The CHAOS ransomware group has emerged as a highly agile threat actor focusing on "living-off-the-land" vulnerabilities and exploiting widely used remote management and perimeter security tools. Operating with a RaaS (Ransomware-as-a-Service) model, CHAOS affiliates appear to prioritize speed over stealth, with an average dwell time of 3–5 days from initial access to encryption.
- Aliases: None confirmed (likely a rebrand or new spinoff).
- Ransom Model: Double extortion (encryption + data leak).
- Demands: Varying widely by victim revenue, typically starting at $500k USD.
- Initial Access: Heavy reliance on external remote services (VPN/Firewalls) and Remote Monitoring and Management (RMM) software exploits. The group actively weaponizes CISA KEV-listed vulnerabilities immediately upon disclosure.
- Tactics: Post-exploitation involves rapid credential dumping, lateral movement via Cobalt Strike beacons, and data exfiltration via rclone before detonating the custom-built CHAOS encryptor.
Current Campaign Analysis
Based on dark web leak site telemetry from 2026-07-06 to 2026-07-08, CHAOS has claimed 4 victims, signaling a concentrated campaign against North American critical sectors.
Targeted Sectors & Geography
- Healthcare & Pharma: CorePharma (US) – Indicates high-value targeting for sensitive PII/PHI.
- Business Services: Opportune (US) – Likely access via managed service provider (MSP) overlapping infrastructure.
- Technology: GISY (US) – Potential supply chain jump or developer environment compromise.
- Transportation/Logistics: Air Creebec (CA) – First significant cross-border expansion in this campaign.
Vulnerability Analysis & CVE Correlation
This campaign coincides with the weaponization of critical CISA KEV vulnerabilities. The victim profile aligns perfectly with organizations running exposed perimeter management interfaces:
- Primary Vectors:
- Check Point Security Gateway (CVE-2026-50751): The IKEv1 improper auth vulnerability allows bypassing MFA/VPN protections, giving CHAOS direct internal network access.
- ConnectWise ScreenConnect (CVE-2024-1708): A path traversal bug enabling RCE. CHAOS is using this to hijack legitimate admin sessions in MSP environments.
- Secondary Vectors:
- Cisco Secure Firewall FMC (CVE-2026-20131) & Microsoft Exchange (CVE-2023-21529): Used for persistence and establishing web shells if primary access is detected or blocked.
Detection Engineering
Sigma Rules
title: Potential CHAOS Ransomware ScreenConnect Exploitation
id: 6a1b2c3d-4e5f-6789-0123-456789abcdef
description: Detects potential exploitation of ConnectWise ScreenConnect Path Traversal (CVE-2024-1708) often used by CHAOS for initial access.
status: experimental
date: 2026/07/09
author: Security Arsenal Research
logsource:
category: webserver
detection:
selection:
c-uri|contains:
- '/SetupWizard.aspx'
- '/Host//'
- '../'
condition: selection
falsepositives:
- Legitimate administrative misconfiguration
level: high
tags:
- attack.initial_access
- cve.2024.1708
- ransomware.chaos
---
title: Check Point VPN IKEv1 Anomalous Authentication
id: 7b2c3d4e-5f6a-7890-1234-567890abcdef
description: Detects IKEv1 key exchange anomalies associated with CVE-2026-50751 exploitation attempts by CHAOS actors.
status: experimental
date: 2026/07/09
author: Security Arsenal Research
logsource:
product: firewall
vendor: check_point
detection:
selection_ike:
protocol: 'ike'
ike_version: 'v1'
selection_auth_bypass:
action: 'accept'
|count:
by: src_ip
# Threshold: > 10 successful IKEv1 connections from single IP in 1m
timeframe: 1m
condition: > 10
condition: selection_ike and selection_auth_bypass
falsepositives:
- Legacy VPN clients
- Misconfigured VPN peers
level: critical
tags:
- attack.initial_access
- cve.2026.50751
- ransomware.chaos
---
title: Suspicious Exchange PowerShell Deserialization
id: 8c3d4e5f-6a7b-8901-2345-678901bcdef
description: Detects PowerShell commands often used post-exploitation of CVE-2023-21529 on Exchange servers, common in CHAOS lateral movement.
