Back to Intelligence

CHAOS Ransomware: 4-Victim Surge in North America — Firewall & RMM Exploitation

SA
Security Arsenal Team
July 8, 2026
6 min read

The CHAOS ransomware group has emerged as a highly agile threat actor focusing on "living-off-the-land" vulnerabilities and exploiting widely used remote management and perimeter security tools. Operating with a RaaS (Ransomware-as-a-Service) model, CHAOS affiliates appear to prioritize speed over stealth, with an average dwell time of 3–5 days from initial access to encryption.

  • Aliases: None confirmed (likely a rebrand or new spinoff).
  • Ransom Model: Double extortion (encryption + data leak).
  • Demands: Varying widely by victim revenue, typically starting at $500k USD.
  • Initial Access: Heavy reliance on external remote services (VPN/Firewalls) and Remote Monitoring and Management (RMM) software exploits. The group actively weaponizes CISA KEV-listed vulnerabilities immediately upon disclosure.
  • Tactics: Post-exploitation involves rapid credential dumping, lateral movement via Cobalt Strike beacons, and data exfiltration via rclone before detonating the custom-built CHAOS encryptor.

Current Campaign Analysis

Based on dark web leak site telemetry from 2026-07-06 to 2026-07-08, CHAOS has claimed 4 victims, signaling a concentrated campaign against North American critical sectors.

Targeted Sectors & Geography

  • Healthcare & Pharma: CorePharma (US) – Indicates high-value targeting for sensitive PII/PHI.
  • Business Services: Opportune (US) – Likely access via managed service provider (MSP) overlapping infrastructure.
  • Technology: GISY (US) – Potential supply chain jump or developer environment compromise.
  • Transportation/Logistics: Air Creebec (CA) – First significant cross-border expansion in this campaign.

Vulnerability Analysis & CVE Correlation

This campaign coincides with the weaponization of critical CISA KEV vulnerabilities. The victim profile aligns perfectly with organizations running exposed perimeter management interfaces:

  • Primary Vectors:
    • Check Point Security Gateway (CVE-2026-50751): The IKEv1 improper auth vulnerability allows bypassing MFA/VPN protections, giving CHAOS direct internal network access.
    • ConnectWise ScreenConnect (CVE-2024-1708): A path traversal bug enabling RCE. CHAOS is using this to hijack legitimate admin sessions in MSP environments.
  • Secondary Vectors:
    • Cisco Secure Firewall FMC (CVE-2026-20131) & Microsoft Exchange (CVE-2023-21529): Used for persistence and establishing web shells if primary access is detected or blocked.

Detection Engineering

Sigma Rules

YAML
title: Potential CHAOS Ransomware ScreenConnect Exploitation
id: 6a1b2c3d-4e5f-6789-0123-456789abcdef
description: Detects potential exploitation of ConnectWise ScreenConnect Path Traversal (CVE-2024-1708) often used by CHAOS for initial access.
status: experimental
date: 2026/07/09
author: Security Arsenal Research
logsource:
    category: webserver
detection:
    selection:
        c-uri|contains:
            - '/SetupWizard.aspx'
            - '/Host//'
            - '../'
    condition: selection
falsepositives:
    - Legitimate administrative misconfiguration
level: high
tags:
    - attack.initial_access
    - cve.2024.1708
    - ransomware.chaos
---
title: Check Point VPN IKEv1 Anomalous Authentication
id: 7b2c3d4e-5f6a-7890-1234-567890abcdef
description: Detects IKEv1 key exchange anomalies associated with CVE-2026-50751 exploitation attempts by CHAOS actors.
status: experimental
date: 2026/07/09
author: Security Arsenal Research
logsource:
    product: firewall
    vendor: check_point
detection:
    selection_ike:
        protocol: 'ike'
        ike_version: 'v1'
    selection_auth_bypass:
        action: 'accept'
        |count:
            by: src_ip
            # Threshold: > 10 successful IKEv1 connections from single IP in 1m
            timeframe: 1m
            condition: > 10
    condition: selection_ike and selection_auth_bypass
falsepositives:
    - Legacy VPN clients
    - Misconfigured VPN peers
level: critical
tags:
    - attack.initial_access
    - cve.2026.50751
    - ransomware.chaos
---
title: Suspicious Exchange PowerShell Deserialization
id: 8c3d4e5f-6a7b-8901-2345-678901bcdef
description: Detects PowerShell commands often used post-exploitation of CVE-2023-21529 on Exchange servers, common in CHAOS lateral movement.
status: experimental
date: 2026/07/09
author: Security Arsenal Research
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains:
            - 'New-ManagedFolder'
            - 'Get-ManagementRoleEntry'
            - 'SerializationBinder'
    condition: selection
falsepositives:
    - Exchange Admin Automation
level: high
tags:
    - attack.execution
    - cve.2023.21529
    - ransomware.chaos

