Quick Read
- A data ransom gang, SLSH, is using extreme personal threats and swatting against executives and their families.
- The group notifies journalists and regulators about breaches, escalating pressure beyond typical extortion.
- Cybersecurity experts advise victims to refuse payment entirely, as engagement can fuel further harassment.
NEW YORK (Azat TV) – A sophisticated data ransom gang, operating under the name Scattered Lapsus ShinyHunters (SLSH), has adopted a severe and personal modus operandi, targeting executives and their families with harassment, threats, and even swatting incidents. The group also notifies journalists and regulators about data breaches, with some victims reportedly paying to contain stolen data and halt escalating personal attacks. However, cybersecurity experts caution that any interaction beyond a firm refusal to pay can embolden the group.
SLSH’s Unconventional Extortion Methods
Unlike traditional, highly structured ransomware affiliate groups, SLSH operates as an unruly, fluid English-language extortion outfit. Allison Nixon, director of research at Unit 221B, notes that SLSH shows little interest in establishing a consistent reputation, which makes its promises, such as destroying stolen data, unreliable. This contrasts with many Russian-based groups that, while employing high-pressure tactics like dark web shaming blogs, often maintain a degree of predictable behavior.
Escalation Beyond Data Breaches
Nixon explains that SLSH’s extortion tactics quickly move beyond typical data theft and shaming. The group engages in threats of physical violence against executives and their families, initiates Distributed Denial-of-Service (DDoS) attacks on victim websites, and conducts persistent email-flooding campaigns. These actions are designed to overwhelm and humiliate target organizations, pushing them toward payment.
Phishing and Credential Harvesting
SLSH is known to breach companies by phishing employees over the phone, impersonating IT staff to steal sensitive internal data. In a January 30 advisory, Google’s security firm Mandiant detailed SLSH’s recent attacks, which involved actors posing as IT personnel to update Multi-Factor Authentication (MFA) settings. The attackers directed employees to fake credential harvesting sites to capture Single Sign-On (SSO) credentials and MFA codes, subsequently registering their own devices for MFA.
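The final step described above, an attacker-controlled device being registered for MFA right after a phished sign-in, can be hunted for in identity-provider logs. The following is an added example, not taken from the article or from Mandiant's advisory; the event field names, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2025-03-03T09:00:00", "user": "alice", "type": "sso_login", "ip": "198.51.100.10"},
    {"ts": "2025-03-04T09:05:00", "user": "alice", "type": "sso_login", "ip": "198.51.100.10"},
    {"ts": "2025-03-04T14:02:00", "user": "alice", "type": "sso_login", "ip": "203.0.113.77"},
    {"ts": "2025-03-04T14:06:00", "user": "alice", "type": "mfa_device_registered", "ip": "203.0.113.77"},
    {"ts": "2025-03-04T08:30:00", "user": "bob", "type": "sso_login", "ip": "192.0.2.20"},
    {"ts": "2025-03-04T09:30:00", "user": "bob", "type": "mfa_device_registered", "ip": "192.0.2.20"},
    {"ts": "2025-03-04T08:00:00", "user": "carol", "type": "sso_login", "ip": "192.0.2.30"},
    {"ts": "2025-03-04T10:00:00", "user": "carol", "type": "sso_login", "ip": "203.0.113.5"},
    {"ts": "2025-03-04T13:00:00", "user": "carol", "type": "mfa_device_registered", "ip": "203.0.113.5"},
]

WINDOW = timedelta(minutes=30)  # assumed correlation window; tune per environment


def find_suspicious_enrollments(events, window=WINDOW):
    """Flag MFA device registrations that closely follow a sign-in from an
    IP address never seen before for that user."""
    known_ips = {}     # user -> IPs seen on earlier sign-ins (the baseline)
    new_ip_login = {}  # user -> (time, ip) of the latest sign-in from a first-seen IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        seen = known_ips.setdefault(user, set())
        if ev["type"] == "sso_login":
            # A user's very first sign-in only builds the baseline, so it is not flagged.
            if seen and ip not in seen:
                new_ip_login[user] = (ts, ip)
            seen.add(ip)
        elif ev["type"] == "mfa_device_registered":
            last = new_ip_login.get(user)
            if last and ip == last[1] and ts - last[0] <= window:
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "minutes_after_login": int((ts - last[0]).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(EVENTS):
        print(alert)
```

An alert from this check is a prompt to confirm the enrollment with the employee through a known-good channel and to revoke the device and active sessions if it was not theirs.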
Psychological Warfare and Swatting Attacks
Victims often discover a breach when their company’s name appears in SLSH’s ephemeral Telegram group chats. Nixon highlights that the coordinated harassment is a deliberate strategy to manufacture humiliation and psychological distress. Multiple executives at targeted organizations have reportedly been subjected to “swatting” attacks, where SLSH fabricates bomb threats or hostage situations at their addresses, aiming to provoke a large-scale police response.
The aggressive and deeply personal nature of SLSH’s attacks signifies a concerning evolution in cyber extortion tactics, moving beyond financial motives to inflict significant psychological harm and societal disruption on victims and their families.

