Original Article Text


Meet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters

An in-development build of the upcoming ShinySp1d3r ransomware-as-a-service platform has surfaced, offering a preview of the upcoming extortion operation.

ShinySp1d3r is the name of an emerging RaaS created by threat actors associated with the ShinyHunters and Scattered Spider extortion groups. These threat actors have traditionally used other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce, but are now creating their own operation so that they and their affiliates can deploy attacks themselves.

News of the upcoming RaaS first came to light on a Telegram channel, where threat actors calling themselves "Scattered Lapsus$ Hunters," after the names of the three gangs forming the collective (Scattered Spider, Lapsus$, and ShinyHunters), were attempting to extort victims of data theft at Salesforce and Jaguar Land Rover (JLR).

The ShinySp1d3r encryptor

BleepingComputer discovered a sample of ShinySp1d3r after it was uploaded to VirusTotal. Since then, additional samples have been uploaded, allowing researchers to analyze the upcoming ransomware encryptor.

Note: While some of our images show the name as 'Sh1nySp1d3r,' BleepingComputer has been told that the RaaS is operating under ShinySp1d3r and the name will be changed in future builds.

The encryptor is developed by the ShinyHunters extortion group, which is building it from scratch rather than utilizing a previously leaked codebase like LockBit or Babuk. As a result, the ShinySp1d3r Windows encryptor offers many features, some common to other encryptors and others not seen before.

According to analysis shared with BleepingComputer by analysts at ransomware recovery firm Coveware, these features include:

When encrypting files, the ransomware uses the ChaCha20 encryption algorithm with the private key protected using RSA-2048. Each file will have its own unique extension, as shown in the folder below, which ShinyHunters claimed to BleepingComputer is based on a mathematical formula.

Each encrypted file contains a file header that begins with SPDR and ends with ENDS, as shown in the image below. This header contains information about the encrypted file, including the filename, the encrypted private key, and other metadata.

Every folder on the encrypted device will contain a ransom note, currently hardcoded to R3ADME_1Vks5fYe.txt, that includes information on what happened to a victim's files, how to negotiate the ransom, and a TOX address for communications. The ransom note also includes a link to the Tor data leak site, but currently has a placeholder onion URL that is not valid.

"This communication has been issued on behalf of the ShinySp1d3r group. It is intended exclusively for internal incident response personnel, technical leadership, or designated external advisors," begins the ransom note. "A critical encryption event has taken place within your infrastructure. Certain digital assets have become inaccessible, and selected data was securely mirrored. The goal of this message is not disruption, but to provide your team with a confidential opportunity to resolve the situation efficiently and permanently."

The ransom note goes on to say that victims have three days to begin negotiations before the attack is made public on the data leak site.

In addition to the ransom notes, the encryptor will also set a Windows wallpaper that warns the victim of what happened and urges them to read the ransom note.

While BleepingComputer only obtained the Windows encryptor, ShinyHunters says they have completed a CLI build with runtime configuration and are close to finishing versions for Linux and ESXi. They also said that a separate "lightning version" is in development, optimized for speed.
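A defender-side triage helper for the two on-disk indicators the article describes, added here as an example (it is not code from the article, BleepingComputer, Coveware or the ransomware): it walks a directory tree and reports files that carry the SPDR ... ENDS header and folders that hold the hardcoded R3ADME_1Vks5fYe.txt note. The page does not document the header layout between the two markers, so only the markers are checked; the 4 KiB scan window, the function names and the constructed sample tree are assumptions.

```python
"""Triage for the ShinySp1d3r indicators named in the article (added example,
not the article's or the ransomware's code). Walks a tree and reports files
carrying the SPDR ... ENDS header and folders holding the ransom note name.
Only the two markers are checked, since the header layout between them is
not on the page; scan window and sample files are assumptions."""
import os
import tempfile

HEADER_START = b"SPDR"  # marker at the start of an encrypted file (from the article)
HEADER_END = b"ENDS"  # marker closing the file header (from the article)
RANSOM_NOTE = "R3ADME_1Vks5fYe.txt"  # hardcoded ransom note name (from the article)
SCAN_BYTES = 4096  # assumption: the header fits in the first 4 KiB


def looks_encrypted(path):
    """True if the file starts with SPDR and an ENDS marker follows within the window."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(SCAN_BYTES)
    except OSError:
        return False
    return head.startswith(HEADER_START) and HEADER_END in head[len(HEADER_START):]


def triage(root):
    """Return {'encrypted_files': [...], 'note_dirs': [...]} for the tree under root."""
    result = {"encrypted_files": [], "note_dirs": []}
    for dirpath, _dirs, files in os.walk(root):
        if RANSOM_NOTE in files:
            result["note_dirs"].append(dirpath)
        for name in files:
            if name != RANSOM_NOTE and looks_encrypted(os.path.join(dirpath, name)):
                result["encrypted_files"].append(os.path.join(dirpath, name))
    return result


def demo():
    """Build a constructed sample tree (all contents made up) and triage it."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "docs")
    os.makedirs(sub)
    with open(os.path.join(sub, "report.docx.x7q"), "wb") as fh:  # fake encrypted file
        fh.write(HEADER_START + b"report.docx\x00<enc-key-bytes>" + HEADER_END + b"\x11" * 64)
    with open(os.path.join(sub, RANSOM_NOTE), "w") as fh:  # fake ransom note
        fh.write("placeholder note text\n")
    with open(os.path.join(root, "clean.txt"), "w") as fh:  # untouched file
        fh.write("hello\n")
    found = triage(root)
    return len(found["encrypted_files"]), len(found["note_dirs"])
```

Running `triage()` against a share or endpoint image gives incident responders a quick count of affected files and note locations to scope an incident; it is a marker check, not a decryptor.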
"We're also working on a 'lightning version' pure ASM, it's like lockbit green - another windows locker variant but in pure assembly and it's pretty simple," ShinyHunters told BleepingComputer.

As this is a debug build of an in-development ransomware, we will likely see additional features added in the future.

As for the RaaS operation itself, ShinyHunters says it will be run by their group under the Scattered LAPSUS$ Hunters name.

"Yes, it will be led by me/us 'ShinyHunters' but operated under the Scattered LAPSUS$ Hunters (SLH) brand, hence the name ShinySp1d3r, to demonstrate the 'alliance' or 'cooperation' between these groups," ShinyHunters told BleepingComputer.

The threat actor also claims that any company in the healthcare sector, including pharmaceutical companies, hospitals, clinics, and insurance firms, cannot be targeted with their encryptor. However, BleepingComputer has been told this by other ransomware gangs in the past, many of whom later allowed those policies to be violated.

Similar to other ransomware operations, ShinyHunters says attacks against Russia and other CIS countries are prohibited, as many affiliates will come from those regions and could become targets of law enforcement.

Daily Brief Summary

CYBERCRIME // ShinySp1d3r Ransomware-as-a-Service Emerges from ShinyHunters Group

ShinyHunters, in collaboration with Scattered Spider, has developed ShinySp1d3r, a new ransomware-as-a-service platform, marking a shift from using third-party encryptors to deploying their own.

The emerging RaaS was first revealed on a Telegram channel, where the group was attempting to extort victims of the Salesforce and Jaguar Land Rover data thefts.

ShinySp1d3r uses the ChaCha20 encryption algorithm, with RSA-2048 protecting private keys, and features unique file extensions and metadata headers.

Each encrypted device will display a ransom note and a customized Windows wallpaper, urging victims to negotiate within three days to avoid public exposure.

ShinyHunters is developing versions for Linux and ESXi, alongside a "lightning version" optimized for speed, indicating ongoing enhancements to their ransomware toolkit.

The group claims healthcare entities are off-limits, although past ransomware gangs have not adhered to such promises, raising skepticism about enforcement.

Operations will exclude attacks on Russia and CIS countries, likely to avoid legal repercussions for affiliates in those regions.