Iranian Hackers Use Chaos Ransomware to Mask Espionage Operations

For years, the digital security playbook has been relatively straightforward: when a company sees a ransomware note, it assumes a criminal gang is hunting for a payday. But a new wave of intrusions suggests that some of the world’s most sophisticated state actors are now using that very assumption as a smoke screen.

According to new research from cybersecurity firm Rapid7, hackers tied to the Iranian government are deploying Chaos ransomware not to collect money, but to hide espionage and data theft operations. By mimicking the behavior of cybercriminals, these actors create a “false flag” that complicates attribution and distracts incident responders while the real theft occurs in the background.

The findings center on a recent intrusion attributed to MuddyWater, an Advanced Persistent Threat (APT) group linked to Iran’s Ministry of Intelligence and Security (MOIS). While the attack initially bore all the hallmarks of a standard ransomware hit, investigators found that the “ransomware” element was largely a performance designed to obscure the operation’s true intent.

Initial Access Through Microsoft Teams

The deception began with a social engineering campaign that targeted employees via Microsoft Teams. Rather than using a malicious link or file, the attackers used a more human approach: they initiated one-on-one conversations through external chat requests to build a rapport with the victims.


Once trust was established, the hackers convinced employees to enter a screen-sharing session. During these sessions, the attackers guided users to reveal VPN configuration files and enter their credentials, granting the hackers a direct door into the corporate network. To maintain their hold, the group deployed remote management tools, allowing them to move laterally through the system and exfiltrate sensitive data.

The “Tell” in the Ransomware Performance

The “ransomware” phase came last. After the data had already been stolen, the hackers sent clumsy extortion emails to employees, threatening to leak the information unless a ransom was paid. However, Rapid7 researchers noted a glaring inconsistency: the hackers never actually encrypted the company’s files. In a genuine ransomware attack, encryption is the primary lever of power. Here, it was omitted entirely.

“The use of the Chaos ransomware reflects a consistent effort to obscure operational intent and complicate attribution,” said Alexandra Blia and Ivan Feigl, the Rapid7 researchers who analyzed the breach. They noted that the lack of encryption and the awkward nature of the extortion process were key indicators that the attack was not financially motivated.

A Strategic Shift Toward Plausible Deniability

The adoption of the Chaos brand—believed to be the work of former members of the defunct Royal and BlackSuit ransomware groups—allows state actors like MuddyWater to operate with a degree of plausible deniability. If an attack looks like the work of a known criminal gang, the victim is more likely to engage a ransomware negotiator than to alert national intelligence agencies.


This convergence of state-sponsored espionage and criminal tradecraft is part of a broader global trend. By utilizing the Ransomware-as-a-Service (RaaS) framework, nation-states can blend into the “noise” of the global cybercrime ecosystem.

Feature         Traditional cybercrime           State-cover operation
Primary goal    Financial profit / extortion     Espionage, data theft or disruption
Encryption      Essential for leverage           Often omitted or used as a distraction
Attribution     Linked to criminal syndicates    Mimics criminals to hide state origin
End game        Payment of ransom                Long-term access or intelligence gathering

The Global Blueprint for Deception

Iran is not alone in this strategy. Security agencies have observed similar patterns across other geopolitical adversaries. North Korean state hackers have been linked to the use of Medusa ransomware, while Chinese espionage groups have frequently used ransomware as a cover to mask the theft of intellectual property.

The FBI has previously warned that some Iranian government hackers are “double-dipping”—using their official state access to launch financially motivated attacks on the side, essentially moonlighting as cybercriminals to monetize their skills. This overlap makes it increasingly challenging for defenders to determine if they are facing a thief, a spy, or both.

The danger of this trend is that it delays the correct response. When a company believes it is dealing with a criminal gang, the priority is recovery and negotiation. When the attacker is actually a state-sponsored group like MuddyWater, the priority should be identifying what intelligence was stolen and how the adversary is still positioned within the network for future disruptive operations.

The Rapid7 report highlights that MuddyWater has intensified its reliance on these deceptive operations as it increases its activity across Western and Middle Eastern networks, often prepositioning itself for disruptive strikes during periods of heightened geopolitical tension.

Cybersecurity professionals are advised to monitor for unusual social engineering patterns on collaboration platforms like Microsoft Teams and to treat “ransomware” incidents with skepticism if the technical markers—such as file encryption—are missing.
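The intrusion chain described earlier (external Teams chat, screen-share, VPN credentials, remote-management tooling, data theft, extortion mail with no encryption) and the advice above can be turned into a simple correlation rule. The script below is an added example written for this page; it is not code from Rapid7 or from the article. Every event kind, field name, tool name, threshold and sample record is an assumption constructed for illustration, not a real Microsoft 365, VPN, EDR or mail-gateway schema, and it runs offline on the embedded sample events.

```python
"""Correlate per-user audit events against the Teams-to-extortion chain and
flag extortion that arrives without any encryption.

Added example, not the page's or Rapid7's code. Event kinds, field names,
tool names, thresholds and sample records are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, ISO 8601 timestamps).
SAMPLE_EVENTS = [
    # jdoe: external chat -> screen share -> VPN login from an unknown address
    # -> remote-management tool -> bulk egress -> extortion mail, and no
    # encryption event anywhere: the pattern the article describes.
    {"ts": "2024-05-06T09:02:00", "user": "jdoe", "kind": "teams_chat", "external": True},
    {"ts": "2024-05-06T09:20:00", "user": "jdoe", "kind": "teams_screenshare", "external": True},
    {"ts": "2024-05-06T09:41:00", "user": "jdoe", "kind": "vpn_login",
     "src_ip": "198.51.100.23", "known_ip": False},
    {"ts": "2024-05-06T10:15:00", "user": "jdoe", "kind": "process_start",
     "image": "remote-admin-agent.exe"},
    {"ts": "2024-05-07T02:30:00", "user": "jdoe", "kind": "net_egress", "bytes_out": 9_400_000_000},
    {"ts": "2024-05-09T08:00:00", "user": "jdoe", "kind": "inbound_mail",
     "subject": "Your files will be leaked unless you pay"},
    # bwong: extortion mail preceded by mass file renames, i.e. real encryption.
    {"ts": "2024-05-06T11:00:00", "user": "bwong", "kind": "vpn_login",
     "src_ip": "198.51.100.77", "known_ip": False},
    {"ts": "2024-05-06T12:00:00", "user": "bwong", "kind": "mass_file_rename", "count": 12000},
    {"ts": "2024-05-06T12:05:00", "user": "bwong", "kind": "inbound_mail",
     "subject": "Pay the ransom to decrypt"},
    # asmith: ordinary activity only.
    {"ts": "2024-05-06T08:30:00", "user": "asmith", "kind": "vpn_login",
     "src_ip": "203.0.113.5", "known_ip": True},
]

# Assumed watch-list of remote-management binaries; tune to your own estate.
RMM_IMAGES = {"remote-admin-agent.exe", "screenconnect.clientservice.exe"}
EXTORTION_TERMS = ("unless you pay", "ransom", "leaked")
BULK_EGRESS_BYTES = 1_000_000_000   # assumed 1 GB threshold
CHAIN_WINDOW = timedelta(days=7)    # assumed: whole chain within a week


def stage_of(ev):
    """Map one raw event to a named stage of the chain, or None."""
    k = ev["kind"]
    if k == "teams_chat" and ev.get("external"):
        return "external_chat"
    if k == "teams_screenshare" and ev.get("external"):
        return "screen_share"
    if k == "vpn_login" and not ev.get("known_ip", True):
        return "new_vpn_login"
    if k == "process_start" and ev.get("image", "").lower() in RMM_IMAGES:
        return "rmm_tool"
    if k == "net_egress" and ev.get("bytes_out", 0) >= BULK_EGRESS_BYTES:
        return "bulk_egress"
    if k == "inbound_mail" and any(t in ev.get("subject", "").lower() for t in EXTORTION_TERMS):
        return "extortion_mail"
    if k == "mass_file_rename":
        return "encryption"
    return None


def stage_times(events):
    """Per user: earliest timestamp at which each stage was observed."""
    out = defaultdict(dict)
    for ev in events:
        st = stage_of(ev)
        if st is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        per_user = out[ev["user"]]
        if st not in per_user or ts < per_user[st]:
            per_user[st] = ts
    return out


def classify(stages, window=CHAIN_WINDOW):
    """Verdict for one user's stage map (empty map -> NONE)."""
    if not stages:
        return "NONE"
    in_window = (max(stages.values()) - min(stages.values())) <= window
    if "extortion_mail" in stages:
        if "encryption" in stages:
            return "RANSOMWARE"
        # Extortion with no encryption but evidence of access or theft: the
        # "tell" the article describes. Treat as intrusion, not recovery.
        if in_window and ({"rmm_tool", "bulk_egress", "new_vpn_login"} & stages.keys()):
            return "EXTORTION_WITHOUT_ENCRYPTION"
    chain = ("external_chat", "screen_share", "new_vpn_login")
    if in_window and all(s in stages for s in chain):
        times = [stages[s] for s in chain]
        if times == sorted(times):       # stages must occur in chain order
            return "CREDENTIAL_THEFT_VIA_TEAMS"
    return "NONE"


def classify_user(events, user):
    return classify(stage_times(events).get(user, {}))


if __name__ == "__main__":
    for user, stages in stage_times(SAMPLE_EVENTS).items():
        print(user, classify(stages), sorted(stages))
```

The ordering check matters: the chat, screen-share and VPN login must appear in that sequence, so an ordinary external chat days after a legitimate new-device login does not fire. The verdict deliberately ranks extortion-without-encryption above the earlier credential-theft signal, because by the time the extortion mail arrives the data has already left and the useful question is what was taken and where the adversary still sits.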

Further technical details and indicators of compromise (IoCs) related to MuddyWater’s latest campaigns are available through the official Rapid7 research portal and the Recorded Future Intelligence Cloud.

The cybersecurity community continues to track the evolution of the Chaos ransomware brand, with the next major update expected as more victims come forward to share forensic data with threat intelligence firms.

Do you think the rise of “false flag” cyberattacks will make it impossible to hold nation-states accountable? Let us know in the comments or share this story with your network.
