New Ransomware-as-a-Service ShinySp1d3r Emerges from ShinyHunters
Full Transcript
An in-development build of the ShinySp1d3r ransomware-as-a-service platform has emerged, offering a preview of its extortion operation. ShinySp1d3r is being developed by threat actors associated with the ShinyHunters and Scattered Spider groups, who have previously used encryptors from other ransomware operations.
According to Bleeping Computer, these groups are now creating their own ransomware to conduct attacks independently. The news broke via a Telegram channel where the group 'Scattered Lapsus$ Hunters' attempted to extort victims from Salesforce and Jaguar Land Rover.
A sample of the ShinySp1d3r encryptor was uploaded to VirusTotal, allowing researchers to analyze its capabilities. Notably, ShinySp1d3r is being developed from scratch, unlike other ransomware that often uses leaked codebases.
Its features include hooking the EtwEventWrite function so that events are not written to the Windows event log (and therefore never appear in Event Viewer), killing processes that might hinder file encryption, and filling free disk space to overwrite deleted files.
The encryptor can propagate to other devices on the local network through methods such as creating a service or using Windows Management Instrumentation. ShinySp1d3r encrypts files with the ChaCha20 algorithm, using a unique encryption key that is itself protected with RSA-2048.
Each encrypted file carries a header that marks it as encrypted and stores metadata. Victims will find a ransom note in every folder, describing the attack and giving instructions for negotiation, along with a placeholder Tor link for data leaks.
The ransom note states that victims have three days to initiate a dialogue before the attack is made public. Additionally, the malware sets a Windows wallpaper to alert victims about the encryption. Current builds of ShinySp1d3r are Windows-based, but ShinyHunters claim they are close to completing versions for Linux and ESXi, with a lightweight version also in development.
ShinyHunters assert that they will not target healthcare entities, a claim ransomware groups often make and do not always honor. As with many ransomware operations, attacks against Russia and CIS countries are reportedly off-limits because of potential law enforcement complications.
The emergence of ShinySp1d3r exemplifies the evolving landscape of cybercrime, emphasizing the necessity for organizations to stay alert against new threats.