There is an unusual wave of ongoing ransomware attacks that involve data theft by members of The Com. This type of ransomware attack threatens to leak the stolen data publicly but does not involve encryption nor does it require the victim to purchase a decryption key. Corporate victims are simultaneously harassed, which is designed to be emotionally triggering and overwhelming. This ransomware campaign is related to a group that calls itself by a number of names, including "ShinyHunters", or "Scattered Lapsus Hunters", or "Scattered Lapsus Shiny Hunters", or "SLSH". This Com group and their activity are distinct from previous iterations of groups that used the moniker "Shiny Hunters" before 2025.
Some of the harassment attacks include swatting, DDoS attacks, email flooding, SMS flooding, and other forms of harassment, which are typical of Com groups. These groups also notify journalists that they have breached the organization, prompting journalists to contact the organization to fact-check the claim in the midst of the incident. To top it all off, victim organizations receive a ransom note claiming a breach and aggressively demanding money in exchange for not leaking the data to cause further damage. During the negotiation process, the group applies further pressure with harassment and negative PR. A media manipulation campaign has created an information environment that paints them as "very dangerous" and spreads false information intended to skew the victim's decision-making in favor of payment.
We want to reassure corporate victims that there is an end to the madness. The bad news is that the breached data is breached, and no ransom payment or promises by criminals will un-breach it. The focus should now be on mitigation and remediation of that breached data, notifying impacted customers and stakeholders, and coming up with a plan to lessen the impact of that breach going forward. The good news is that the harassment will end.
In this research, we will explain why there is potentially no benefit to paying a ransom demand made by this Com group. Paying provides them with vital information about the value of the stolen dataset, which can be leveraged in future fraud-based operations after this initial ransomware attack is complete. The evidence we have seen to date strongly suggests that they have no intention of deleting the data. This research analyzes a known sextortion playbook in The Com whose manipulative techniques mirror those combined with ransomware demands. The playbook shared amongst Com members describes the tactics exploited by both sextortion groups and ransomware groups, and what it means for corporate victims now.
As the business owner, your decision to pay or not pay a ransom demand from any threat actor group needs to be weighed objectively and deliberately. ShinyHunters rely on the intensity of their emotional manipulation to force you to make a snap decision, within 72 hours, to pay the ransom to stop the harassment. Therefore, we suggest removing their emotionally triggering tactics from the decision and focusing on the objective facts, how the demand is structured, and likely outcomes based on history and their training.
The financial extortion groups active today (such as ShinyHunters) are not innovating new extortion methods. Their tactics align with old sextortion guide techniques: the sequencing, the pressure architecture, the emotional manipulation, and the promises designed only to be broken. The structure is so similar because the threat actors behind it are trained in the same systems that were originally built to control and exploit young victims. This makes their behaviors predictable and their operational structure identifiable.
In the early 2020s, sextortion of young girls became popular in The Com, before it was categorized as terrorism by several governments. This culture initially emerged as a collaboration between pedophiles and youth hacking gangs. One of the better-known groups that grew from this culture was 764.
The goal was to collect information on targets, such as young girls, who have very little Internet footprint, in order to extort them. What resulted was a leap forward in OSINT and hacking techniques against more complex and challenging targets, and advances in sophisticated psychological manipulation. The sextortion guides memorialize the "state of the art" of this time period.
The actors who evaded arrest formed deep social bonds, pivoted their knowledge to new targets, and became the tight-knit groups that operate at the highest levels of The Com today. The hackers and group members deploying these child sextortion tactics in The Com are either violent pedophiles themselves, or have received mentorship from or work closely with violent pedophiles.
Because these groups use the same strategy outlined in the child sextortion playbooks, the outcome is clear: there is no intention to delete data once the victim "complies." The sextortion model is fundamentally built on retaining damaging materials, leveraging them repeatedly, and escalating when compliance is demonstrated. Nothing in their training encourages letting a victim go.
