TommyLeaks and SchoolBoys: Two sides of the same ransomware gang

    alf9872000

    • 296 views
    • 3 minutes

    Two new extortion gangs named 'TommyLeaks' and 'SchoolBoys' are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang.

    Last month, security researcher MalwareHunterTeam tweeted about a new extortion gang known as 'TommyLeaks.'

    This hacking group claims to breach corporate networks, steal data, and demand a ransom not to leak data. Ransom demands seen by BleepingComputer range from $400,000 to $700,000.

    [Image: TommyLeaks ransom note - Source: BleepingComputer]

    In October, MalwareHunterTeam discovered another new extortion gang named ‘SchoolBoys Ransomware Gang’ that claims to steal data and encrypt victims’ devices as part of their attacks.

    [Image: SchoolBoys Ransomware Gang ransom note - Source: BleepingComputer]

    BleepingComputer later found a sample of the SchoolBoys ransomware encryptor [VirusTotal] and confirmed it was created using the leaked LockBit 3.0 builder.

    [Image: SchoolBoys ransomware using LockBit's encryptor - Source: BleepingComputer]

    The threat actors steal data during their attacks but do not have a known public data leak site at this time.

    While there was nothing linking the groups at the time, they both used the same Tor chat system for their negotiation sites.

    [Image: SchoolBoys Ransomware Gang negotiation site - Source: BleepingComputer.com]

    [Image: TommyLeaks negotiation site - Source: BleepingComputer.com]

    Even more curious, this same chat system has only been used before by the Karakurt extortion group.

    Two sides of the same coin

    This week, BleepingComputer has confirmed that both TommyLeaks and the SchoolBoys Ransomware Gang are, in fact, the same extortion group.

    In a SchoolBoys negotiation chat shared with BleepingComputer, the threat actors greet their victim as "TommyLeaks" in their attempts to coerce a ransom payment.

    While it is unclear why they are utilizing two different names as part of their operation, they may be trying a similar approach to that taken by Conti and Karakurt.

    Earlier this year, AdvIntel CEO Vitali Kremez told BleepingComputer that Karakurt was part of the Conti cybercrime syndicate.

    When Conti's ransomware encryptor was blocked in attacks, the hackers extorted the victim using the already stolen data under the Karakurt name rather than the Conti brand.

    To take it one step further, since the TommyLeaks/SchoolBoys group uses the same chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.

    While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.

    Source