An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation.
ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups.
These threat actors have traditionally used other ransomware gangs’ encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation so that they and their affiliates can deploy it in attacks themselves.
The article continues:
News of the upcoming RaaS first came to light on a Telegram channel, where threat actors calling themselves “Scattered Lapsus$ Hunters,” from the names of the three gangs forming the collective (Scattered Spider, Lapsus$, and ShinyHunters), were attempting to extort victims of data theft at Salesforce and Jaguar Land Rover (JLR).
The ShinySp1d3r encryptor
BleepingComputer discovered a sample of the ShinySp1d3r after it was uploaded to VirusTotal. Since then, additional samples have been uploaded, allowing researchers to analyze the upcoming ransomware encryptor.
They also tell BleepingComputer that they will not target hospitals, pharmacies, or targets such as Russia that could bring law enforcement down on them. As for hospitals and pharmacies, the article does note that other gangs have said this and gone back on their promise, and I think this group will do the same.
Even though ShinyHunters will develop and run the organization, I completely call bullshit when it comes to this crap. Nobody tells the fucking truth in this field; keep your guard up.
They are building their own encryptor, whose features are laid out in a bulleted list within the article.
When encrypting files, the ransomware uses the ChaCha20 encryption algorithm with the private key protected using RSA-2048. Each file will have its own unique extension as shown in the folder below, which ShinyHunters claimed to BleepingComputer was based on a mathematical formula.
This sounds much more sophisticated than other encryption stuff, which I’m not too familiar with.
Each encrypted file contains a file header that begins with SPDR and ends with ENDS, as shown in the image below. This header contains information about the encrypted file, including the filename, the encrypted private key, and other metadata.
Every folder on the encrypted device will contain a ransom note, currently hardcoded to R3ADME_1Vks5fYe.txt, that includes information on what happened to a victim’s files, how to negotiate the ransom, and a TOX address for communications.
The ransom note also includes a link to the Tor data leak site, but currently has a placeholder onion URL that is not valid.
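The two artifacts above, the SPDR ... ENDS file header and the hardcoded R3ADME_1Vks5fYe.txt note, are enough to write a first-pass triage script for a responder who suspects this encryptor on a host. The following is an added example written for this post; it is not code from the article, from BleepingComputer, or from the ransomware itself. It assumes the header sits at file offset 0 and treats everything between the SPDR magic and the ENDS terminator as opaque bytes, because the article does not document the header layout. The sample directory tree it builds is constructed here purely to exercise the scanner, and the extensions in it are made up.

```python
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field

# Indicators taken from the article: header magic, header terminator,
# and the hardcoded ransom note filename.
HEADER_MAGIC = b"SPDR"
HEADER_END = b"ENDS"
RANSOM_NOTE = "R3ADME_1Vks5fYe.txt"

# Assumption: a real header fits in the first 64 KiB of the file. A file
# that starts with SPDR but has no ENDS in that window is reported as
# malformed/truncated rather than silently counted as encrypted.
MAX_HEADER_SCAN = 64 * 1024


@dataclass
class TriageResult:
    encrypted_files: list[str] = field(default_factory=list)
    ransom_notes: list[str] = field(default_factory=list)
    malformed_headers: list[str] = field(default_factory=list)
    extensions: set[str] = field(default_factory=set)
    # Folders holding encrypted files but no note: the article says every
    # folder gets one, so a missing note is worth a second look.
    folders_without_note: list[str] = field(default_factory=list)


def parse_header(data: bytes) -> bytes | None:
    """Return the opaque header body between SPDR and ENDS.

    None means the data does not start with the SPDR magic at all.
    ValueError means the magic is present but no ENDS terminator follows.
    The body is not decoded; its layout is not documented in the article.
    """
    if not data.startswith(HEADER_MAGIC):
        return None
    end = data.find(HEADER_END, len(HEADER_MAGIC))
    if end == -1:
        raise ValueError("SPDR magic without ENDS terminator")
    return data[len(HEADER_MAGIC):end]


def triage(root: str) -> TriageResult:
    """Walk a tree and collect ShinySp1d3r indicators."""
    result = TriageResult()
    for dirpath, _, filenames in os.walk(root):
        has_note = False
        has_encrypted = False
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result.ransom_notes.append(path)
                has_note = True
                continue
            with open(path, "rb") as fh:
                head = fh.read(MAX_HEADER_SCAN)
            try:
                body = parse_header(head)
            except ValueError:
                result.malformed_headers.append(path)
                continue
            if body is not None:
                result.encrypted_files.append(path)
                # Per-file unique extensions: the count of distinct
                # extensions should track the count of encrypted files.
                result.extensions.add(os.path.splitext(name)[1])
                has_encrypted = True
        if has_encrypted and not has_note:
            result.folders_without_note.append(dirpath)
    return result


def build_sample_tree(base: str) -> None:
    """Constructed sample data (not real samples) to exercise triage()."""
    os.makedirs(os.path.join(base, "finance"))
    os.makedirs(os.path.join(base, "photos"))
    enc = HEADER_MAGIC + b"<opaque header bytes>" + HEADER_END + b"\x00" * 32
    files = {
        "finance/Q3_report.xlsx.k3Pq": enc,            # encrypted
        "finance/" + RANSOM_NOTE: b"ransom note text",  # note present
        "photos/holiday.jpg.z9Wm": enc,                # encrypted, no note
        "photos/readme.txt": b"plain text, untouched",
        "photos/broken.bin": HEADER_MAGIC + b"no terminator here",
        "clean.txt": b"plain text at the root",
    }
    for rel, data in files.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(data)


def demo() -> TriageResult:
    """Build the constructed tree in a temp dir and triage it."""
    base = tempfile.mkdtemp(prefix="spdr_triage_")
    build_sample_tree(base)
    return triage(base)


if __name__ == "__main__":
    r = demo()
    print(f"encrypted files : {len(r.encrypted_files)}")
    print(f"unique extensions: {len(r.extensions)}")
    print(f"ransom notes     : {len(r.ransom_notes)}")
    print(f"malformed headers: {len(r.malformed_headers)}")
    print(f"folders w/o note : {r.folders_without_note}")
```

Point it at a mounted image or a suspect share instead of the temp tree by calling triage() with that path. The script deliberately reads only the first 64 KiB of each file and never writes, so it is safe to run against evidence; the distinct-extension count is a cheap sanity check against the article's claim that every file gets its own extension.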
The article then talks about the ransom note.
“This communication has been issued on behalf of the ShinySp1d3r group. It is intended exclusively for internal incident response personnel, technical leadership, or designated external advisors,” begins the ransom note.
“A critical encryption event has taken place within your infrastructure. Certain digital assets have become inaccessible, and selected data was securely mirrored. The goal of this message is not disruption, but to provide your team with a confidential opportunity to resolve the situation efficiently and permanently.”
The ransom note goes on to say that victims have three days to begin negotiations before the attack is made public on the data leak site.
In addition to the ransom notes, the encryptor will also set a Windows wallpaper that warns the victim of what happened and urges them to read the ransom note.
While BleepingComputer only obtained the Windows encryptor, ShinyHunters says they have completed a CLI build with runtime configuration and are close to finishing versions for Linux and ESXi. They also said that a separate “lightning version” is in development, optimized for speed.
“We’re also working on a ‘lightning version’ in pure ASM. It’s like LockBit Green, another Windows locker variant, but in pure assembly, and it’s pretty simple,” ShinyHunters told BleepingComputer.
There’s a lot more here; let me know what you think.
The article is Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters.
Discover more from The Technology blog and podcast