<div>
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<h1>Scattered Lapsus$ Hunters extortion site goes dark: What’s next?</h1>
<p>Published 2025-10-14 (cybersecurityinfocus.com, category: education)</p>
<p>Is this really the end of the road for the notorious Scattered Lapsus$ Hunters ransomware alliance?</p>
<p>Last week, the extortion supergroup had its dark web and clearnet domains <a href="https://www.csoonline.com/article/4071014/fbi-seizes-breachforums-servers-as-threatened-salesforce-data-release-deadline-approaches.html" target="_blank" rel="noopener">seized by police</a>, the latest setback to befall the alliance that had threatened to release Salesforce data allegedly stolen from 39 companies, <a href="https://www.csoonline.com/article/4035701/we-too-were-breached-says-google-months-after-revealing-salesforce-attacks.html" target="_blank" rel="noopener">including Google</a>, in a mass social engineering attack.</p>
<p>However, one of the group’s dark web sites remained accessible. As promised, on October 10 at 11:59 p.m. EDT, the group used it to leak data stolen from half a dozen companies, in what a <a href="https://www.theregister.com/2025/10/13/scattered_lapsus_hunters_hiatus/" target="_blank" rel="noopener">Telegram message</a> claimed would be the group’s parting shot before retirement.</p>
<p>The companies whose names appeared on the site until it disappeared late on Saturday were <a href="https://www.qantasnewsroom.com.au/media-releases/qantas-cyber-incident/" target="_blank" rel="noopener">Qantas Airways</a>, <a href="https://haveibeenpwned.com/Breach/VietnamAirlines" target="_blank" rel="noopener">Vietnam Airlines</a>, Albertsons Companies, Gap Inc., Fujifilm Holdings, and Engie Resources.</p>
<p>CSO Online has not directly verified the data posted on the leak site, but the number of records claimed to have been released ranged from 5.7 million records (153GB) for Qantas down to 537,000 (3GB) in the case of Engie Resources.</p>
<h2 class="wp-block-heading">Group promises to return</h2>
<p>Despite the leak, and despite uncertainty about the fate of other data that might have been taken during the campaign against Salesforce customers, last week’s operation suggests that police are more effectively disrupting the infrastructure used by some ransomware campaigns.</p>
<p>Even so, in a characteristically <a href="https://databreach.com/news/29-fear-and-loathing-in-the-comm---scattered-lapsus-hunters-turn-extortion-into-a-service" target="_blank" rel="noopener">mocking Telegram post</a> attributed to Scattered Lapsus$ Hunters, the group promised it would return in 2026 with a new subscription-based “extortion-as-a-service” platform.</p>
<p>This would be “similar to how a RaaS [ransomware-as-a-service] program works but with no locking/encryption,” the group said in a message since removed by Telegram.</p>
<p>Customers would be able to “use our name to extort your target” on the basis that the group’s brand would make ransomware negotiators more likely to respond.</p>
<h2 class="wp-block-heading">Takedowns only slow activity</h2>
<p>According to <a href="https://www.linkedin.com/in/jeremykirk/" target="_blank" rel="noopener">Jeremy Kirk</a>, executive editor for cyber threat intelligence at research company Intel 471, police have been closing in on the individual groups represented in Scattered Lapsus$ Hunters for more than three years. This included <a href="https://www.csoonline.com/article/4013356/us-indicts-one-for-role-in-breachforums-france-arrests-four-others.html" target="_blank" rel="noopener">arresting alleged members</a>. Whether this has damaged the group in the long run remains to be seen.</p>
<p>“Law enforcement has set precedents over the last few years by repeated takedowns, and threat actors know it is riskier and riskier to administer these forums,” said Kirk. “From a cyber threat intelligence perspective, centralized forums provide much visibility into access brokering, data leaks and more.” However, he added, while “domain seizures are tactical victories, threat actors often have backups of their forum software and data and can launch the forums again.”</p>
<p>According to Kirk, “that activity doesn’t stop when forum infrastructure is disrupted, but scatters elsewhere to places such as Telegram, where it can be more challenging to follow.”</p>
<p>As long as other members remain at large, Kirk remains pessimistic that police action will do much beyond slowing activity for a while.</p>
<h2 class="wp-block-heading">Stolen data remains at risk</h2>
<p>Meanwhile, other data stolen during the Salesforce campaign will remain at risk. It is highly likely that this data will be leaked to other criminal enterprises at some point. It is this simple asymmetry that has turned data breaches into a huge business: stolen data can never be un-stolen and exists in a breached state forever. This remains true whether a ransom is paid or not.</p>
<p>“We don’t expect these threat actors’ activity to abate, and they remain a real threat to enterprises due to their skill in social engineering, and intimate knowledge of helpdesk procedures and enterprise software supply chains,” said Kirk.</p>
<p>This points to another underlying problem that allows ransomware actors to resurrect themselves: they often know where the weaknesses in technology and processes lie before the defenders do. Why? Speculatively, because criminals go looking for those weaknesses, whereas defenders have reasons not to.</p>
<p>Those criminals are also joining forces to become more effective; Scattered Lapsus$ Hunters isn’t the only alliance in the cybercrime world. In another recent development, three of the biggest Russian ransomware operations, <a href="https://www.csoonline.com/article/4070290/lockbit-dragonforce-and-qilin-form-a-cartel-to-dictate-ransomware-market-conditions.html" target="_blank" rel="noopener">DragonForce, Qilin, and LockBit, announced</a> that they had formed a criminal cartel aimed at coordinating attacks and sharing resources in response to what they described as a “challenging” extortion environment.</p>
</div>
</div>
</div>
</div>