By learning these hidden criminal tactics, you will understand your adversary's training and goals, and you can incorporate counter-narratives to oppose this threat.
CONTENT WARNING: The language in selected screenshots is disturbing.
A basic overview of the strategy
This is extortion 101. Every extortion guide starts out with the same recommended guidance, such as collecting public or private information on the victim, including at least one piece of damaging information. Next, threaten to release that damaging information and continue to apply pressure and harass the victim in order to force an action.
While the concept of extortion is not unique to The Com, behaviors indicative of The Com are the diversity of threats issued, overwhelming the victim, and the heavy reliance on threats and harassment unrelated to the damaging information. The intent is to apply pressure not just based on the damaging information but also fear of continued consequences.
This is highly effective on young children, but it should not have the same level of success with a corporation. Many strategies employed by Com ransomware groups like ShinyHunters would seem like odd choices that reduce the likelihood of payment, if not for the context that these playbooks were originally developed for minors, not companies.
"First Impressions are Everything": Com actors believe that the initial overwhelm and traumatization of the victim is a key requirement to a successful extortion
This strategy to "overwhelm" is deployed against a corporation through these threat actors notifying many journalists at once of the situation, sending a complaint to regulators, sharing an announcement in a criminal channel monitored by threat researchers, sending threats to employees and the executives' families, swatting the corporate HQ, flooding email inboxes, and DDoSing corporate sites for good measure. Though this is highly disruptive, it should not be an effective or motivating reason to comply with the ransom demands.
Com threat actors believe that harm equates to motivation for a company to pay a ransom, so they will escalate that harm as much as possible, including to the level of terrorism, to motivate a corporate victim to comply. An example of these types of harm threats would be an incident where ShinyHunters posted lists of federal employees and threatened to murder them. Since Com threat actors focus on maximizing harm, they often don't consider how certain threats would not support a corporation's decision to pay—or sometimes even rule out the decision to pay completely.
A framework to manage extortion victims at scale
The sextortion guide provides a conceptual framework to better understand the resource allocation problems faced by Com ransom groups. They do not have unlimited resources and must optimize their time to focus on victims who have the potential to pay. Punishing a victim who has no potential to pay takes away time from other victims who do.
Note how the process described in section C implies a decision tree that only ends when victims refuse to continue complying. The inverse is also true: a victim’s compliance traps them in an infinite loop and subjects them to further harm and demands. This is a key piece of information as to why paying the ransom demand of Com actors does not support an outcome where these threat actors then stop their continued demands and harassment. The culture of extortion in The Com was designed for re-extorting compliant victims, not to let them go.
This framework also suggests that extending the duration of ransomware negotiation may also be hazardous. The pressure campaign during negotiation may be traumatizing to employees, executives, and their family members. It may also generate continued negative PR for the company as these groups leverage their journalist contacts for additional pressure while the negotiations are drawn out. To minimize damage, our recommendation would be to not deploy drawn-out negotiation tactics against the attack. Ongoing negotiations signal to the threat actors that you are still an engaged and compliant victim—as noted above—and incentivize these threat actors to increase the level of harm and risk, which could extend to the physical safety of employees and their families.
The optimal strategy for victims is to do what they can to move from PENDING to FAILED in the threat actors' decision tree playbook as quickly as possible.
Members of The Com are mostly young males, mostly between 14 and 26 years old. Some come from broken homes or struggle with severe mental health issues and debilitating personality disorders that make it difficult to integrate into society—often leading to ostracization in their local communities. Moreover, frequent drug abuse among members of The Com makes their behavior even more erratic. It's common for groups in The Com to instigate feuds and drama between group members, leading to lying, betrayals, credibility-destroying behavior, backstabbing, and sabotage. With this type of ongoing dysfunction, these threat actors aren't able to act with the core goal in mind of completing a successful, strategic ransom operation. They continually lose control with outbursts that put their strategy and operational security at risk. This severely limits their ability to build a professional and scalable criminal organization network for continued successful ransoms—unlike other more tenured and sophisticated criminal organizations focused on ransomware alone.
