Red Hot Cyber


A New Dark Actor Enters the Criminal Underground. Discovering Skira Ransomware

Pietro Melillo : 7 March 2025 09:12

During our reconnaissance into the underground world and criminal groups conducted by Red Hot Cyber’s threat intelligence laboratory DarkLab, we stumbled upon a Data Leak Site of a cyber gang never monitored before: Skira.

Ransomware groups generally operate under the logic of “double extortion”: after gaining unauthorized access to an organization’s IT systems, they encrypt the data and simultaneously steal a copy. If the victim refuses to pay the ransom, the cybercriminals threaten not only to leave the systems inaccessible but also to publish the exfiltrated data.

Skira fits into this scenario as a newly emerging group that, like many of its “peers” (e.g., LockBit, BlackCat/ALPHV, etc.), has its own Tor site where it claims responsibility for attacks and displays a list of victims.


In the context of Scandinavian languages, “skir” (or very similar forms, such as the Icelandic “skír” or Old Norse “skírr”) generally means “pure,” “transparent,” or “clear.” In modern Swedish, for instance, the adjective “skir” is used to indicate something “thin,” “delicate,” or “transparent.” These Germanic roots may thus have inspired the name “Skira,” although there is no definitive evidence that the ransomware group based its name on this etymology.

Structure of the DLS

The Skira Data Leak Site (DLS) homepage, accessible exclusively through the Tor network, appears extremely minimal. The interface contains only a few textual elements: a welcome message, a link to a section called Hacking News (dedicated to the victims), and instructions on how to contact the group via Session. The lack of elaborate graphic elements and the bare layout suggest a deliberate focus on content, providing only the information strictly necessary to negotiate any payment or to showcase the stolen data.

The site consists of two pages:

  • A homepage featuring a welcome message, a link labeled Hacking News (leading to the “victims’ blog”), and instructions on how to contact them via Session.
  • A page dedicated to the victims (the Hacking News section), where various targeted organizations are listed: companies and even a government entity in a Turkish city.

Contact Methods

In addition to the traditional “payment portal”, which is sometimes integrated but not always displayed publicly, Skira encourages the use of Session to negotiate the ransom.

Victims and Involved Sectors

Skira’s Hacking News page lists the names of the following:

  • Real estate companies (India).
  • Consumer goods manufacturers (India).
  • Regulatory consulting firms (USA).
  • A government office of a municipality in Turkey.

The list indicates that Skira may be targeting diverse organizations without a specific industry preference, instead focusing on entities with insufficient security or those deemed capable of paying a ransom to prevent the exposure of sensitive data.

Conclusions

The Skira group represents a new ransomware threat, clearly oriented toward the “double extortion” model with a Tor-based Data Leak Site. Although technical details about their ransomware payload are scarce at this point, the presence of an actual victim list, potential ransom demands, and the use of a secure communication channel (Session) demonstrate that the group is operating in a structured manner.

As with other ransomware campaigns, prevention and timely detection are crucial to limiting damage. Adopting good security practices, continuous infrastructure monitoring, and well-defined incident response procedures remain the pillars for mitigating the risk of similar attacks.

Pietro Melillo
Head of the Dark Lab group. A computer engineer specialised in cyber security with a deep passion for hacking and technology, he is currently CISO of WURTH Italia and was responsible for Cyber Threat Intelligence & Dark Web analysis services at IBM. He carries out research and teaching activities on Cyber Threat Intelligence topics at the University of Sannio as a Ph.D., is the author of scientific papers, and develops tools to support cybersecurity activities. He leads the CTI team "RHC DarkLab".
