The Scattered LAPSUS$ Hunters cybercrime group appears to be shifting its operational tactics, according to Palo Alto Networks’ Unit 42. Analysts say recent activity on the group’s Telegram channel suggests that the actors are working on launching an extortion-as-a-service (EaaS) operation.
Since early October, Unit 42 researchers have tracked discussions on the group’s private channel, including references to establishing an extortion-as-a-service (EaaS) platform. The model, which resembles ransomware-as-a-service (RaaS) but skips file encryption, may be a deliberate move to avoid drawing the attention of international law enforcement.
Over the summer, several members linked to the Scattered Spider threat actor were arrested in the UK, and two teenagers were taken into custody following the Kido cyberattack.
Unit 42 also observed references to a new ransomware strain potentially connected to the group. Telegram posts from October 4 discussed the testing of malware believed to be codenamed SHINYSP1D3R. However, as of now, the ransomware's existence and development status remain unverified. The effectiveness of the EaaS business model is also unclear.
The threat actors also posted an ad seeking insider access at organizations across a variety of industries, with primary interest in call centers, gaming companies, hosting providers, software-as-a-service (SaaS) providers and telecom organizations. The targeted organizations would be based in countries such as the US, UK, Australia, Canada and France.
Scattered LAPSUS$ Hunters is considered part of The Com, a loosely organized network of cybercriminals that includes groups like Scattered Spider, ShinyHunters, and LAPSUS$. While the group had previously claimed in September that it was shutting down, many experts believe the announcement was an attempt at diversion amid increased law enforcement interest.