ShinySp1d3r Ransomware – New Threat Emerges
New Ransomware: ShinySp1d3r
A newly discovered ransomware operation known as ShinySp1d3r has emerged from threat actors connected to two well-known extortion collectives — ShinyHunters and Scattered Spider.
Unlike many other ransomware groups that rely on leaked source code from established operations such as LockBit or Babuk, the developers behind ShinySp1d3r are reportedly building their encryptor entirely from the ground up. This marks a notable shift for these threat actors, who have historically leveraged encryptors from other ransomware gangs — including ALPHV/BlackCat, Qilin, RansomHub, and DragonForce — to carry out their attacks.
The collective behind this new operation appears to be a merger of three notorious cybercriminal groups: Scattered Spider, Lapsus$, and ShinyHunters. They have been referring to themselves as "Scattered Lapsus$ Hunters," drawing on the names of all three organizations. The group first gained attention through a Telegram channel where members were seen attempting to extort victims from high-profile companies, including Salesforce and Jaguar Land Rover (JLR), following apparent data theft incidents.
An early development build of the ShinySp1d3r ransomware-as-a-service (RaaS) platform was identified after samples were uploaded to VirusTotal, allowing security researchers to begin analyzing the encryptor's capabilities and structure. Multiple subsequent uploads have further enabled deeper examination of the malware.
It is worth noting that while early screenshots and materials reference the name as 'Sh1nySp1d3r,' the operation is officially being branded as ShinySp1d3r, with the naming expected to be corrected in future builds of the platform.
The platform is being designed not only for direct use by the group's own members but also to support a broader affiliate model, allowing other cybercriminals to deploy the ransomware as part of an expanding extortion ecosystem.
The ShinySp1d3r ransomware is an intriguing and sophisticated piece of malware, with various capabilities that set it apart from typical ransomware operations.
Recent findings shared by Coveware, a leading firm in ransomware recovery, highlight several noteworthy functionalities:
Among its distinct features is a hook on the EtwEventWrite API, which suppresses Event Tracing for Windows (ETW) logging so that the encryptor's activity does not reach the Windows Event Viewer, helping it cover its tracks.
Additionally, the ransomware can identify and terminate processes that maintain open files. It utilizes a methodical process-checking approach to eliminate these barriers, alongside a "forcekillusingrestartmanager" feature intended for future use, although it remains unimplemented currently.
A significant tactic employed by ShinySp1d3r is the saturation of available disk space through the generation of random data in files named "wipe-[random].tmp." This action aims to overwrite previously deleted files, complicating any potential recovery efforts.
Furthermore, it explicitly terminates a predefined list of critical processes and services so that they cannot interfere with the attack.
In terms of memory usage, ShinySp1d3r monitors available memory resources to optimize data processing during file encryption.
Propagation across local networks is another critical capability, executed through various methods, including:
- deployviascm – initiating a service to execute the ransomware.
- deployviawmi – launching the malware using WMI's win32_process.create.
- attemptgpodeployment – generating a GPO startup script in scripts.ini for execution.
ShinySp1d3r also incorporates anti-analysis techniques, ensuring that memory buffers are overwritten to thwart forensic examinations.
Moreover, it actively deletes shadow volume copies, preventing any restoration attempts of compromised files.
The ransomware seeks out network shares with open access, further escalating its reach and impact.
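The behaviours listed above (disk filling with wipe-[random].tmp files, service-based and WMI-based deployment, a GPO startup script written to scripts.ini, and shadow copy deletion) each leave a footprint in endpoint telemetry. The following is an added defensive example, not code from the article or from the malware: a small rule set run over constructed, Sysmon-like events. The event shape (a flat dict with event, image, parent_image, target and command_line keys), the assumption that processes launched through Win32_Process.Create appear as children of WmiPrvSE.exe, and the sample paths are all assumptions made for this example.

```python
"""Heuristic detection of the ShinySp1d3r behaviours described in the article,
run over constructed sample events. Added example: the event layout is an
assumption loosely modelled on Sysmon fields, and the rules are written from
the article's description of the capabilities, not from the malware's code."""
import re
from collections import Counter

# Sample telemetry, constructed for this example (not captured from an incident).
SAMPLE_EVENTS = [
    {"event": "FileCreate", "image": r"C:\Users\alice\AppData\Local\Temp\enc.exe",
     "target": r"D:\data\wipe-8f3a1c9e.tmp"},
    {"event": "FileCreate", "image": r"C:\Users\alice\AppData\Local\Temp\enc.exe",
     "target": r"D:\data\wipe-02bd77aa.tmp"},
    {"event": "FileCreate", "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
    {"event": "FileWrite", "image": r"C:\Users\alice\AppData\Local\Temp\enc.exe",
     "target": r"\\corp.example\SYSVOL\corp.example\Policies\{example-gpo-guid}\Machine\Scripts\scripts.ini"},
    {"event": "ProcessCreate", "image": r"C:\Windows\Temp\enc.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": "enc.exe --run"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\Temp\enc.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "ServiceInstall", "image": r"C:\Windows\System32\services.exe",
     "target": r"C:\Windows\Temp\enc.exe", "command_line": "svc-updater"},
]

# wipe-[random].tmp: the article gives no alphabet for [random], so match any name part.
WIPE_TMP = re.compile(r"[\\/]wipe-[^\\/]+\.tmp$", re.IGNORECASE)
# GPO startup script written under SYSVOL\...\Scripts\scripts.ini.
SCRIPTS_INI = re.compile(r"\\SYSVOL\\.*\\Scripts\\scripts\.ini$", re.IGNORECASE)
# Shadow volume copy deletion via vssadmin (one common way; others exist).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def classify(ev):
    """Return the list of rule names that fire for a single event."""
    hits = []
    target = ev.get("target", "")
    if ev["event"] == "FileCreate" and WIPE_TMP.search(target):
        hits.append("disk_fill_wipe_tmp")
    if ev["event"] in ("FileCreate", "FileWrite") and SCRIPTS_INI.search(target):
        hits.append("gpo_startup_script_write")
    if ev["event"] == "ProcessCreate":
        parent = ev.get("parent_image", "").lower()
        # Assumption: Win32_Process.Create launches show WmiPrvSE.exe as parent.
        if parent.endswith("\\wmiprvse.exe"):
            hits.append("wmi_spawned_process")
        if SHADOW_DELETE.search(ev.get("command_line", "")):
            hits.append("shadow_copy_deletion")
    if ev["event"] == "ServiceInstall":
        binary = target.lower()
        # A service whose binary lives in a Temp directory is a deploy-via-SCM signal.
        if binary.endswith(".exe") and "\\temp\\" in binary:
            hits.append("service_install_from_temp")
    return hits


def score_host(events, wipe_burst=2):
    """Aggregate rule hits for one host. A single benign vssadmin run or one
    stray .tmp file should not page anyone, so the disk-fill rule needs a burst
    and an alert requires at least two distinct capability families."""
    counts = Counter()
    for ev in events:
        counts.update(classify(ev))
    families = set(counts)
    if counts["disk_fill_wipe_tmp"] < wipe_burst:
        families.discard("disk_fill_wipe_tmp")
    return {"counts": dict(counts), "families": sorted(families),
            "alert": len(families) >= 2}


if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```

The burst threshold and the two-family requirement are the tunable parts: in a real deployment the rules would be fed from the EDR's own event schema, and the scripts.ini write in particular deserves a high-severity alert on its own because it affects every machine in the GPO's scope.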
When it comes to file encryption, ShinySp1d3r employs the ChaCha20 encryption algorithm, safeguarding the private key with RSA-2048. Each file is marked with a distinct extension, reportedly derived from a mathematical computation, although the specifics of this system remain somewhat vague.
Every encrypted file carries a header that starts with "spdr" and ends with "ends". This header holds essential details about the encrypted file, including the original filename, an encrypted private key, and other metadata.
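During incident response, the fixed "spdr" ... "ends" framing is enough to inventory which files were touched without knowing the full header layout. The following is an added example, not code from the article or from any analysis tool it cites: a scanner that walks a directory tree, carves the raw header from files that begin with the marker, and tallies them by extension. The field layout between the markers, the 64 KiB search bound, the ".a1b2" extension and the file contents in the constructed sample are all assumptions for this example.

```python
"""Triage scanner for files carrying the ShinySp1d3r-style header described in
the article. Added example: only the "spdr" ... "ends" framing comes from the
article; the layout of the fields between the markers is not documented here,
so the scanner carves the raw header and reports its size without decoding it."""
import tempfile
from collections import Counter
from pathlib import Path

MAGIC_START = b"spdr"
MAGIC_END = b"ends"
MAX_HEADER = 64 * 1024  # assumption: bound the search so large files are not read in full


def carve_header(path):
    """Return the bytes between the two markers (exclusive), or None when the
    file does not start with "spdr" or no "ends" occurs within MAX_HEADER."""
    with open(path, "rb") as fh:
        chunk = fh.read(MAX_HEADER)
    if not chunk.startswith(MAGIC_START):
        return None
    end = chunk.find(MAGIC_END, len(MAGIC_START))
    if end == -1:
        return None
    return chunk[len(MAGIC_START):end]


def scan_tree(root):
    """Walk a directory tree and summarise files that carry the header,
    grouped by the extension the encryptor appended."""
    hits, by_ext = [], Counter()
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        header = carve_header(path)
        if header is None:
            continue
        hits.append((str(path), len(header)))
        by_ext[path.suffix or "<none>"] += 1
    return {"files": hits, "by_extension": dict(by_ext)}


def build_constructed_sample(root):
    """Write constructed test files: two that mimic the marker framing, one clean
    file, and one truncated file with no terminator. The bytes between the
    markers are placeholders, not the real field layout."""
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    (root / "report.docx.a1b2").write_bytes(
        MAGIC_START + b"report.docx\x00" + b"K" * 256 + MAGIC_END + b"\x13" * 64)
    (root / "sub" / "db.bak.a1b2").write_bytes(
        MAGIC_START + b"db.bak\x00" + b"K" * 256 + MAGIC_END + b"\x37" * 64)
    (root / "readme.txt").write_bytes(b"plain text, untouched")
    (root / "truncated.a1b2").write_bytes(MAGIC_START + b"x" * 16)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        print(scan_tree(tmp))
```

Because the scanner reads only the first 64 KiB of each file and never writes, it is safe to run against a mounted forensic image; the extension tally also gives an early answer to whether a single build (one extension) or several were used across the estate.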
Ransom Note Details and Tactics
A ransom note is placed in every folder across the compromised device, containing detailed instructions regarding the fate of the victim's files, guidance on how ransom negotiations are to be conducted, and a Tox address designated for direct communication with the threat actors.
Embedded within the note is a link pointing to a Tor-based data leak site, though at this stage the onion URL present appears to be a non-functional placeholder, suggesting the infrastructure may still be under development or preparation.
The note opens with a formal tone, stating that the message has been issued on behalf of the ShinySp1d3r group and is directed specifically toward internal incident response teams, technical leadership, or any externally appointed advisors handling the situation.
The attackers describe the event as a "critical encryption event" that has taken place within the victim's infrastructure, noting that certain digital assets have been rendered inaccessible and that selected data has been quietly duplicated and secured on their end.
Rather than framing the communication as an act of aggression, the group positions the message as an opportunity, claiming their intent is not to cause disruption but to offer the affected organization a confidential and efficient path toward fully resolving the incident on a permanent basis.
This carefully crafted, professional-sounding language is consistent with tactics commonly observed among sophisticated ransomware operators, who often adopt a businesslike tone in ransom notes in an effort to encourage victims to engage in negotiations rather than pursue alternative remediation strategies.
A countdown of three days is given to victims to initiate contact and begin negotiations, after which the attack details and stolen data will be publicly disclosed on the group's dedicated leak site.
Beyond the written ransom demand, the threat actors have also incorporated a visual intimidation tactic by automatically replacing the victim's Windows desktop wallpaper with a warning message. This modified wallpaper serves as an immediate visual alert, notifying the victim of the encryption event and directing them to locate and review the ransom note for further instructions.
BleepingComputer has recently uncovered that ShinyHunters has developed a Windows encryptor for their new Ransomware-as-a-Service (RaaS) known as ShinySp1d3r.
The team behind ShinyHunters is in the process of fine-tuning a Command-Line Interface (CLI) version and is nearing completion of builds for Linux and ESXi.
Additionally, they are working on a special "lightning version" designed for enhanced speed.
"We're also focused on a lightning version in pure assembly, similar to LockBit Green, which will serve as another Windows locker variant but built in pure assembly and quite straightforward," ShinyHunters shared with BleepingComputer.
Being a debug version, it's expected that more features will be integrated as the ransomware continues to evolve.
ShinyHunters revealed that their RaaS initiative will operate under the banner of Scattered Lapsus$ Hunters (SLH).
"While I/us will lead this project under the name 'ShinyHunters', the operational side will fall under the Scattered Lapsus$ Hunters brand, which is reflected in the name ShinySp1d3r to signify the partnership between these entities," they elaborated.
Interestingly, ShinyHunters claims that their ransomware will not target businesses within the healthcare sector—this includes pharmaceutical companies, hospitals, clinics, and insurance organizations.
However, it's worth noting that BleepingComputer has heard similar assertions from other ransomware groups in the past, only to see those policies later disregarded.
As is common practice among ransomware operations, ShinyHunters stated that attacks against Russia and other countries in the Commonwealth of Independent States (CIS) will be off-limits, to avoid drawing attention to their affiliates operating in those areas.
Update (11/19/25): the ransom note text varies from one encryptor build to the next.
Why People Need VPN Services to Unblock Porn
People often turn to VPN services to unblock porn due to geo-restrictions, privacy concerns, and internet censorship imposed by governments or ISPs in various regions, making it difficult to freely access adult content online. By masking their IP address and encrypting their internet traffic, VPN users can securely bypass these barriers and browse without being monitored or throttled. Porn unblocked refers to the ability to freely access adult content that would otherwise be restricted, achieved through tools like VPNs that allow users to connect through servers in countries where such content is legally and openly available.
Why Choose SafeShell VPN to Access Adult Content
If you seek to unblock porn sites and access region-restricted adult content, SafeShell VPN is an excellent option to consider. This service not only provides reliable access to blocked content but also prioritizes your online privacy, ensuring your browsing remains confidential and secure. With a diverse array of servers worldwide, users can seamlessly traverse geo-restrictions, granting them the freedom to explore what they want without limitations.
Beyond just unblocking porn sites, SafeShell VPN comes packed with additional benefits that enhance your online experience. Its state-of-the-art ShellGuard protocol guarantees superior security, protecting your sensitive information from prying eyes and potential threats. Moreover, with lightning-fast speeds, users can stream high-definition content without any lag. The innovative App Mode feature makes it even easier to access various adult services from multiple regions, while multi-device support ensures that all of your gadgets are safeguarded simultaneously. With SafeShell VPN, you can enjoy comprehensive protection alongside unrestricted access to your desired content.
How to Use SafeShell VPN to Unlock Porn Sites
Here is a step-by-step guide on how to use SafeShell VPN to watch adult content from any region:
- Begin by heading over to the official SafeShell VPN website and signing up for a subscription plan that best suits your browsing needs and budget.
- Once you have completed the registration process, proceed to download and install the SafeShell VPN application onto your preferred device, whether it be a smartphone, tablet, or computer.
- After launching the application, navigate to the settings and activate App Mode, which allows you to maximize your access capabilities and enjoy a more flexible browsing experience.
- Next, browse through the extensive list of global servers available within SafeShell VPN and select a server location that corresponds to the region whose adult content you wish to access.
- With your server connection established, SafeShell VPN will encrypt your internet traffic and mask your real IP address, ensuring that your identity remains completely anonymous and protected throughout your session.
- You can now freely explore and stream adult content from virtually any region around the world without encountering geographical restrictions, all while enjoying the peace of mind that comes with SafeShell VPN's robust privacy and security features keeping your personal information safe at all times.