ShinyHunters Goes After Cybersecurity Firm Warning Victims Not to Pay Ransoms

Summary

ShinyHunters has escalated harassment against Unit 221B, a cybersecurity vendor that publicly warned victims to refuse the gang's extortion demands following the Canvas breach affecting millions of students. The group has flooded Unit 221B with spam emails, calls, and text messages threatening violence, while Instructure controversially paid the ransom under an unverifiable "data destruction agreement." Security researchers argue that such payments incentivize further attacks and that the group's promises are unreliable.

Full text

A cybersecurity company says the hacking gang ShinyHunters has tried to censor and cut off its communications after it urged the public to refuse to pay the group's ransom demands. “They want you to forget past behavior that caused victims to stop taking them seriously,” warned Allison Nixon, chief research officer for cybersecurity vendor Unit 221B. “They are also flooding our email to make it more difficult for journalists to reach us.” Nixon posted the message on LinkedIn after ShinyHunters reached a new level of infamy earlier this month for hacking Canvas, an online educational system used by thousands of universities and schools in the US. The hackers posted an extortion note on Canvas claiming they had stolen data from tens of millions of students at nearly 9,000 schools and educational institutions. You May Also Like In response, Canvas developer Instructure made the controversial decision to pay the extortion demand under an “agreement” that the stolen data be deleted. However, the payment is a major win for ShinyHunters and is expected to fuel the group’s hacking efforts. Nixon is urging victims of ShinyHunters to think twice before surrendering to the group’s demands. “They don’t have a convincing argument about why you should pay in the first place,” she told PCMag in an interview. “Their only answer to you is that they will hurt you. But that’s not a rational answer.” (Credit: ShinyHunters) Nixon initially flagged the risks of paying ShinyHunters in February while speaking with cybersecurity journalist Brian Krebs. “ShinyHunters rely on the intensity of their emotional manipulation to force you to make a snap decision, within 72 hours, to pay the ransom to stop the harassment,” Unit 221B added in a blog post warning that the gang uses violent threats to get what they want, along with bombarding victims with email and text messages. Since then, Nixon’s company has been flooded with emails for random account verifications and newsletter signups, likely to drown out legitimate messages to Unit 221B. In February, employees at her company also received anonymous text messages, saying “back off. Fire Allison Nixon otherwise she will bring upon deadly forces targeted toward herself and your random Company.” (Credit: Allison Nixon) ShinyHunters also posted messages in a Telegram chat, saying “A.N will probably back down when she is faced with a threat that is not just a digital threat.”“They also flooded us with calls," Nixon told PCMag. “And these are the people who want corporations to trust them with millions of dollars that they pinky promise not to resume the same data to extort them more.” (Credit: Allison Nixon) Instructure framed its decision to pay as an “agreement” that “returned” the stolen data to the company. But in reality, the company is asking a gang of cybercriminals to keep their promise when they could easily sell or re-abuse the stolen data months or even years from now, Nixon says. The group could also dump their hacker handle for another.“Promises should be understood in the context that most extorters are drug addicts and/or mentally unstable. Ask yourself what matters more to them: their reputation, or more cocaine?” she wrote in her LinkedIn post. In Instructure’s case, the company says it received “digital confirmation of data destruction (shred logs).” However, Nixon says, "It’s completely unprovable” when such logs or videos can be easily faked. Nixon isn’t alone in her concerns about victims falling for the group’s scare tactics. Last Friday, the FBI issued an advisory that warned the ShinyHunters can use “real or exaggerated claims of access to sensitive or personal information to prompt payment from victims," adding, "Threat actors may falsely claim to have sensitive or compromising information, including embarrassing photographs or videos of victims, which frequently do not exist."Instructure didn’t respond to a request for comment about the FBI’s advisory. That said, the company’s investigators uncovered evidence that ShinyHunters did steal data, such as usernames, email addresses, course names, enrollment information, and messages, from affected schools. But Nixon previously pointed out that "paying a criminal group cannot un-breach data or avoid regulatory fines or lawsuits." Instructure is already facing more than a dozen class-action lawsuits for the hack. Dealing With 'Underage Extortionists'“The victims are in an extraordinary position. I don’t mean to criticize anyone who made or didn’t make a payment,” Nixon said. “The fault really lies with the person doing the harm. That lies with these underage extortionists.” Recommended by Our Editors They’re Still Watching: 7 Ways to Avoid Being Hacked a Second Time Flipper Zero Hacks for Beginners: 8 Simple Ways to Use It Right Out of the Box Your Data Was Leaked. Here's What Hackers Hope You Don't Do Next According to Nixon’s research, the hackers behind the group appear to be young men, including teenagers, who’ve taken up the ShinyHunters moniker, a name that's been around since at least 2019. “Part of this debate is whether the victims should pay. The answer to this debate is that they need to all get arrested, they are all known,” she added. Although she didn’t get into details, the cybersecurity journalist Brian Krebs in November identified an admin related to the group as a 16-year-old based in Amman, Jordan. Meanwhile, Nixon has worked with the FBI before to help identify and catch cybercriminals. She noted that “because these are kids, governments may not take the threat seriously, allowing the problem to fester. They may not be used to dealing with cybercrime, they may not be tracking the issue. Meanwhile, [ShinyHunters] are finding and grooming more children, and recruiting them into the group,” she added. Prior to hacking Canvas, ShinyHunters also claimed to have hacked Vimeo, ADT Security, and Rockstar Games, among others. The group is known to use English-language voice calls and impersonation to trick employees into handing over internal access to a company's IT systems. Still, the stolen data may not always be sensitive. Rockstar Games refused to pay the group, which released the company's stolen data, but it consisted solely of internal business information, to seemingly no effect. Still, Nixon noted that ShinyHunters has attracted the media's attention. When it claims to have breached a company, journalists can end up hammering the victim companies, which can result in bad PR and further pressure to pay up. In response to Nixon, ShinyHunters has denied any involvement with trying to silence her or her company. “Unit221B is known to have a personal and emotional vendetta against us. They resort to spreading misinformation about us because they are eager to ‘dismantle and disrupt’ us by any means,” the group told PCMag. “In general, we do not try to censor anyone and cannot be bothered to do so. If we see misinformation regarding us reported we send a simple one-time kind message regarding what we find as misinformation and try to correct them,” the group said, later adding: "We keep a good and open relationship with the press and security researchers if they wish to inquire us."But Nixon noted the gang has been messaging media outlets in what she called “the most low effort gaslighting, and no one believes them," adding, "What they are doing is doling out information to people that say what they want, because controlling the information landscape is a critical part of their operation." About Our Expert Michael Kan Principal Reporter Experience I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.Since 2020, I've covered the launch and explosive growth of SpaceX's Sta

Indicators of Compromise

• malware — ShinyHunters

Entities