A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a particular playbook when it seeks to extort payment from victim companies: harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying, perhaps as much to contain the stolen data as to stop the escalating personal attacks. But a top SLSH expert warns that engaging at all beyond a “We’re not paying” response only encourages further harassment, noting that the group’s fractious and unreliable history means the only winning move is not to pay.

Image: Shutterstock.com, @Mungujakisa
Unlike traditional, highly regimented Russia-based ransomware affiliate groups, SLSH is an unruly and somewhat fluid English-language extortion gang that appears uninterested in building a reputation for consistent behavior, one whereby victims might have some measure of confidence that the criminals will keep their word if paid.
That’s according to Allison Nixon, director of research at the New York City based security consultancy Unit 221B. Nixon has been closely monitoring the criminal group and its individual members as they bounce between the various Telegram channels used to extort and harass victims, and she said SLSH differs from traditional data ransom groups in other important ways that argue against trusting them to do anything they say they will do, such as destroying stolen data.
Like SLSH, many traditional Russian ransomware groups have employed high-pressure tactics to force payment in exchange for a decryption key and/or a promise to delete stolen data, such as publishing a dark web shaming blog with samples of stolen data next to a countdown clock, or notifying journalists and board members of the victim company. But Nixon said the extortion from SLSH quickly escalates far beyond that, to threats of physical violence against executives and their families, DDoS attacks on the victim’s website, and repeated email-flooding campaigns.
SLSH is known for breaking into companies by phishing employees over the phone, and using the purloined access to steal sensitive internal data. In a January 30 blog post, Google’s security forensics firm Mandiant said SLSH’s most recent extortion attacks stem from incidents spanning early to mid-January 2026, when SLSH members pretended to be IT staff and called employees at targeted victim organizations claiming that the company was updating MFA settings.
“The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA,” the blog post explained.
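The sequence Mandiant describes, a successful SSO sign-in from an address the user has never used, followed shortly by enrollment of a new MFA device, is something an identity team can hunt for in its own sign-in logs. The following Python is an added example, not code from this article, Unit 221B or Mandiant; the log format, field names, user names and IP addresses are all constructed for the example, and real identity providers emit their own schemas.

```python
"""Detect an SSO sign-in from a never-before-seen IP followed shortly by MFA device enrollment.

Added example; not code from KrebsOnSecurity, Unit 221B or Mandiant. The log
format, field names, users and addresses below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs). alice and carol enroll devices from
# networks they already use; bob's account enrolls a device two minutes after a
# sign-in from an address never seen for that user, the pattern described above.
SAMPLE_LOG = """\
2026-01-05T08:30:00Z user=alice event=sso_login ip=10.20.30.40 result=success
2026-01-12T09:02:11Z user=alice event=sso_login ip=10.20.30.40 result=success
2026-01-12T09:03:05Z user=alice event=mfa_device_enrolled ip=10.20.30.40 device=phone-1
2026-01-14T14:10:00Z user=bob event=sso_login ip=10.20.30.41 result=success
2026-01-14T15:45:22Z user=bob event=sso_login ip=203.0.113.77 result=success
2026-01-14T15:47:09Z user=bob event=mfa_device_enrolled ip=203.0.113.77 device=auth-app-2
2026-01-14T16:00:00Z user=carol event=sso_login ip=10.20.30.42 result=success
2026-01-15T08:00:00Z user=carol event=mfa_device_enrolled ip=10.20.30.42 device=phone-3
"""

# Constructed line shape: ISO-8601 UTC timestamp followed by key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split() if "=" in pair)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def find_suspicious_enrollments(log_text, window=timedelta(minutes=30)):
    """Return one finding per MFA enrollment that occurs within `window` of a
    successful SSO login from an IP the same user had never used before.

    The first login ever recorded for a user counts as a new IP, so a baseline
    of earlier sign-ins is needed or normal onboarding will also match.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    seen_ips = defaultdict(set)   # user -> IPs seen in earlier successful logins
    last_new_ip_login = {}        # user -> (ts, ip) of the latest login from a new IP
    findings = []
    for e in events:
        user, kind, ip = e.get("user"), e.get("event"), e.get("ip")
        if kind == "sso_login" and e.get("result") == "success":
            if ip not in seen_ips[user]:
                last_new_ip_login[user] = (e["ts"], ip)
            seen_ips[user].add(ip)
        elif kind == "mfa_device_enrolled":
            prior = last_new_ip_login.get(user)
            if prior and e["ts"] - prior[0] <= window:
                findings.append({
                    "user": user,
                    "device": e.get("device"),
                    "login_ip": prior[1],
                    "enroll_ip": ip,
                    "minutes_after_login": (e["ts"] - prior[0]).total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrollments(SAMPLE_LOG):
        print(f"ALERT user={f['user']} device={f['device']} login_ip={f['login_ip']} "
              f"enroll_ip={f['enroll_ip']} {f['minutes_after_login']:.1f} min after new-IP login")
```

Run stand-alone it prints a single alert, for bob. The 30-minute window and the "never seen for this user" test are tuning choices, not fixed numbers from the article; a longer window catches a patient attacker at the cost of more noise, and comparing ASN or country instead of raw IP is a common refinement. Detection is the fallback: the stronger control is to make MFA device enrollment itself require step-up authentication or administrator approval, so a harvested password and one-time code are not enough to register an attacker's device.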
Victims often first learn of the breach when their brand name is uttered on whatever ephemeral new public Telegram group chat SLSH is using to threaten, extort and harass their prey. According to Nixon, the coordinated harassment on the SLSH Telegram channels is part of a well-orchestrated strategy to overwhelm the victim organization by manufacturing humiliation that pushes them over the edge to pay.
Nixon said several executives at targeted organizations have been subject to “swatting” attacks, wherein SLSH communicated a phony bomb threat or hostage situation at the target’s address in the hope of eliciting a heavily armed police response at their home or place of work.
“A big part of what they’re doing to victims is the psychological side of it, like harassing executives’ kids and threatening the board of the company,” Nixon told KrebsOnSecurity. “And while these victims are getting extortion demands, they’re simultaneously getting outreach from media outlets saying, ‘Hey, do you have any comment on the bad things we’re going to write about you.’”
Nixon argues that no one should negotiate with SLSH because the group has demonstrated a willingness to extort victims based on promises that it has no intention of keeping. Nixon points out that all of SLSH’s known members hail from The Com, shorthand for a constellation of cybercrime-focused Discord and Telegram communities that serve as a kind of distributed social network facilitating instant collaboration.
Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility-destroying behavior, backstabbing, and sabotaging one another.
“With this kind of ongoing dysfunction, often compounded by substance abuse, these threat actors often aren’t able to act with the core goal in mind of completing a successful, strategic ransom operation,” Nixon said. “They regularly lose control with outbursts that put their strategy and operational security at risk, which severely limits their ability to build a professional, scalable, and sophisticated criminal group network for continued successful ransoms – unlike other, more tenured and professional criminal organizations focused on ransomware alone.”
Intrusions from established ransomware groups typically center on encryption/decryption malware that mostly stays on the affected machine. In contrast, Nixon said, a ransom from a Com group is often structured the same way as violent sextortion schemes against minors, wherein members of The Com steal damaging information, threaten to release it, and “promise” to delete it if the victim complies, without any guarantee or technical proof point that they will keep their word. She writes:
The SLSH group steals a significant amount of corporate data, and on the day of issuing the ransom notification, they line up a variety of harassment attacks to be delivered simultaneously with the ransom. This can include swatting, DDoS, email/SMS/call floods, negative PR, complaints sent to authority figures in and above the company, and so on. Then, during the negotiation process, they lay on the pressure with more harassment, never allowing too much time to pass before a new harassment attack.
What they negotiate for is the promise not to leak the data if you pay the ransom. This promise places a lot of trust in the extorter, because they cannot prove they deleted the data, and we believe they do not intend to delete the data. Paying gives them important information about the value of the stolen dataset, which we believe will be useful for fraud operations after this wave is complete.
A key component of SLSH’s efforts to convince victims to pay, Nixon said, involves manipulating the media into hyping the threat posed by this group. This approach also borrows a page from the playbook of sextortion attacks, she said, which encourages predators to keep targets constantly engaged and worrying about the consequences of non-compliance.
“On days where SLSH had no substantial criminal ‘win’ to announce, they focused on announcing death threats and harassment to keep law enforcement, journalists, and cybercrime industry professionals focused on this group,” she said.
Nixon knows a thing or two about being threatened by SLSH: for the past several months, the group’s Telegram channels have been replete with threats of physical violence against her, against Yours Truly, and against other security researchers. These threats, she said, are just another way the group seeks to generate media attention and achieve a veneer of credibility, but they are useful as indicators of compromise because SLSH members tend to name-drop and malign security researchers even in their communications with victims.
“Watch for the following behaviors in their communications to you or their public statements,” Nixon said. “Repeated abusive mentions of Allison Nixon (or “A.N”), Unit 221B, or cybersecurity journalists—especially Brian Krebs—or any other cybersecurity employee, or cybersecurity company. Any threats to kill, or commit terrorism, or violence against internal employees, cybersecurity employees, investigators, and journalists.”
Unit 221B says that while the pressure campaign during an extortion attempt may be traumatizing to employees, executives, and their family members, entering into drawn-out negotiations with SLSH incentivizes the group to increase the level of harm and risk, which can extend to the physical safety of employees and their families.
“The breached data will never go back to the way it was, but we can assure you that the harassment will end,” Nixon said. “So, your decision to pay should be a separate issue from the harassment. We believe that when you separate these issues, you’ll objectively see that the best course of action to protect your interests, in both the short and long term, is to refuse payment.”
