Threat Intelligence Report September 23 - September 29 2025

Chaos Ransomware

Chaos” here refers to the new RaaS group active in 2025 (not the old Chaos/Yashma builder). The operation conducts classic big-game-hunting/double-extortion. Within Sep 20–28, 2025, multiple public sandboxes captured fresh Chaos encryptors and a new victim claim (AMS Fulfillment) on the group’s data-leak site. These samples exhibit the same playbook: inhibit recovery (wbadmin, bcdedit), rename/encrypt files, drop a read_it.txt note, and, in some runs, touch browser credential stores.

Detailed TTPs

Initial Access

• Voice-phishing (helpdesk/social engineering) to coerce remote-assist access or MFA push approval.
• Compromised credentials (valid accounts) from stealer logs or prior breaches used on VPN/SSO/RDP.
• Opportunistic phishing with links to loader/launcher hosted on throwaway infra.

Detections: spikes in admin/SaaS logins from Tor/VPN ranges; anomalous MFA approvals; helpdesk tickets tied to “remote assist” requests; first-seen logins on RDP/VPN from atypical geos.

Execution

• Windows: LOLBIN-based scripts invoke recovery inhibition (bcdedit, wbadmin) and launch encryptor; batch/PowerShell wrappers.
• Linux/ESXi: shell scripts to stage and execute encryptor; parallelised worker threads for fast impact.

Detections: process-chains invoking bcdedit/wbadmin; unsigned executables launched from user profile/temp; unknown shell scripts on hypervisors; sudden high-entropy writes on datastores.

Persistence

• Startup folder drop of ransom note/launcher; registry Run/RunOnce keys.
• RMM tool abuse (ScreenConnect/AnyDesk) or added SSH keys on servers/hypervisors.

Detections: new binaries/shortcuts in Startup paths; fresh Run*/Scheduled Task entries; newly installed or side-loaded RMM agents; unexpected authorized_keys entries.

Privilege Escalation

• Use of already-privileged stolen creds; on Windows, attempts to dump LSASS or exploit local privesc to reach admin.

Detections: abnormal LSASS access; token/manipulation events; privilege assignment to unusual accounts; driver/service creation from non-IT users.

Discovery

• Environment scoping: AD group/user enumeration; share walks; vCenter/ESXi inventory queries; system/locale checks (for geo-fencing).

Detections: enumeration of domain admins from non-IT endpoints; aggressive SMB share listing; unusual vCenter API queries; registry reads of locale/geo keys.

Command-and-Control

• Short-lived VPS/Tor infrastructure for operator control and negotiation site access; occasional RMM backchannels.

Detections: egress to Tor directory/bridge IPs; first-seen TLS SNI/JA3 to low-reputation VPS ASNs; beacon-like RMM traffic from non-admin hosts.

Impact

• Inhibit recovery (delete backups, alter boot recovery) prior to encryption.
• Multi-threaded selective encryption; ransom note drop (e.g., read_it.txt), file rename/extension change, data-leak extortion.

Detections: bcdedit/wbadmin/vssadmin telemetry; sharp spike in rename/write/entropy metrics; ransom note file creation in user and Startup paths; VM snapshot disablement on hypervisors.

MITRE ATT&CK Mapping

Tactic	Technique (ID)	What it looks like	Fast detection
Initial Access	Phishing/Vishing (T1566)	User coerced to grant help/approve prompts	First-time Quick Assist/RMM by non-IT; odd MFA approvals
Initial Access	Valid Accounts (T1078)	Stolen creds used on VPN/SSO	New geo/ASN; off-hours admin logons
Execution	Cmd/PowerShell (T1059)	Scripts staging/running encryptor	Script-block anomalies → burst of file writes
Execution	Remote Access Software (T1219)	AnyDesk/ScreenConnect/Quick Assist	New RMM installs/sessions from user hosts
Persistence	Startup/Run Keys (T1547.001)	Note/artifacts in Startup; autoruns	Writes to Startup/Run by non-installer
Priv. Esc.	Privileged Accounts (T1078.004)	Elevated creds to push payloads	Lateral admin logons from user boxes
Discovery	Query Registry (T1012)	Locale/geo checks (e.g., Geo\Nation)	Non-system reads of locale keys
Discovery	System/Network (T1082/T1016)	Host/AD/share/VM enumeration	Bursts of systeminfo, nltest, LDAP/SMB
Lateral Move	Remote Services: RDP/SMB (T1021.001/.002)	RDP, PsExec/WMI spread	New RDP, PsExec/WMI by non-IT
Def. Evasion	Impair Defences (T1562.001)	Stop AV/EDR; tamper services	EDR heartbeat drop; service stops
Def. Evasion / Impact	Inhibit Recovery (T1490)	wbadmin catalog delete; bcdedit tweaks	wbadmin/bcdedit outside maintenance windows
Def. Evasion	Clear Logs / Delete (T1070.001/.004)	Log clears; cleanup	Sudden log size shrink; mass temp deletes
Collection	Data from Local (T1005)	Stage archives for leak	Large archives in temp/profile paths
Exfiltration	To Cloud/Web (T1567.002/.003)	Sync/HTTPS to leak infra	Large egress to new SaaS/endpoints
C2	Proxy (T1090)	Tor/VPN relays, reverse tunnels	Tor bootstrap; unusual VPN ASN
Impact	Encrypt for Impact (T1486)	Multithreaded encryption, renames	Rapid rename/entropy spikes across dirs

