multiple personalities

TommyLeaks and SchoolBoys: Two sides of the same ransomware gang

Two new extortion gangs named ‘TommyLeaks’ and ‘SchoolBoys’ are targeting companies worldwide. However, there is a catch — they are both the same ransomware gang.

Last month, security researcher MalwareHunterTeam tweeted about a new extortion gang known as ‘TommyLeaks.’

This hacking group claims to breach corporate networks, steal data, and demand a ransom not to leak data. Ransom demands seen by BleepingComputer range from $400,000 to $700,000.

TommyLeaks ransom note

TommyLeaks ransom note
Source: BleepingComputer

In October, MalwareHunterTeam discovered another new extortion gang named ‘SchoolBoys Ransomware Gang’ that claims to steal data and encrypt victims’ devices as part of their attacks.

SchoolBoys Ransomware Gang ransom note

SchoolBoys ransomware using LockBit’s encryptor
Source: BleepingComputer

BleepingComputer later found a sample of the SchoolBoys ransomware encryptor [VirusTotal] and confirmed it was created using the leaked LockBit 3.0 builder.

SchoolBoys ransomware using LockBit's encryptor

SchoolBoys ransomware using LockBit’s encryptor
Source: BleepingComputer

The threat actors steal data during their attacks but do not have a known public data leak site at this time.

While there was nothing linking the groups at the time, they both used the same Tor chat system for their negotiation sites.

SchoolBoy's Ransomware Gang negotiation siteTommyLeaks negotiation site

SchoolBoy’s Ransomware Gang & TommyLeaks negotiation site

Even more curious, this same chat system has only been used before by the Karakurt extortion group.

Two sides of the same coin

This week, BleepingComputer has confirmed that both TommyLeaks and the SchoolBoys Ransomware Gang are, in fact, the same extortion group.

In a SchoolBoys negotiation chat shared with BleepingComputer, the threat actors greet their victim as “TommyLeaks” in their attempts to coerce a ransom payment.

While it is unclear why they are utilizing two different names as part of their operation, they may be trying a similar approach to that taken by Conti and Karakurt.

Earlier this year, AdvIntel CEO Vitali Kremez told BleepingComputer that Karakurt was part of the Conti cybercrime syndicate.

When Conti’s ransomware encryptor was blocked in attacks, the hackers extorted the victim using the already stolen data under the Karakurt name rather than the Conti brand.

To take it one step further, as the TommyLeaks/SchoolBoys group uses the chat system as Karakurt, we may be seeing a rebrand of the Conti offshoot into these newer brands.

While it is too soon to tell if this is what is occurring, the extortion group is one that enterprises need to keep an eye on as they are targeting entities of all sizes.

Leave a Comment

Your email address will not be published.