Ethical Hacking News
ShinySp1d3r, a new ransomware-as-a-service (RaaS) platform, has emerged, posing a significant risk to individuals and organizations worldwide. This RaaS boasts advanced features, including its own encryption routine and propagation mechanisms, making it a serious threat to cybersecurity. Stay vigilant and take proactive measures to protect yourself from potential attacks.
A new ransomware-as-a-service (RaaS) platform called ShinySp1d3r has emerged, posing a significant risk to individuals and organizations worldwide. The RaaS is the brainchild of threat actors affiliated with the ShinyHunters and Scattered Spider extortion groups. ShinySp1d3r boasts advanced features, including encryption algorithms and propagation mechanisms. The ransomware includes a customizable ransom note and a TOX address for communications. The attackers claim that attacks against Russia and other CIS countries are prohibited, but there is no guarantee they will adhere to this rule.
November 19, 2025 - In a significant development in the realm of cybersecurity threats, a new ransomware-as-a-service (RaaS) platform has emerged, posing a substantial risk to individuals and organizations worldwide. Dubbed ShinySp1d3r, this RaaS is the brainchild of threat actors affiliated with the ShinyHunters and Scattered Spider extortion groups.
The emergence of ShinySp1d3r marks a significant shift in the tactics, techniques, and procedures (TTPs) employed by these groups. Traditionally, they have relied on other ransomware gangs' encryptors to carry out attacks. With ShinySp1d3r, however, they are taking a bold step towards running their own operation, complete with its own encryption algorithm and propagation mechanisms.
A sample of the ShinySp1d3r Windows encryptor was recently uploaded to VirusTotal, allowing researchers to analyze its features and capabilities. According to analysis shared by Coveware, this RaaS boasts several advanced features, including:
- Hooking the EtwEventWrite function to prevent data from being logged to the Windows Event Viewer.
- Killing processes that keep a file open and would otherwise prevent it from being encrypted, by iterating over the processes holding a handle to the file and terminating them. The encryptor also has a 'forceKillUsingRestartManager' function that uses the Restart Manager API, but it is not implemented yet.
- Filling free space on a drive by writing random data into files called 'wipe-[random].tmp'. This is done to overwrite any deleted files, making them more challenging, if not impossible, to recover.
- Killing a hard-coded list of processes and services.
- Checking available memory to calculate the optimal amount of data to read at a time.
- Propagating to other devices on the local network through one of three methods: deployment via SCM (creating a service to run the malware), deployment via WMI (running the malware through Win32_Process.Create), or attempted GPO deployment (adding a GPO startup script to scripts.ini to run the malware).
- Anti-analysis features, including overwriting the contents of a memory buffer to hinder forensic analysis.
- Deleting Shadow Volume Copies to prevent them from being used to restore encrypted files.
- Searching for hosts with open network shares and attempting to encrypt them.
- Encrypting files with different chunk sizes and offsets. It is unclear why it does that, or whether this information is stored in an encrypted file header (more about that later).
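Several of the behaviours listed above leave host-level traces a defender can alert on: a burst of 'wipe-*.tmp' file creations, the hardcoded ransom note name, writes to a GPO scripts.ini, and shadow copy deletion. The following is an added example (not code from the article or from the malware analysis) that runs simple detection rules over constructed Sysmon-style file-create and process-create events; the shadow-copy command patterns and the SYSVOL path are assumptions, since the article does not state the exact method used.

```python
import re
from collections import Counter

# Constructed Sysmon-style events for this demo (not telemetry from the page).
# id 1 = process create (cmdline), id 11 = file create (target); PIDs and paths are made up.
SAMPLE_EVENTS = [
    {"id": 11, "pid": 4120, "target": r"D:\wipe-8f3a1c.tmp"},
    {"id": 11, "pid": 4120, "target": r"D:\wipe-0b77e2.tmp"},
    {"id": 11, "pid": 9001, "target": r"C:\Users\bob\AppData\Local\Temp\tmp1A2B.tmp"},  # benign
    {"id": 11, "pid": 4120, "target": r"D:\wipe-c41d09.tmp"},
    {"id": 11, "pid": 4120, "target": r"D:\Finance\R3ADME_1Vks5fYe.txt"},
    {"id": 11, "pid": 4120, "target": r"\\corp.example\SYSVOL\corp.example\Policies\{GUID}\Machine\Scripts\scripts.ini"},
    {"id": 1, "pid": 4188, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "pid": 9002, "cmdline": r"C:\Windows\System32\notepad.exe report.txt"},  # benign
]

RANSOM_NOTE = "R3ADME_1Vks5fYe.txt"   # hardcoded note name reported in the analysis
WIPE_RE = re.compile(r"\\wipe-[^\\]+\.tmp$", re.I)          # free-space filler files
# Assumed shadow-copy deletion commands; the article does not say which method is used.
SHADOW_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
GPO_SCRIPT_RE = re.compile(r"\\SYSVOL\\.*\\scripts\.ini$", re.I)  # GPO startup-script store (assumed path)
WIPE_THRESHOLD = 3  # wipe-*.tmp creates by one process before alerting (tune for your fleet)


def scan_events(events, wipe_threshold=WIPE_THRESHOLD):
    """Return (rule, pid, evidence) tuples for events matching the reported behaviours."""
    alerts = []
    wipe_counts = Counter()
    for ev in events:
        if ev["id"] == 11:
            target = ev.get("target", "")
            if target.lower().endswith("\\" + RANSOM_NOTE.lower()):
                alerts.append(("ransom_note", ev["pid"], target))
            elif WIPE_RE.search(target):
                wipe_counts[ev["pid"]] += 1
                if wipe_counts[ev["pid"]] == wipe_threshold:  # fire once per process
                    alerts.append(("free_space_wipe", ev["pid"], target))
            elif GPO_SCRIPT_RE.search(target):
                alerts.append(("gpo_startup_script", ev["pid"], target))
        elif ev["id"] == 1 and SHADOW_RE.search(ev.get("cmdline", "")):
            alerts.append(("shadow_copy_delete", ev["pid"], ev["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, evidence in scan_events(SAMPLE_EVENTS):
        print(f"{rule:<20} pid={pid} {evidence}")
```

On real telemetry, feed the same dict shape from your EDR or Sysmon pipeline; the wipe-file rule counts per process so a single stray temporary file does not trip it.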
The ShinySp1d3r ransomware also includes a ransom note, currently hardcoded to R3ADME_1Vks5fYe.txt, which contains information on what happened to a victim's files, how to negotiate the ransom, and a TOX address for communications. The note also includes a link to the Tor data leak site, although this is currently a placeholder onion URL that is not valid.
ShinyHunters claims that attacks against Russia and other CIS countries are prohibited, as many affiliates will come from those regions and could become targets of law enforcement. However, it is essential to note that previous ransomware groups have made similar claims before violating them.
In summary, ShinySp1d3r represents a significant threat to cybersecurity as it marks the emergence of a new RaaS platform with advanced features and capabilities. As with any new threat, it is crucial for individuals and organizations to stay vigilant and take proactive measures to protect themselves from potential attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Ransomware-as-a-Service-Emerges-ShinySp1d3r-Threatens-Cybersecurity-ehn.shtml
https://www.bleepingcomputer.com/news/security/meet-shinysp1d3r-new-ransomware-as-a-service-created-by-shinyhunters/
https://en.wikipedia.org/wiki/ShinyHunters
https://www.independent.co.uk/tech/google-data-breach-shinyhunters-cyber-attack-b2821097.html
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
https://en.wikipedia.org/wiki/Scattered_Spider
Published: Wed Nov 19 08:11:59 2025 by llama3.2 3B Q4_K_M