ShinyHunters Unleash ShinySp1d3r Ransomware-as-a-Service

Summary
– ShinySp1d3r is an emerging ransomware-as-a-service platform created by threat actors associated with ShinyHunters, Scattered Spider, and Lapsus$ groups.
– The ransomware is built from scratch with unique features including process termination, free space overwriting, network propagation, and deletion of Shadow Volume Copies.
– It encrypts files using ChaCha20 with RSA-2048 protection and leaves ransom notes with negotiation instructions and a Tor leak site link.
– The operation is led by ShinyHunters under the Scattered LAPSUS$ Hunters brand but claims to prohibit attacks on healthcare sectors and CIS countries.
– Currently in development, the ransomware has Windows, Linux, and ESXi versions planned, with a faster “lightning version” also being created.
A new ransomware-as-a-service platform called ShinySp1d3r is currently under development by threat actors linked to the ShinyHunters and Scattered Spider cybercrime collectives. This emerging RaaS represents a strategic shift for these groups, who have historically relied on encryptors from established gangs like ALPHV/BlackCat and RansomHub. Now they are building their own bespoke operation to conduct and support attacks directly.
The existence of this upcoming platform first appeared on a Telegram channel operated by individuals identifying as “Scattered Lapsus$ Hunters,” a name combining three prominent threat groups. These actors were actively attempting to extort victims of data theft incidents involving companies such as Salesforce and Jaguar Land Rover.
Security researchers obtained a sample of the ShinySp1d3r encryptor after it was uploaded to VirusTotal. Multiple subsequent uploads have allowed for deeper analysis of this new ransomware. It is important to clarify that while some early images display the name ‘Sh1nySp1d3r,’ the operation is officially using the ShinySp1d3r moniker, with future builds expected to standardize the name.
Unlike many modern ransomware families that repurpose leaked source code from LockBit or Babuk, the ShinyHunters group is constructing this encryptor entirely from the ground up. This bespoke development approach has resulted in a Windows encryptor packed with a range of features, some standard and others more novel.
According to an analysis conducted by ransomware recovery specialists at Coveware, the ShinySp1d3r encryptor includes several notable capabilities. It hooks the `EtwEventWrite` function to prevent logging activity to the Windows Event Viewer, a common tactic to evade detection. The malware terminates processes that could keep files open and block encryption, iterating through processes with file handles and killing them. A planned `forceKillUsingRestartManager` function that would leverage the Windows Restart Manager API is not yet active.
To complicate data recovery, the ransomware fills a drive’s free space by writing random data into temporary files named ‘wipe-[random].tmp’, effectively overwriting the sectors that deleted files once occupied. It also terminates a predefined list of processes and services, and it checks the available system memory to determine the optimal data chunk size for reading during the encryption process.
A particularly dangerous feature is its ability to propagate across a local network using multiple methods. These include creating a service to run the malware (`deployViaSCM`), executing the malware via Windows Management Instrumentation (`deployViaWMI`), and attempting to deploy through Group Policy Objects by creating a startup script (`attemptGPODeployment`).
The ransomware also incorporates anti-analysis measures, overwriting memory buffer contents to hinder forensic examination. It systematically deletes Shadow Volume Copies to eliminate a primary method for restoring encrypted files without paying a ransom. The encryptor actively searches for hosts with accessible network shares and attempts to encrypt those as well.
File encryption employs the ChaCha20 algorithm with the private key secured by RSA-2048 encryption. Interestingly, files are encrypted using different chunk sizes and offsets, though the reason for this variation and whether the data is stored in the file header remains unclear. Each encrypted file receives a unique extension, which the threat actors claim is generated by a mathematical formula.
Every encrypted file contains a header that starts with the marker ‘SPDR’ and ends with the marker ‘ENDS’. This header stores critical metadata about the file, including the original filename and the encrypted private key.
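The two artefacts described above, the ‘wipe-[random].tmp’ free-space files and the ‘SPDR’…‘ENDS’ header on encrypted files, are the kind of indicators an incident responder would sweep a file system for during triage. The following is an added example written for this page, not code from the article or from Coveware’s analysis. It assumes only what the article states (the two marker strings and the temporary-file naming pattern); where the header sits inside a file and what lies between the markers is not public, so the script assumes the header falls within the first or last 64 KiB of a file and returns the raw span for an analyst instead of parsing fields. All sample files it creates are constructed stand-ins, not real encryptor output.

```python
"""Triage sweep for ShinySp1d3r-style artefacts (added example, not the article's code)."""
import os
import re
import tempfile
from pathlib import Path

# Header markers reported for encrypted files (from the article).
HEADER_START = b"SPDR"
HEADER_END = b"ENDS"
# Naming pattern of the temporary files written while overwriting free space.
WIPE_TMP = re.compile(r"^wipe-.+\.tmp$", re.IGNORECASE)
# Assumption (not stated in the article): the header is within the first or last 64 KiB.
PROBE_BYTES = 64 * 1024


def find_spdr_header(data: bytes):
    """Return the 'SPDR'...'ENDS' span (markers included) if present, else None.

    Only the two markers are public, so the span is returned raw for an analyst
    rather than decoded into fields whose layout is unknown.
    """
    start = data.find(HEADER_START)
    if start < 0:
        return None
    end = data.find(HEADER_END, start + len(HEADER_START))
    if end < 0:
        return None
    return data[start:end + len(HEADER_END)]


def classify_file(path: Path) -> str:
    """Label one regular file as 'encrypted', 'wipe-tmp' or 'clean'."""
    if WIPE_TMP.match(path.name):
        return "wipe-tmp"
    size = path.stat().st_size
    with path.open("rb") as fh:
        head = fh.read(PROBE_BYTES)
        tail = b""
        if size > PROBE_BYTES:  # header may have been appended at the end
            fh.seek(size - PROBE_BYTES)
            tail = fh.read(PROBE_BYTES)
    if find_spdr_header(head) or find_spdr_header(tail):
        return "encrypted"
    return "clean"


def triage(root) -> dict:
    """Walk root and bucket every regular file by classify_file()."""
    buckets = {"encrypted": [], "wipe-tmp": [], "clean": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                buckets[classify_file(p)].append(str(p))
            except OSError:  # unreadable or vanished file: skip, keep sweeping
                continue
    return buckets


def build_sample_tree(root) -> None:
    """Create constructed sample files (not real encryptor output) for a dry run."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    # Constructed 'encrypted' file: marker, dummy metadata, end marker, filler bytes.
    (root / "report.docx.x7q2").write_bytes(
        HEADER_START + b"\x00" * 16 + b"report.docx" + HEADER_END + os.urandom(256)
    )
    # Constructed free-space wipe file, named per the article's pattern.
    (root / "wipe-a1b2c3.tmp").write_bytes(os.urandom(512))
    # Ordinary file that must stay 'clean'.
    (root / "notes.txt").write_bytes(b"quarterly numbers look fine\n")
    # Larger than PROBE_BYTES, with the header at the end, to exercise the tail scan.
    (root / "big.bin.k93d").write_bytes(
        os.urandom(PROBE_BYTES + 1024) + HEADER_START + b"big.bin" + HEADER_END
    )


def run_demo() -> dict:
    """Build the sample tree in a temp dir, sweep it, and return per-bucket counts."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        result = triage(d)
    return {k: len(v) for k, v in result.items()}


if __name__ == "__main__":
    print(run_demo())  # expected: {'encrypted': 2, 'wipe-tmp': 1, 'clean': 1}
```

Point `triage()` at a mounted image or share rather than the demo tree to inventory affected files; the marker check is a heuristic, so a hit on an otherwise unmodified file (for example a text file that happens to contain both strings) should be confirmed by inspecting the returned header span before it is counted as encrypted.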
Victims find a ransom note in every folder on their compromised system. The note explains that their files have been encrypted and data was exfiltrated. It provides instructions for negotiating a ransom and includes a TOX address for communication. A link to a Tor data leak site is also present, though it currently uses a non-functional placeholder URL.
The ransom note states, “This communication has been issued on behalf of the ShinySp1d3r group. It is intended exclusively for internal incident response personnel, technical leadership, or designated external advisors. A critical encryption event has taken place within your infrastructure. Certain digital assets have become inaccessible, and selected data was securely mirrored. The goal of this message is not disruption, but to provide your team with a confidential opportunity to resolve the situation efficiently and permanently.”
Victims are given a three-day window to initiate negotiations before the attackers threaten to publish the stolen data on their leak site. In addition to the notes, the encryptor changes the Windows desktop wallpaper to a warning message directing the user to read the ransom note.
While the currently available sample is a Windows encryptor, ShinyHunters claim to have completed a command-line interface build with runtime configuration. They also report being close to finalizing versions for Linux and ESXi systems. A separate “lightning version” is reportedly in development, described as a pure assembly variant optimized for speed, similar to the LockBit Green locker.
As this is a debug build of ransomware still in development, more features will likely be incorporated in future releases. The RaaS operation itself will be managed by the ShinyHunters group under the “Scattered LAPSUS$ Hunters” brand, reflecting the collaborative nature of these threat actors.
The group asserts that their encryptor cannot be used to target organizations in the healthcare sector, including pharmaceutical companies, hospitals, clinics, and insurance providers. However, similar promises from other ransomware gangs have often been broken. Mirroring policies of other operations, attacks against Russia and other CIS countries are also prohibited, a common rule since many affiliates originate from these regions and wish to avoid local law enforcement attention.
It is worth noting that the ransom note’s content is hard-coded into each specific build of the encryptor.
(Source: Bleeping Computer)