Jump to content
  • TommyLeaks and SchoolBoys: Two sides of the same ransomware gang

    alf9872000

    • 418 views
    • 3 minutes
     Share


    • 418 views
    • 3 minutes

    Two new extortion gangs named 'TommyLeaks' and 'SchoolBoys' are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang.

     

    Last month, security researcher MalwareHunterTeam tweeted about a new extortion gang known as 'TommyLeaks.'

     

    This hacking group claims to breach corporate networks, steal data, and demand a ransom not to leak data. Ransom demands seen by BleepingComputer range from $400,000 to $700,000.

     

    ransom-note-tommyleaks.jpg

    TommyLeaks ransom note - Source: BleepingComputer

     

    In October, MalwareHunterTeam discovered another new extortion gang named ‘SchoolBoys Ransomware Gang’ that claims to steal data and encrypt victims’ devices as part of their attacks.

     

    ransom-schoolboys.jpg

    SchoolBoys Ransomware Gang ransom note - Source: BleepingComputer

     

    BleepingComputer later found a sample of the SchoolBoys ransomware encryptor [VirusTotal] and confirmed it was created using the leaked LockBit 3.0 builder.

     

    schoolboys-encrypted-files.jpg

    SchoolBoys ransomware using LockBit's encryptor - Source: BleepingComputer

     

    The threat actors steal data during their attacks but do not have a known public data leak site at this time.

     

    While there was nothing linking the groups at the time, they both used the same Tor chat system for their negotiation sites.

     

    schoolboys-negotiation-site.jpg 

    SchoolBoy's Ransomware Gang negotiation site - Source: BleepingComputer.com

     

     

     

    tommyleaks-negotiation-site.jpg

    TommyLeaks negotiation site - Source: BleepingComputer.com

     

    Even more curious, this same chat system has only been used before by the Karakurt extortion group.

    Two sides of the same coin

    This week, BleepingComputer has confirmed that both TommyLeaks and the SchoolBoys Ransomware Gang are, in fact, the same extortion group.

     

    In a SchoolBoys negotiation chat shared with BleepingComputer, the threat actors greet their victim as "TommyLeaks" in their attempts to coerce a ransom payment.

     

    While it is unclear why they are utilizing two different names as part of their operation, they may be trying a similar approach to that taken by Conti and Karakurt.

     

    Earlier this year, AdvIntel CEO Vitali Kremez told BleepingComputer that Karakurt was part of the Conti cybercrime syndicate.

     

    When Conti's ransomware encryptor was blocked in attacks, the hackers extorted the victim using the already stolen data under the Karakurt name rather than the Conti brand.

     

    To take it one step further, as the TommyLeaks/SchoolBoys group uses the chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.

     

    While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...