Beyond Ransomware: Scattered LAPSUS$ Hunters Launches Encryption-Free Extortion-as-a-Service
Recent posts on the Telegram channel “SLSH 6.0” have enabled researchers from Unit 42 to trace the continued operations of the Scattered LAPSUS$ Hunters group, participants in an expanding digital extortion scheme linked to the threat groups Bling Libra and Muddled Libra. Since early October, the cybercriminals have been actively promoting their own encryption-free extortion platform, promising the release of a new malware strain and recruiting insiders with access to corporate infrastructure in various countries.
On October 10, the deadline for ransom payment, the operators published stolen data from six companies across the aviation, energy, and retail sectors. According to their posts, the archives contained names, birth dates, email addresses, phone numbers, and loyalty program identifiers. The following day, the attackers announced they would not release any additional data, hinting that some of the information obtained was too sensitive to disclose publicly. A few hours later, they declared a temporary suspension of operations until next year, vowing to return with new attacks.
Unit 42’s attempt to access the leak site listed in open sources proved unsuccessful — instead, researchers discovered a message addressed to a certain “James,” referencing the FBI and the group ShinyHunters, suggesting either an intentional shift in tactics or a brief retreat into the shadows.
One of the most notable moves by the criminals was the announcement of a new Extortion-as-a-Service (EaaS) model, similar to traditional ransomware-as-a-service operations but without the use of encryption. According to the group, their emphasis is on anonymity, professional negotiation practices, and reduced exposure to law enforcement. This approach indicates an attempt to remain in a legal gray area, avoiding the overtly criminal behaviors that draw the attention of intelligence agencies.
On October 5, the group also posted a recruitment notice for insiders, particularly employees of call centers, telecommunications firms, SaaS platforms, gaming studios, and hosting providers. Their primary focus appears to be on organizations based in the United States, the United Kingdom, Canada, Australia, and France. Similar recruitment efforts were observed earlier in May, during Unit 42’s analysis of Muddled Libra’s activities.
Finally, one day before the ransom deadline, the attackers announced the development of a new ransomware strain dubbed SHINYSP1D3R. Based on their posts, it is touted as the “GTA 6 of ransomware” — promising originality in psychological pressure tactics and a focus on brand dominance. It remains unclear whether active development is underway or if the announcement serves merely as a diversionary maneuver.
Unit 42 warns that this new EaaS model, despite not directly damaging IT infrastructure, could inflict severe reputational harm on victims. The firm advises organizations to prepare response playbooks—similar to those used for ransomware incidents—by involving external experts for threat validation, potential negotiations, and data leak mitigation.