Two new extortion gangs named ‘TommyLeaks’ and ‘SchoolBoys’ are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang.
Last month, security researcher MalwareHunterTeam tweeted about a new extortion gang known as ‘TommyLeaks.’
This hacking group claims to breach corporate networks, steal data, and demand a ransom not to leak data. Ransom demands seen by BleepingComputer range from $400,000 to $700,000.
In October, MalwareHunterTeam discovered another new extortion gang named ‘SchoolBoys Ransomware Gang’ that claims to steal data and encrypt victims’ devices as part of their attacks.
BleepingComputer later found a sample of the SchoolBoys ransomware encryptor [VirusTotal] and confirmed it was created using the leaked LockBit 3.0 builder.
The threat actors steal data during their attacks but do not have a known public data leak site at this time.
While there was nothing linking the groups at the time, they both used the same Tor chat system for their negotiation sites.
SchoolBoy’s Ransomware Gang negotiation site Source: BleepingComputer.com
TommyLeaks negotiation site Source: BleepingComputer.com
Even more curious, this same chat system has only been used before by the Karakurt extortion group.
Two sides of the same coin
This week, BleepingComputer has confirmed that both TommyLeaks and the SchoolBoys Ransomware Gang are, in fact, the same extortion group.
In a SchoolBoys negotiation chat shared with BleepingComputer, the threat actors greet their victim as “TommyLeaks” in their attempts to coerce a ransom payment.
Earlier this year, AdvIntel CEO Vitali Kremez told BleepingComputer that Karakurt was part of the Conti cybercrime syndicate.
When Conti’s ransomware encryptor was blocked in attacks, the hackers extorted the victim using the already stolen data under the Karakurt name rather than the Conti brand.
To take it one step further, as the TommyLeaks/SchoolBoys group uses the chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.
While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.