New Chaos-C++ Ransomware Hits Windows: Data Wiped and Crypto Stolen

Researchers from Fortinet’s FortiGuard Labs have uncovered a troubling development in the world of ransomware: the Chaos ransomware has evolved into a faster and more aggressive variant known as Chaos-C++. This progression marks a significant shift in its operational strategy, since it is reportedly the first iteration not built on the .NET programming language but written in C++, which lets it carry out its harmful actions at a notably accelerated pace.

Emerging in 2025, Chaos-C++ primarily targets users of Microsoft Windows. This iteration is a profound departure from previous versions such as Chaos_2021, BlackSnake, and Lucky_Gh0$t, which were notorious for their ineffectiveness and for unintentionally wiping data: they deleted large files while attempting to encrypt smaller ones. In contrast, Chaos-C++ is built for precision and speed.

The new variant changes the dynamics of ransomware attacks: rather than methodically encrypting every file, it deliberately skips files between 50 MB and 1.3 GB in size. Its objective is to strike quickly, compromising a network and withdrawing before security defenses can respond. The ransomware zeroes in on substantial, high-value files, particularly server backups over 1.3 GB, and deletes them outright rather than encrypting them. This approach maximizes destruction and leaves victims with virtually no chance of data recovery.

The analysis by FortiGuard Labs underscores a marked evolution in the Chaos ransomware family: the variant now combines extortion with wiper capabilities. Many of the tactics seen in prior iterations have coalesced into a focused strategy that aims to inflict maximum damage rather than solely pursue monetary gain.

Installation of this malicious software often occurs via a deceptive tool dubbed System Optimizer v2.1, which lures users into unwittingly executing the ransomware while it operates silently in the background. The attack culminates with the distribution of a ransom note within compromised directories, outlining the demanded payment and providing contact details for the perpetrators.

The Cryptocurrency Threat

In a further examination of its functionalities, Chaos-C++ has introduced a clipboard hijacking feature designed for cryptocurrency theft. When a victim copies a Bitcoin wallet address for transactions, the ransomware scans the clipboard for valid wallet formats. Upon identifying a legitimate Bitcoin address, it replaces it with a hardcoded address belonging to the attacker. Consequently, any cryptocurrency transaction the victim attempts to make is funneled directly to the criminal’s account.
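The clipboard-swap behaviour described above can be detected from the defender's side by validating what the user copied against what the clipboard later holds. The following is an added example written for this article, not code from FortiGuard Labs or from the malware; it assumes a simple event model (hypothetical "copy" and "poll" events) and handles only legacy base58check addresses, leaving bech32 addresses out of scope.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # leading '1' = zero byte

def _b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def is_legacy_btc_address(s: str) -> bool:
    """Well-formed base58check address: version 0x00 (P2PKH '1...') or 0x05 (P2SH '3...')."""
    try:
        raw = _b58decode(s)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and raw[21:] == _checksum(raw[:21])

def encode_address(version: int, hash160: bytes) -> str:
    payload = bytes([version]) + hash160
    return _b58encode(payload + _checksum(payload))

def find_clipboard_swaps(events):
    """events: (source, text) pairs, 'copy' = the user copied, 'poll' = a monitor read the
    clipboard. Returns (user_address, replacement) pairs where a polled clipboard holds a
    different valid address than the one the user last copied (hypothetical event model)."""
    swaps, last_user = [], None
    for source, text in events:
        if source == "copy":
            last_user = text if is_legacy_btc_address(text) else None
        elif source == "poll" and last_user and text != last_user and is_legacy_btc_address(text):
            swaps.append((last_user, text))
    return swaps

# Constructed sample: the user copies the Bitcoin genesis-block address; a later poll finds
# a different valid address (constructed here from a dummy hash160, not a real wallet).
GENESIS = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
ATTACKER = encode_address(0x00, b"\x11" * 20)
SAMPLE_EVENTS = [("copy", GENESIS), ("poll", GENESIS), ("poll", ATTACKER)]
```

A real monitor would poll the system clipboard instead of consuming a prepared event list; the comparison logic stays the same.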

This incident exemplifies the ongoing transformation of ransomware, reinforcing claims that it is becoming increasingly “faster, smarter, and more dangerous.” With this rapid evolution, business owners must remain vigilant against unauthorized software downloads and installations.

As this incident unfolds, it stands as a reminder of the evolving landscape of cyber threats, necessitating heightened awareness and proactive measures among all stakeholders. The potential tactics implicated in such attacks may align with the MITRE ATT&CK framework, including adversarial strategies for initial access, execution, and data destruction.