Chaos Ransomware IOCs & Samples

SHA256

cd5df020000e93724880669c9daaeca26ecd56183667e630241aee095df16e1b

3082203c16b5c5459ae9fe55000b05a65dd143a4289934bc01dd773651698bc4

MD5

a64d9a528e1c5fc1d0a190c07d6d7571

fb6c58eb6d6ee199ad61a5b7f2f3d574

SHA1

955a91c639b2664bcf2f69c1f985136eeba5b401

b9678933f670d9c5e3b19bd974631605eb4f3853

# Ransom note & artefacts

FILE: read_it.txt

PATHS:

C:\Users\<user>\Documents\read_it.txt

BTC ADDRESS:

bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

Infrastructure / Leak

DLS (Tor):

hptqq2o2qjva7lcaaq67w36jihzivkaitkexorauw7b2yul2z6zozpqd.onion

amsfulfillment.com (discovered: 2025-09-24)

IP

144.172.103.42

45.61.134.36

107.170.35.225

File Server:

http://httj32vkww42kq3kjbsbuuv2izalkvswuyf5hepdodakrjq42ploe6ad.onion/ http://2yxf2ald2c67twt4663piypum2fu6yt4su453naxsdiilpd4m7pgu6qd.onion/ http://k6wtpxwq72gpeil5hqofae7yhbtxphbkyoe2g7rwmpx5sadc4sgsfvid.onion/

Admin Server:
http://cdgi6zjox6zr5epk7k5rg673qduxy7dlkk7ws3n4vusspr5bmhx24aqd.onion/

Mitigation:

• Block/alert: wbadmin.exe, bcdedit.exe, vssadmin.exe outside maint. windows; auto-isolate on trigger.
• Ransomware heuristics ON: mass-rename, shadow-copy deletion, ransom-note drop → quarantine host.
• Lock persistence: deny writes to ...\Startup\* and HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run*.
• WDAC/AppLocker allow-list; PowerShell v2 disabled, Constrained Language + ScriptBlock logging enabled.

Identity

• Phishing-resistant MFA on VPN/SSO; no legacy auth.
• Tiered admin + PAWs; alert on new local/domain admins or privileged token reuse.

Network (CE 5.5 IDS/IPS)

• Egress deny: Tor, new VPN ASNs, unsanctioned cloud storage/file-sharing.
• Segment backups; block SMB admin shares from user VLANs; rate-limit east-west RDP/SMB/WMI.
• Add CE 5.5 sigs for known Chaos DLS/C2 and onion gateways; sinkhole on match.

Backups

• Immutable + offline; weekly restore drills; protect ESXi/vCenter with a separate admin domain.

Detections (quick rules)

• Match strings/CLI: wbadmin delete catalog • bcdedit /set {default} recoveryenabled No • vssadmin delete shadows.
• First-seen RDP between workstations; PsExec/WMI by non-IT; sudden large archives in %TEMP%/profiles.
• File create: read_it.txt across hosts (ransom note).

IR playbook (one-liner)

• Trigger → isolate host, capture volatile, block observed IOCs/BTC, hunt lateral movement, rotate creds, verify backups, start comms/legal.

Ransomware Victims Worldwide

The United States continues to dominate the global ransomware landscape, accounting for 65.04% of all reported victims this week. This overwhelming concentration underscores its ongoing status as the most attractive target for threat actors due to its vast digital infrastructure, financial leverage, and interlinked supply chains.

Germany ranked second with 7.32%, highlighting its industrial strength and role as a key European hub for advanced manufacturing and critical sectors. Australia followed at 4.07%, maintaining its position as a consistent Asia-Pacific target. Canada also featured prominently with 3.25%, further reflecting the North American concentration of ransomware incidents.

Other notable nations included Brazil (2.44%), Italy (1.63%), Spain (1.63%), and France (0.81%), reinforcing Europe and Latin America as key secondary targets for ransomware groups.

A wide distribution of smaller-scale incidents (each 0.81%) was observed across Aruba, Turkey, Finland, Morocco, China, United Arab Emirates, New Zealand, Slovakia, Mexico, Cyprus, Singapore, Taiwan, United Kingdom, Dominican Republic, Barbados, India, and Argentina. While these countries contribute modestly to the global tally, they highlight ransomware’s opportunistic reach, extending into both advanced economies and smaller nations.