The Rise of ‘Scattered Lapsus ShinyHunters’: A New Breed of Cyber Extortion
A particularly aggressive data ransom gang, known as Scattered Lapsus ShinyHunters (SLSH), is redefining the playbook for cyber extortion. Unlike traditional ransomware operations focused primarily on data encryption, SLSH employs a disturbing combination of data theft, harassment, threats, and even “swatting” – falsely reporting emergencies to trigger armed police responses at victims’ homes – to force payouts.
Beyond Ransomware: The Tactics of SLSH
SLSH distinguishes itself through relentless and personal attacks. While many ransomware groups stop at threatening to publish stolen data, SLSH escalates quickly: it targets executives and their families with threats of physical violence, launches denial-of-service attacks, and floods victims with email. This coordinated harassment, often run out of short-lived Telegram channels, is meant to overwhelm an organization and push it toward payment.
According to Allison Nixon, director of research at Unit 221B, SLSH's approach differs significantly from that of the more established, Russia-based ransomware groups. Those groups operate with a degree of predictability, offering at least a semblance of assurance that data will be deleted upon payment. SLSH, however, appears uninterested in building such a reputation.
The Com Connection: A Network of Cybercrime
A key factor in understanding SLSH’s erratic behavior lies in its origins within “The Com” – a sprawling network of cybercrime-focused Discord and Telegram communities. This ecosystem fosters collaboration but also breeds infighting, betrayal, and instability. Nixon notes that members of SLSH frequently engage in disputes and sabotage, hindering their ability to operate as a cohesive and professional criminal organization.
This dynamic resembles violent sextortion schemes, in which stolen, damaging material is held over the victim with a threat of release unless demands are met, and with no guarantee it will ever be deleted. SLSH uses the same lever: it promises deletion of stolen data while having no technical means of proving that the data is gone, and every party that handled the copy retains the ability to leak it later.
Phishing for Credentials: The Initial Access Vector
SLSH frequently gains initial access to victim networks through targeted phishing and voice phishing (vishing) rather than through malware. In recent attacks described by Google's Mandiant, the actors pose as internal IT staff, contact employees directly, and ask for Single Sign-On (SSO) credentials or an MFA re-enrollment under the pretext of an "MFA update." Once the attacker's own device is enrolled as a factor, the compromised account looks fully authenticated to the IdP, and the actor can move into email, SaaS tools, and data stores without tripping a password-based alert. The practical consequence is that MFA enrollment and reset events deserve the same scrutiny as password resets.
The group was also linked to a campaign that abused Gainsight, a third-party application that integrates with Salesforce, to obtain OAuth tokens and reach hundreds of customers' Salesforce environments. This incident underscores the risk of supply chain attacks through connected applications: a single vendor's OAuth tokens can grant data access across every tenant that installed the app, so inventorying connected apps, minimizing the scopes they are granted, and being able to revoke their tokens quickly is as important as securing the organization's own logins.
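The pattern above (a social-engineered MFA enrollment followed by a login from somewhere the user has never been) is something a SOC can hunt for in IdP audit logs. The following detector is an added example, not code from the original article, Mandiant, or any IdP vendor; the event schema, the `session.start` / `mfa.factor.enroll` / `mfa.factor.reset` event names, and the sample log lines are all constructed here for illustration (the ASNs are from the RFC 5398 documentation range).

```python
"""Flag accounts where an MFA factor was enrolled or reset and, shortly after,
a session started from a network (ASN) the user had never used before.

The event shape below is an assumed, vendor-neutral audit-log format; map your
IdP's real field names onto it before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for demonstration only (not a real log).
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T08:01:00Z", "user": "alice", "event": "session.start",     "asn": "AS64500"},
    {"ts": "2025-03-03T08:05:00Z", "user": "alice", "event": "session.start",     "asn": "AS64500"},
    # "IT helpdesk" call: alice enrolls a new factor on the attacker's device...
    {"ts": "2025-03-03T14:20:00Z", "user": "alice", "event": "mfa.factor.enroll", "asn": "AS64500"},
    # ...and eleven minutes later a session starts from a network alice never used.
    {"ts": "2025-03-03T14:31:00Z", "user": "alice", "event": "session.start",     "asn": "AS64496"},
    # bob legitimately re-enrolls and keeps logging in from his usual network.
    {"ts": "2025-03-03T09:00:00Z", "user": "bob",   "event": "session.start",     "asn": "AS64500"},
    {"ts": "2025-03-03T09:10:00Z", "user": "bob",   "event": "mfa.factor.enroll", "asn": "AS64500"},
    {"ts": "2025-03-03T09:15:00Z", "user": "bob",   "event": "session.start",     "asn": "AS64500"},
]

ENROLL_EVENTS = {"mfa.factor.enroll", "mfa.factor.reset"}
DEFAULT_WINDOW = timedelta(hours=1)


def parse_ts(value: str) -> datetime:
    """Parse the ISO 8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_enrollments(events, window=DEFAULT_WINDOW):
    """Return one finding per login that (a) follows an MFA enroll/reset for the
    same user within `window` and (b) comes from an ASN not in that user's
    history up to that point. Each finding is a dict with user, enroll_ts,
    login_ts and asn.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["ts"]))
        seen_asns = set()        # baseline of networks this user has logged in from
        pending_enrollments = []  # recent enroll/reset timestamps awaiting a login
        for event in user_events:
            ts = parse_ts(event["ts"])
            if event["event"] in ENROLL_EVENTS:
                pending_enrollments.append(ts)
                continue
            if event["event"] != "session.start":
                continue
            # Forget enrollments that are older than the correlation window.
            pending_enrollments = [p for p in pending_enrollments if ts - p <= window]
            if pending_enrollments and event["asn"] not in seen_asns:
                findings.append({
                    "user": user,
                    "enroll_ts": pending_enrollments[0].isoformat(),
                    "login_ts": ts.isoformat(),
                    "asn": event["asn"],
                })
            # A login without a recent enrollment just extends the baseline
            # (normal travel); only the enroll-then-new-network pair is flagged.
            seen_asns.add(event["asn"])
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(finding)
```

The baseline is built in event order, so a user's very first login from a new office does not fire unless it sits right after a factor change; tune the window to the time your help desk takes to complete a legitimate reset, and consider adding the actor that performed the reset (help-desk operator versus the user) as a second signal.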
The Media Manipulation Game
SLSH actively tries to manipulate the media, seeking to amplify its threat and generate fear. This tactic, mirroring the one used in sextortion, is meant to keep victims continuously worried about the consequences of non-compliance. The group also routinely threatens journalists and security professionals who investigate its activities.
Why Paying SLSH is a Bad Idea
Despite the intense pressure, experts strongly advise against paying SLSH. Nixon argues that engaging with the group beyond a firm "We're not paying" response only invites further harassment. Given the group's record of broken promises and internal dysfunction, there is no guarantee that payment will result in data deletion or an end to the attacks.
Future Trends and Implications
The emergence of groups like SLSH signals a concerning shift in the cyber threat landscape. Several trends are likely to emerge:
- Increased Personalization of Attacks: Expect more attacks targeting individuals within organizations, rather than solely focusing on infrastructure.
- Expansion of Extortion Tactics: Beyond data theft and threats, attackers may employ more sophisticated forms of coercion, such as manipulating public opinion or disrupting critical services.
- Greater Reliance on Social Engineering: Phishing and vishing attacks will become increasingly sophisticated, leveraging psychological manipulation to bypass security measures.
- Proliferation of "as-a-Service" Crime Models: Com-like ecosystems will likely continue to facilitate the sharing of tools, access, and techniques, lowering the barrier to entry for aspiring cybercriminals.
- Targeting of SSO Platforms: Attacks on SSO platforms like Okta will likely increase, as they provide access to a wide range of applications and data.
FAQ
Q: What is “swatting”?
A: Swatting is the act of falsely reporting a serious emergency, such as a bomb threat or hostage situation, to trigger an armed police response at a target’s location.
Q: What is The Com?
A: The Com is a network of cybercrime-focused Discord and Telegram communities that facilitates collaboration and the sharing of tools and techniques among cybercriminals.
Q: Should I pay a ransom demand?
A: Experts strongly advise against paying ransom demands, as it encourages further criminal activity and does not guarantee data recovery or a cessation of attacks.
Q: How can I protect my organization from SLSH?
A: Implement robust security measures, including multi-factor authentication, employee training on phishing and vishing awareness, and regular security assessments. Because SLSH's initial access often comes from talking an employee into an MFA reset or re-enrollment, pair MFA with phishing-resistant factors where possible, require strong identity verification before the help desk resets a factor, alert on MFA enrollment events, and keep an inventory of third-party applications holding OAuth tokens to your SaaS platforms so they can be revoked quickly.
Did you know? SLSH members often name-drop security researchers and journalists in their communications with victims, potentially as a tactic to intimidate or discredit them.
