Pietro Melillo : 7 March 2025 09:12
During our reconnaissance into the underground world and criminal groups conducted by Red Hot Cyber’s threat intelligence laboratory DarkLab, we stumbled upon a Data Leak Site of a cyber gang never monitored before: Skira.
Ransomware groups generally operate under the logic of “double extortion”: after gaining unauthorized access to an organization’s IT systems, they encrypt the data and simultaneously steal a copy. If the victim refuses to pay the ransom, the cybercriminals threaten not only to leave the systems inaccessible but also to publish the exfiltrated data.
Skira fits into this scenario as a newly emerging group that, like many of its “peers” (e.g., LockBit, BlackCat/ALPHV, etc.), has its own Tor site where it claims responsibility for attacks and displays a list of victims.
In the context of Scandinavian languages, “skir” (or very similar forms, such as the Icelandic “skír” or Old Norse “skírr”) generally means “pure,” “transparent,” or “clear.” In modern Swedish, for instance, the adjective “skir” is used to indicate something “thin,” “delicate,” or “transparent.” These Germanic roots may thus have inspired the name “Skira,” although there is no definitive evidence that the ransomware group based its name on this etymology.
The Skira Data Leak Site (DLS) homepage, accessible exclusively through the Tor network, appears extremely minimal. The interface contains only a few textual elements: a welcome message, a link to a section called Hacking News (dedicated to the victims), and instructions on how to contact the group via Session. The lack of elaborate graphic elements and the bare layout suggest a deliberate focus on content, providing only the information strictly necessary to negotiate any payment or to showcase the stolen data.
In addition to the traditional “payment portal”, which is sometimes integrated but not always displayed publicly, Skira encourages the use of Session to negotiate the ransom.
Victims and Involved Sectors
On Skira’s Hacking News page, the names of the following are listed:
The list indicates that Skira may be targeting diverse organizations without a specific industry preference, instead focusing on entities with insufficient security or those deemed capable of paying a ransom to prevent the exposure of sensitive data.
The Skira group represents a new ransomware threat, clearly oriented toward the “double extortion” model with a Tor-based Data Leak Site. Although technical details about their ransomware payload are scarce at this point, the presence of an actual victim list, potential ransom demands, and the use of a secure communication channel (Session) demonstrate that the group is operating in a structured manner.
As with other ransomware campaigns, prevention and timely detection are crucial to limiting damage. Adopting good security practices, continuous infrastructure monitoring, and well-defined incident response procedures remain the pillars for mitigating the risk of similar attacks.