Two sides of the identical ransomware gang

0
1342
Two sides of the identical ransomware gang


Two sides of the identical ransomware gang

Two new extortion gangs named ‘TommyLeaks’ and ‘SchoolBoys’ are concentrating on firms worldwide. However, there’s a catch — they’re each the identical ransomware gang.

Last month, safety researcher MalwareHunterTeam tweeted a couple of new extortion gang generally known as ‘TommyLeaks.’

This hacking group claims to breach company networks, steal information, and demand a ransom to not leak information. Ransom calls for seen by BleepingComputer vary from $400,000 to $700,000.

TommyLeaks ransom note
TommyLeaks ransom word
Source: BleepingComputer

In October, MalwareHunterTeam found one other new extortion gang named ‘SchoolBoys Ransomware Gang’ that claims to steal information and encrypt victims’ gadgets as a part of their assaults.

SchoolBoys Ransomware Gang ransom note
SchoolBoys Ransomware Gang ransom word
Source: BleepingComputer

BleepingComputer later discovered a pattern of the SchoolBoys ransomware encryptor [VirusTotal] and confirmed it was created utilizing the leaked LockBit 3.0 builder.

SchoolBoys ransomware using LockBit's encryptor
SchoolBoys ransomware utilizing LockBit’s encryptor
Source: BleepingComputer

The menace actors steal information throughout their assaults however would not have a identified public information leak web site presently.

While there was nothing linking the teams on the time, they each used the identical Tor chat system for his or her negotiation websites.

SchoolBoy's Ransomware Gang negotiation site
SchoolBoy’s Ransomware Gang negotiation web site
Source: BleepingComputer.com
TommyLeaks negotiation site
TommyLeaks negotiation web site
Source: BleepingComputer.com

Even extra curious, this identical chat system has solely been used earlier than by the Karakurt extortion group.

Two sides of the identical coin

This week, BleepingComputer has confirmed that each TommyLeaks and the SchoolBoys Ransomware Gang are, in actual fact, the identical extortion group.

In a SchoolBoys negotiation chat shared with BleepingComputer, the menace actors greet their sufferer as “TommyLeaks” of their makes an attempt to coerce a ransom cost.

While it’s unclear why they’re using two completely different names as a part of their operation, they could be attempting an identical strategy to that taken by Conti and Karakurt.

Earlier this 12 months, AdvIntel CEO Vitali Kremez instructed BleepingComputer that Karakurt was a part of the Conti cybercrime syndicate.

When Conti’s ransomware encryptor was blocked in assaults, the hackers extorted the sufferer utilizing the already stolen information underneath the Karakurt identify fairly than the Conti model.

To take it one step additional, because the TommyLeaks/SchoolBoys group makes use of the chat system as Karakurt, we could also be seeing a rebrand of the Conti offshoot into these newer manufacturers.

While it’s too quickly to inform if that is what is happening, the extortion group is one which enterprises must control as they’re concentrating on entities of all sizes.



LEAVE A REPLY

Please enter your comment!
Please enter your name here