Matt Hull of NCC Group put it, “The volume of victims being exposed on ransomware leak sites might be declining, but this doesn’t mean threats are reduced.”