status: experimental
date: 2026/07/09
author: Security Arsenal Research
logsource:
product: windows
service: security
detection:
selection:
EventID: 4688
NewProcessName|endswith: '\powershell.exe'
CommandLine|contains:
- 'New-ManagedFolder'
- 'Get-ManagementRoleEntry'
- 'SerializationBinder'
condition: selection
falsepositives:
- Exchange Admin Automation
level: high
tags:
- attack.execution
- cve.2023.21529
- ransomware.chaos
KQL (Microsoft Sentinel)
// Hunt for CHAOS lateral movement and staging activity
// Look for large scale file operations (data staging) common before encryption
DeviceFileEvents
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "rclone.exe", "robocopy.exe")
| where ActionType == "FileCreated"
| where FileSize > 1000000 // > 1MB
| where FolderPath contains "\\" or FolderPath contains "ProgramData"
| summarize Count=count(), FileSizeSum=sum(FileSize) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 5m)
| where Count > 50 // High volume of file creation indicates staging
| extend AlertMessage = "Potential CHAOS Ransomware Data Staging Detected"
PowerShell Response Script
<#
.SYNOPSIS
Rapid Response Hardening Script for CHAOS Campaign Indicators.
.DESCRIPTION
Checks for suspicious scheduled tasks, RDP exposure, and recent Shadow Copy manipulations.
#>
Write-Host "[+] Starting CHAOS Ransomware Response Hardening..." -ForegroundColor Cyan
# 1. Check for RDP Exposure (Port 3389)
$RDPListeners = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($RDPListeners) {
Write-Host "[!] ALERT: RDP (Port 3389) is Listening on the following addresses:" -ForegroundColor Red
$RDPListeners | Select-Object -ExpandProperty LocalAddress
} else {
Write-Host "[+] RDP is not listening." -ForegroundColor Green
}
# 2. Enumerate Suspicious Scheduled Tasks (Last 7 Days)
$DateCutoff = (Get-Date).AddDays(-7)
Write-Host "[+] Checking for Scheduled Tasks created/modified in the last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Date -gt $DateCutoff } |
ForEach-Object {
$TaskInfo = $_.TaskPath + "\" + $_.TaskName
$Action = $_.Actions.Execute
Write-Host "[!] Suspicious Task Found: $TaskInfo" -ForegroundColor Yellow
Write-Host " Action: $Action"
}
# 3. Check Volume Shadow Copy Manipulations (VssAdmin)
Write-Host "[+] Checking VSS Admin usage events in System Log..." -ForegroundColor Cyan
$VssEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='VSS'; StartTime=$DateCutoff} -ErrorAction SilentlyContinue
if ($VssEvents) {
Write-Host "[!] Found recent VSS Admin operations (Shadow Copy activity):" -ForegroundColor Yellow
$VssEvents | Select-Object TimeCreated, Message | Format-Table -Wrap
} else {
Write-Host "[+] No recent suspicious VSS activity found." -ForegroundColor Green
}
Write-Host "[+] Hardening Script Complete." -ForegroundColor Cyan
Incident Response Priorities
-
T-Minus Detection Checklist:
- ConnectWise ScreenConnect: Immediately isolate any ScreenConnect servers. Check web logs for
/SetupWizard.aspxor path traversal strings (%2e%2e). - Check Point Gateways: Review VPN logs for successful IKEv1 connections bypassing MFA in the last 48 hours.
- Exchange Servers: Hunt for
CmdletNew-ManagedFolderorNew-MailboxExportRequestactivity for non-admin accounts.
- ConnectWise ScreenConnect: Immediately isolate any ScreenConnect servers. Check web logs for
-
Critical Assets for Exfil:
- CHAOS historically prioritizes PII/PHI databases (Healthcare targets) and ** intellectual property/SRC code** (Technology targets).
- Look for large egress traffic on non-standard ports (e.g., port 80/443 using user-agents mimicking browsers but high volume).
-
Containment Actions:
- Immediate: Disable all external RDP and VPN access for admin accounts; enforce MFA (YubiKey) for all re-enabling.
- Urgent: Patch CVE-2024-1708 and CVE-2026-50751 immediately on internet-facing assets.
- Secondary: Reset credentials for Service Accounts associated with Exchange and firewall management.
Hardening Recommendations
Immediate (24h)
- Patch Management: Deploy patches for CVE-2026-50751 (Check Point) and CVE-2024-1708 (ConnectWise) to all internet-facing edge devices.
- Network Segmentation: Enforce strict egress filtering; block RDP (3389), SMB (445), and WinRM (5985/5986) from the internet.
- MFA Enforcement: Require phishing-resistant MFA for all VPN and Remote Management (RMM) logins.
Short-term (2 weeks)
- Architecture: Implement a Privileged Access Workstation (PAW) model. Admins should not manage RMM/Firewall interfaces from standard user endpoints.
- Monitoring: Deploy specific detection rules for path traversal on internal management consoles (不仅仅限于 ScreenConnect).
- Backup Integrity: Verify offline backups are immutable and conduct a test restoration for the most critical healthcare/business data sets.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.