Scattered Lapsus$ Hunters extortion site goes dark: What’s next?

Is this really the end of the road for the notorious Scattered Lapsus$ Hunters ransomware alliance?

Last week, the extortion supergroup had its dark web and clearnet domains seized by police, the latest setback to befall the alliance that had threatened to release Salesforce data allegedly stolen from 39 companies, including Google, in a mass social engineering attack.

However, one of the group’s dark web sites remained accessible. As promised, on October 10 at 11.59 p.m. EDT, the group used it to leak data stolen from half a dozen companies, in what a Telegram message claimed would be the group’s parting shot before retirement.

The companies whose names appeared on the site until it disappeared late on Saturday were Qantas Airways, Vietnam Airlines, Albertsons Companies, GAP Inc, Fujifilm Holdings, and Engie Resources.

CSO Online has not directly verified the data posted on the leak site, but the number of records claimed to have been released ranged from 5.7 million records (153GB) for Qantas down to 537,000 (3GB) in the case of Engie Resources.

Group promises to return

Despite the leak, as well as uncertainty about the fate of other data that might have been taken during the campaign against Salesforce customers, last week’s operation suggests that police are more effectively disrupting the infrastructure used by some ransomware campaigns.

Even so, in a characteristically mocking Telegram post attributed to Scattered Lapsus$ Hunters, the group promised it would return in 2026 with a new subscription-based “extortion-as-a-service” platform.

This would be “similar to how a RaaS [ransomware-as-a-service] program works but with no locking/encryption,” the group said in a message, since removed by Telegram.

Customers would be able to “use our name to extort your target” on the basis that the group’s brand would make ransomware negotiators more likely to respond.

Takedowns only slow activity

According to Jeremy Kirk, executive editor for cyber threat intelligence at research company Intel 471, police have been closing in on the individual groups represented in Scattered Lapsus$ Hunters for more than three years. This included arresting alleged members. Whether this damaged the group in the long run remained to be seen.

“Law enforcement has set precedents over the last few years by repeated takedowns, and threat actors know it is riskier and riskier to administer these forums,” said Kirk. “From a cyber threat intelligence perspective, centralized forums provide much visibility into access brokering, data leaks and more.” However, he added, while “domain seizures are tactical victories, threat actors often have backups of their forum software and data and can launch the forums again.”

According to Kirk, “that activity doesn’t stop when forum infrastructure is disrupted, but scatters elsewhere to places such as Telegram, where it can be more challenging to follow.”

As long as other members remain at large, Kirk continues to be pessimistic that police action would do much beyond slowing activity for a while.

Stolen data remains at risk

Meanwhile, other data stolen during the Salesforce campaign will remain at risk. It’s highly likely that this will be leaked to other criminal enterprises at some point. It’s this simple asymmetry that has turned data breaches into a huge business: stolen data can never be un-stolen and exists in a breached state forever. This remains true whether a ransom is paid or not.

“We don’t expect these threat actors’ activity to abate, and they remain a real threat to enterprises due to their skill in social engineering, and intimate knowledge of helpdesk procedures and enterprise software supply chains,” said Kirk.

This points to another underlying problem that allows ransomware actors to resurrect themselves: they often know where the weaknesses in technology and processes lie before the defenders do. Why? One can only speculate, but the likely answer is that criminals actively look for those weaknesses, whereas defenders have reasons not to.

Those criminals are also joining forces to become more effective; Scattered Lapsus$ Hunters isn’t the only alliance in the cybercrime world. In another recent development, three of the biggest Russian ransomware operations, DragonForce, Qilin, and LockBit, announced that they’d formed a criminal cartel aimed at coordinating attacks and sharing resources in response to what they described as a “challenging” extortion environment.
