Cybersecurity researchers at Fortinet’s FortiGuard Labs have found that the already destructive Chaos ransomware has taken a worrying turn, becoming faster and far more aggressive than before.
This new version, known as Chaos-C++ ransomware, emerged in 2025. It targets Microsoft Windows users and represents a significant shift, as it is believed to be the first version of the malware not built on .NET. Instead, it is written in C++, which allows it to execute destructive actions at increased speed.
The Evolution of Chaos Ransomware
The Chaos ransomware family’s older variants, like Chaos_2021, BlackSnake, and Lucky_Gh0$t, were crude and unreliable; they frequently acted as unintentional wiper malware, simply deleting large files while encrypting small ones (< 2 MB in some cases). The new variant changes the game completely.
Instead of slowly encrypting everything, it surgically skips files between 50 MB and 1.3 GB. Its primary goal is speed, allowing it to hit the network and disappear before security systems can react. It focuses on massive, high-value files (like server backups) over 1.3 GB and instantly deletes them without any attempt at encryption. This ensures the maximum amount of damage with zero chance of recovery.
As per FortiGuard Labs’ analysis, shared with Hackread.com, this unusual strategy means the largest, most critical files are rendered unrecoverable, regardless of whether a ransom is paid. In short, Chaos-C++ is built for speed and maximum irreversible destruction.
The researchers note that this destructive variant has effectively perfected the wiper behaviour seen inconsistently in its predecessors, shifting the focus from financial extortion to maximising damage and speed.
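The size tiers described above give defenders a recognisable file-activity pattern: small files rewritten, the 50 MB to 1.3 GB range left alone, and larger files deleted outright. The following Python detection logic is an added example, not code from FortiGuard Labs or the article; it flags any process whose activity within a time window matches that pattern. The event schema, process names, paths, the 60-second window and the count thresholds are constructed assumptions, as are treating files under 50 MB as the encrypted tier and reading MB/GB as binary units.

```python
from collections import defaultdict

MB = 1024 ** 2
SKIP_MIN = 50 * MB               # article: files between 50 MB ...
SKIP_MAX = int(1.3 * 1024 * MB)  # ... and 1.3 GB are skipped (binary units assumed)

# Constructed events, hypothetical schema: (second, process, action, path, size_bytes)
EVENTS = [
    (0, "sysopt.exe", "write", r"C:\Users\a\notes.docx", 40_000),
    (1, "sysopt.exe", "write", r"C:\Users\a\budget.xlsx", 900_000),
    (2, "sysopt.exe", "write", r"C:\Users\a\scan.pdf", 12 * MB),
    (3, "sysopt.exe", "delete", r"D:\Backups\full_mon.vhdx", 40 * 1024 * MB),
    (4, "sysopt.exe", "delete", r"D:\Backups\sql_dump.bak", 6 * 1024 * MB),
    (5, "rotate.exe", "delete", r"D:\Backups\full_old.vhdx", 38 * 1024 * MB),
    (6, "rotate.exe", "write", r"D:\Backups\index.db", 200 * MB),
    (10, "cleaner.exe", "delete", r"E:\tmp\a.iso", 4 * 1024 * MB),
    (11, "cleaner.exe", "delete", r"E:\tmp\b.iso", 5 * 1024 * MB),
    (12, "cleaner.exe", "delete", r"E:\tmp\c.mkv", 700 * MB),
]

def tier(size):
    """Map a file size to the tier the article describes."""
    if size > SKIP_MAX:
        return "large"
    return "mid" if size >= SKIP_MIN else "small"

def find_suspects(events, window=60, min_large_deletes=2, min_small_writes=3):
    """Return {process: [large files deleted]} for processes matching the tier pattern."""
    by_proc = defaultdict(list)
    for ev in sorted(events):
        by_proc[ev[1]].append(ev)
    suspects = {}
    for proc, evs in by_proc.items():
        for start in (e[0] for e in evs):
            burst = [e for e in evs if start <= e[0] <= start + window]
            large = [e[3] for e in burst if e[2] == "delete" and tier(e[4]) == "large"]
            small = [e for e in burst if e[2] == "write" and tier(e[4]) == "small"]
            mid = [e for e in burst if tier(e[4]) == "mid"]
            # Pattern: small files rewritten, mid tier untouched, large files deleted.
            if len(large) >= min_large_deletes and len(small) >= min_small_writes and not mid:
                suspects[proc] = large
                break
    return suspects

if __name__ == "__main__":
    print(find_suspects(EVENTS))
```

The backup rotation and temp-file cleanup processes in the sample are not flagged, because neither combines small-file rewrites with large-file deletions while leaving the middle tier untouched.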

It is distributed via a fake tool called System Optimizer v2.1, tricking users into installing the malware while it runs in the background. The attack culminates with the malware dropping a ransom note in the affected directories, demanding payment and providing contact information.
Stealing Cryptocurrency
Further probing revealed that Chaos-C++ also introduces a new, sneaky capability: clipboard hijacking, a mechanism mainly designed for cryptocurrency theft. When a user copies a Bitcoin wallet address to their clipboard, for example to paste it for a payment, the ransomware checks the address’s format.
If it recognises a valid Bitcoin wallet, it automatically swaps it with a hardcoded address belonging to the attacker. As a result, any cryptocurrency payment a victim attempts to make is redirected straight to the criminal’s wallet.
The variant shows how ransomware continues to evolve to become “faster, smarter, and more dangerous,” researchers conclude. To avoid becoming a victim, users are advised to be extremely cautious about downloading and running any unauthorised software.