
Scattered Lapsus: Don’t Pay Hackers Who Threaten Families & Escalate Attacks

by Lisa Park - Tech Editor

A new wave of data ransom attacks is being carried out by a prolific group known as Scattered Lapsus ShinyHunters (SLSH), distinguished by a particularly aggressive playbook that extends beyond typical data theft and extortion. Unlike many ransomware operations, SLSH focuses on harassment, threats – including swatting – and leveraging media attention to pressure victims into paying, rather than encrypting data.

According to Allison Nixon, director of research at Unit 221B, SLSH differs significantly from more traditional, Russia-based ransomware groups. “Unlike traditional, highly regimented Russia-based ransomware affiliate groups, SLSH is an unruly and somewhat fluid English-language extortion gang that appears uninterested in building a reputation of consistent behavior whereby victims might have some measure of confidence that the criminals will keep their word if paid,” she explained. This lack of predictability, combined with a history of broken promises, is a key reason why experts advise against engaging with the group.

The group’s tactics involve initially gaining access to corporate networks through phishing attacks, often impersonating IT staff to steal employee credentials. A blog post from Google’s Mandiant security forensics team detailed a recent method where SLSH members contacted employees claiming to be updating Multi-Factor Authentication (MFA) settings. They then directed victims to credential harvesting sites designed to capture Single Sign-On (SSO) credentials and MFA codes, even registering their own devices for MFA access.
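One defensive check for the enrolment step described above, written as an added example rather than anything from the article or from Mandiant: it scans identity-provider events and flags an MFA-device registration that follows, within a short window, a sign-in from an IP address the user had never authenticated from before. The log schema, field names and sample events are constructed for illustration.

```python
# Added example (not from the article): flag MFA-device registrations that
# closely follow an SSO sign-in from a source the user has never used before,
# the pattern an attacker leaves after phishing SSO credentials and MFA codes
# and enrolling their own device. Schema and events below are constructed.
import json
from datetime import datetime, timedelta

# Constructed identity-provider events (hypothetical schema).
SAMPLE_LOG = """
{"ts":"2025-03-01T09:00:00Z","user":"alice","event":"sso.login","ip":"203.0.113.10"}
{"ts":"2025-03-01T09:30:00Z","user":"bob","event":"sso.login","ip":"203.0.113.10"}
{"ts":"2025-03-02T09:05:00Z","user":"alice","event":"sso.login","ip":"203.0.113.10"}
{"ts":"2025-03-03T14:20:00Z","user":"alice","event":"sso.login","ip":"198.51.100.77"}
{"ts":"2025-03-03T14:23:00Z","user":"alice","event":"mfa.device.registered","ip":"198.51.100.77","device":"phone-new"}
{"ts":"2025-03-04T10:00:00Z","user":"bob","event":"sso.login","ip":"203.0.113.10"}
{"ts":"2025-03-04T10:01:00Z","user":"bob","event":"mfa.device.registered","ip":"203.0.113.10","device":"token-2"}
"""

def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def ts(ev):
    return datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")

def suspicious_registrations(events, window=timedelta(hours=1)):
    """Return (user, device, ip) for every MFA enrolment performed within
    `window` of that user's first-ever login from the same IP address.
    Enrolments from long-established IPs (bob below) are not flagged."""
    events = sorted(events, key=ts)
    known_ips = {}   # user -> set of IPs seen in earlier logins
    first_seen = {}  # (user, ip) -> time of the first login from that IP
    hits = []
    for ev in events:
        user, ip = ev["user"], ev["ip"]
        if ev["event"] == "sso.login":
            if ip not in known_ips.setdefault(user, set()):
                known_ips[user].add(ip)
                first_seen[(user, ip)] = ts(ev)
        elif ev["event"] == "mfa.device.registered":
            t0 = first_seen.get((user, ip))
            # A never-before-seen IP logging in and enrolling a new MFA device
            # minutes later is worth an analyst's look; a known IP is not.
            if t0 is not None and ts(ev) - t0 <= window:
                hits.append((user, ev["device"], ip))
    return hits

if __name__ == "__main__":
    for user, device, ip in suspicious_registrations(parse_events(SAMPLE_LOG)):
        print(f"review MFA enrolment: user={user} device={device} ip={ip}")
```

In a real deployment the "known IP" baseline would come from weeks of history rather than the same log slice, and a hit is a review trigger, not proof of compromise.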

Once inside a network, SLSH steals sensitive internal data and then announces the breach on ephemeral Telegram channels, initiating a coordinated harassment campaign. This campaign is designed to overwhelm the victim organization and create a sense of panic, pushing them towards payment. The harassment extends beyond simple extortion demands, encompassing threats of physical violence against executives and their families, Distributed Denial of Service (DDoS) attacks on company websites, and repeated email and SMS flooding.

Perhaps most disturbingly, SLSH has been known to “swat” executives – falsely reporting a bomb threat or hostage situation at their home or workplace to elicit a heavily armed police response. Nixon noted that multiple executives at targeted organizations have been subjected to these attacks. “A big part of what they’re doing to victims is the psychological aspect of it, like harassing executives’ kids and threatening the board of the company,” she told KrebsOnSecurity.

Adding to the pressure, SLSH proactively contacts journalists, alerting them to the breach and prompting media inquiries to the victim organization while the extortion attempt is underway. This coordinated media manipulation is intended to further damage the victim’s reputation and increase the pressure to pay. According to Nixon, this tactic mirrors those used in violent sextortion schemes, aiming to keep victims continuously engaged and fearful of the consequences of non-compliance.

SLSH operates within a larger ecosystem known as “The Com,” described as a constellation of cybercrime-focused Discord and Telegram communities. This network facilitates instant collaboration and allows members to easily shift between different roles and projects. The Com is characterized by internal feuds, betrayals, and a general lack of stability, which Nixon argues further undermines any trust that victims might place in SLSH’s promises.

“With this type of ongoing dysfunction, often compounded by substance abuse, these threat actors often aren’t able to act with the core goal in mind of completing a successful, strategic ransom operation,” Nixon wrote in a blog post published today. “They continually lose control with outbursts that put their strategy and operational security at risk, which severely limits their ability to build a professional, scalable, and sophisticated criminal organization network for continued successful ransoms – unlike other, more tenured and professional criminal organizations focused on ransomware alone.”

The extortion tactics employed by SLSH are fundamentally different from traditional ransomware, which typically focuses on encrypting data and demanding a ransom for its decryption. Instead, SLSH’s approach more closely resembles violent sextortion schemes, where stolen information is used to threaten victims with public exposure unless they comply with demands. There is no guarantee that stolen data will be deleted, even if a ransom is paid.

Unit 221B advises against negotiating with SLSH, arguing that any engagement beyond a firm “We’re not paying” response only incentivizes further harassment and escalation. The firm emphasizes that while the pressure campaign may be traumatizing, entering into negotiations increases the risk of harm to employees and their families. “The breached data will never go back to the way it was, but we can assure you that the harassment will end,” Nixon said. “So, your decision to pay should be a separate issue from the harassment. We believe that when you separate these issues, you will objectively see that the best course of action to protect your interests, in both the short and long term, is to refuse payment.”

Nixon herself has been the target of threats from SLSH, with the group’s Telegram channels filled with abusive mentions and threats of violence against her and other security researchers. She notes that these threats are often used to generate media attention and create a false sense of credibility, but can also serve as indicators of compromise, as SLSH members frequently name-drop and malign security professionals in their communications with victims.

Organizations should be vigilant for specific behaviors in communications from SLSH, including repeated abusive mentions of Allison Nixon, Unit 221B, or cybersecurity journalists like Brian Krebs, as well as any threats of violence or terrorism against employees, investigators, or journalists.
