Red Hot Cyber


A New Dark Actor Enters the Criminal Underground. Discovering Skira Ransomware

Pietro Melillo : 7 March 2025 09:12

During reconnaissance of the criminal underground conducted by DarkLab, Red Hot Cyber’s threat intelligence laboratory, we came across the Data Leak Site of a previously unmonitored cyber gang: Skira.

Ransomware groups generally operate under the logic of “double extortion”: after gaining unauthorized access to an organization’s IT systems, they encrypt the data and simultaneously steal a copy. If the victim refuses to pay the ransom, the cybercriminals threaten not only to leave the systems inaccessible but also to publish the exfiltrated data.

Skira fits into this scenario as a newly emerging group that, like many of its “peers” (e.g., LockBit, BlackCat/ALPHV, etc.), has its own Tor site where it claims responsibility for attacks and displays a list of victims.


In the context of Scandinavian languages, “skir” (or very similar forms, such as the Icelandic “skír” or Old Norse “skírr”) generally means “pure,” “transparent,” or “clear.” In modern Swedish, for instance, the adjective “skir” is used to indicate something “thin,” “delicate,” or “transparent.” These Germanic roots may thus have inspired the name “Skira,” although there is no definitive evidence that the ransomware group based its name on this etymology.

Structure of the DLS

The Skira Data Leak Site (DLS) homepage, accessible exclusively through the Tor network, appears extremely minimal. The interface contains only a few textual elements: a welcome message, a link to a section called Hacking News (dedicated to the victims), and instructions on how to contact the group via Session. The lack of elaborate graphic elements and the bare layout suggest a deliberate focus on content, providing only the information strictly necessary to negotiate any payment or to showcase the stolen data.

The site includes:

  • A homepage featuring a welcome message, a link labeled Hacking News (leading to the “victims’ blog”), and instructions on how to contact them via Session.
  • A page dedicated to the victims (the Hacking News section), where various targeted organizations are listed: companies and even a government entity in a Turkish city.

Contact Methods

In addition to the traditional “payment portal,” which is sometimes integrated into such sites (and not always displayed publicly), Skira encourages the use of Session to negotiate the ransom.

Victims and Involved Sectors

On Skira’s Hacking News page, the following are listed:

  • Real estate companies (India).
  • Consumer goods manufacturers (India).
  • Regulatory consulting firms (USA).
  • A government office of a municipality in Turkey.

The list indicates that Skira may be targeting diverse organizations without a specific industry preference, instead focusing on entities with insufficient security or those deemed capable of paying a ransom to prevent the exposure of sensitive data.

Conclusions

The Skira group represents a new ransomware threat, clearly oriented toward the “double extortion” model with a Tor-based Data Leak Site. Although technical details about their ransomware payload are scarce at this point, the presence of an actual victim list, potential ransom demands, and the use of a secure communication channel (Session) demonstrate that the group is operating in a structured manner.

As with other ransomware campaigns, prevention and timely detection are crucial to limiting damage. Adopting good security practices, continuous infrastructure monitoring, and well-defined incident response procedures remain the pillars for mitigating the risk of similar attacks.

Pietro Melillo
Head of the Dark Lab group. A computer engineer specialised in cyber security with a deep passion for hacking and technology, he is currently CISO of WURTH Italia and was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM. He carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio as a Ph.D., and is an author of scientific papers and a developer of tools to support cybersecurity activities. He leads the CTI team "RHC DarkLab".