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for CHAOS lateral movement and staging activity
// Look for large scale file operations (data staging) common before encryption
DeviceFileEvents
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "rclone.exe", "robocopy.exe")
| where ActionType == "FileCreated" 
| where FileSize > 1000000 // > 1MB
| where FolderPath contains "\\" or FolderPath contains "ProgramData"
| summarize Count=count(), FileSizeSum=sum(FileSize) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 5m)
| where Count > 50 // High volume of file creation indicates staging
| extend AlertMessage = "Potential CHAOS Ransomware Data Staging Detected"

PowerShell Response Script

PowerShell
<#
.SYNOPSIS
    Rapid Response Hardening Script for CHAOS Campaign Indicators.
.DESCRIPTION
    Checks for suspicious scheduled tasks, RDP exposure, and recent Shadow Copy manipulations.
#>

Write-Host "[+] Starting CHAOS Ransomware Response Hardening..." -ForegroundColor Cyan

# 1. Check for RDP Exposure (Port 3389)
$RDPListeners = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
if ($RDPListeners) {
    Write-Host "[!] ALERT: RDP (Port 3389) is Listening on the following addresses:" -ForegroundColor Red
    $RDPListeners | Select-Object -ExpandProperty LocalAddress
} else {
    Write-Host "[+] RDP is not listening." -ForegroundColor Green
}

# 2. Enumerate Suspicious Scheduled Tasks (Last 7 Days)
$DateCutoff = (Get-Date).AddDays(-7)
Write-Host "[+] Checking for Scheduled Tasks created/modified in the last 7 days..." -ForegroundColor Cyan
Get-ScheduledTask | Where-Object { $_.Date -gt $DateCutoff } | 
    ForEach-Object {
        $TaskInfo = $_.TaskPath + "\" + $_.TaskName
        $Action = $_.Actions.Execute
        Write-Host "[!] Suspicious Task Found: $TaskInfo" -ForegroundColor Yellow
        Write-Host "    Action: $Action"
    }

# 3. Check Volume Shadow Copy Manipulations (VssAdmin)
Write-Host "[+] Checking VSS Admin usage events in System Log..." -ForegroundColor Cyan
$VssEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='VSS'; StartTime=$DateCutoff} -ErrorAction SilentlyContinue
if ($VssEvents) {
    Write-Host "[!] Found recent VSS Admin operations (Shadow Copy activity):" -ForegroundColor Yellow
    $VssEvents | Select-Object TimeCreated, Message | Format-Table -Wrap
} else {
    Write-Host "[+] No recent suspicious VSS activity found." -ForegroundColor Green
}

Write-Host "[+] Hardening Script Complete." -ForegroundColor Cyan

Incident Response Priorities

  1. T-Minus Detection Checklist:

    • ConnectWise ScreenConnect: Immediately isolate any ScreenConnect servers. Check web logs for /SetupWizard.aspx or path traversal strings (%2e%2e).
    • Check Point Gateways: Review VPN logs for successful IKEv1 connections bypassing MFA in the last 48 hours.
    • Exchange Servers: Hunt for CmdletNew-ManagedFolder or New-MailboxExportRequest activity for non-admin accounts.
  2. Critical Assets for Exfil:

    • CHAOS historically prioritizes PII/PHI databases (Healthcare targets) and ** intellectual property/SRC code** (Technology targets).
    • Look for large egress traffic on non-standard ports (e.g., port 80/443 using user-agents mimicking browsers but high volume).
  3. Containment Actions:

    • Immediate: Disable all external RDP and VPN access for admin accounts; enforce MFA (YubiKey) for all re-enabling.
    • Urgent: Patch CVE-2024-1708 and CVE-2026-50751 immediately on internet-facing assets.
    • Secondary: Reset credentials for Service Accounts associated with Exchange and firewall management.

Hardening Recommendations

Immediate (24h)

  • Patch Management: Deploy patches for CVE-2026-50751 (Check Point) and CVE-2024-1708 (ConnectWise) to all internet-facing edge devices.
  • Network Segmentation: Enforce strict egress filtering; block RDP (3389), SMB (445), and WinRM (5985/5986) from the internet.
  • MFA Enforcement: Require phishing-resistant MFA for all VPN and Remote Management (RMM) logins.

Short-term (2 weeks)

  • Architecture: Implement a Privileged Access Workstation (PAW) model. Admins should not manage RMM/Firewall interfaces from standard user endpoints.
  • Monitoring: Deploy specific detection rules for path traversal on internal management consoles (不仅仅限于 ScreenConnect).
  • Backup Integrity: Verify offline backups are immutable and conduct a test restoration for the most critical healthcare/business data sets.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangchaoschaos-ransomwareransomware-intelcisa-kevhealthcareransomware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.