We have not yet seen any Com guides discussing how to build credibility with their victims, which suggests that they either deprioritize the concept or are unable to grasp it, even though credibility would create the right circumstances for a more successful ransomware outcome. Com ransomware groups have largely not followed in the footsteps of the older Russian ransomware groups, who build a "brand name" and reputation and demonstrate consistent behavior so victims have confidence that the criminal organization will keep their word and the victims will receive what they are promised in exchange for paying the ransom.
In light of that, consider the victim's dilemma. Against an untrustworthy actor, a deal only makes sense if the victim has credible assurances that, if they pay, the criminal group will keep their word on their own proposed terms. In contrast, almost all Com ransom activity is structured in a way that places a large amount of trust in the extorter, and there are no assurances they will keep their promise.
This is a very strong signal to victims that paying the ransom is pointless.
However, though we rarely see The Com act in a genuinely trustworthy way, we do see the guide share additional guidance on how to continue the manipulation by offering false hope around "trust."
"How can I trust you?" "Because I will hurt you." This argument works against young children, but as a corporation, this type of language and threat tactic should tip a company off that they are dealing with an attacker in The Com or with ties to or guidance from The Com. This should help inform your ransomware mitigation strategy.
These Com sextortion guides offer a shallow understanding of trust to support manipulation tactics aimed at young girls. At various points this guide suggests building trust by making small talk, pretending to show interest, and saying the word "trust" repeatedly. As the guides place a heavy focus on emotional manipulation, this correlates with their current ransomware tactics of triggering an emotional frenzy for corporate victims, rather than offering rational value propositions to pay the ransom.
Sextorters seek to send damaging information to authority figures in the victims' life
Ransomware from earlier groups was often structured as encryption malware that mostly stayed on the affected machine, with a decryption key sold back to the victim. In contrast, a ransom from a Com group is often structured the same as the violent sextortion schemes against minors that are outlined here. Members of The Com will steal damaging information, threaten to release it, and "promise" to delete it if the victim complies, without any guarantee or technical proof point that they will keep their word.
As the structure of this scheme is to repeatedly extort minors, it is designed to obtain more damaging materials through never-ending rounds of extortion. If The Com uses the same tactics against a company, what proof is there that the data will be deleted after the company gives them significant leverage by proving the true value of the data with a payment? If a company pays, what is the plan to deal with the permanent uncertainty they are stuck with after the promised deletion?
Read this entire passage to learn the strategy that suckered media and bloggers for months
This repeated tasking over time to psychologically enslave young girls closely resembles what ShinyHunters has done to the media and bloggers. Because social media is critical to their operations, members of The Com continue to maintain an online presence, despite frequent bans from those platforms. When ShinyHunters had no substantial criminal attack or breach to announce, they published public death threats against law enforcement, journalists, and cybercrime industry professionals to keep the industry engaged. Due to this level of constant engagement, when ShinyHunters had a substantial announcement, their message was immediately amplified. As outlined in these guides, the intention is to prevent too much time from passing between issuing violent threats, as they want to ingrain the habit of constant monitoring.
Though their posts range from unfounded to outlandish, the strategy works. This brainwashing campaign creates an inflated view of ShinyHunters, their abilities, and their true value proposition to victims. Public reporting continuously reinforces their reputation of being "extremely" dangerous.
Manipulation of the public conversation has not only misinformed victims but has also created undue pressure to pay these ransom demands. Because their ransom demands are fundamentally flawed and the promises to delete the data are untrustworthy, ShinyHunters rely on humiliation to drive their victims to payment.
For victims hit by ransom groups from The Com, Unit 221B offers the following recommendations.
Disclaimer: this is not a recommendation for all ransomware groups and groups not associated with The Com. Please also note that every business has to make an informed decision given the information available to them as every incident is unique. This information is provided for general knowledge purposes only and does not constitute legal advice.
For our peers in the industry, we have the following notes: