Pietro Melillo : 7 March 2025 09:12
During our reconnaissance into the underground world and criminal groups conducted by Red Hot Cyber’s threat intelligence laboratory DarkLab, we stumbled upon a Data Leak Site of a cyber gang never monitored before: Skira.
Ransomware groups generally operate under the logic of “double extortion”: after gaining unauthorized access to an organization’s IT systems, they encrypt the data and simultaneously steal a copy. If the victim refuses to pay the ransom, the cybercriminals threaten not only to leave the systems inaccessible but also to publish the exfiltrated data.
Skira fits into this scenario as a newly emerging group that, like many of its “peers” (e.g., LockBit, BlackCat/ALPHV, etc.), has its own Tor site where it claims responsibility for attacks and displays a list of victims.
In the context of Scandinavian languages, “skir” (or very similar forms, such as the Icelandic “skír” or Old Norse “skírr”) generally means “pure,” “transparent,” or “clear.” In modern Swedish, for instance, the adjective “skir” is used to indicate something “thin,” “delicate,” or “transparent.” These Germanic roots may thus have inspired the name “Skira,” although there is no definitive evidence that the ransomware group based its name on this etymology.
The Skira Data Leak Site (DLS) homepage, accessible exclusively through the Tor network, appears extremely minimal. The interface contains only a few textual elements: a welcome message, a link to a section called Hacking News (dedicated to the victims), and instructions on how to contact the group via Session. The lack of elaborate graphic elements and the bare layout suggest a deliberate focus on content, providing only the information strictly necessary to negotiate any payment or to showcase the stolen data.
In addition to the traditional “payment portal” that is sometimes integrated into such sites (though not always displayed publicly), Skira encourages the use of Session to negotiate the ransom.
Victims and Involved Sectors
On Skira’s Hacking News page, the names of the following are listed:
The list indicates that Skira may be targeting diverse organizations without a specific industry preference, instead focusing on entities with insufficient security or those deemed capable of paying a ransom to prevent the exposure of sensitive data.
The Skira group represents a new ransomware threat, clearly oriented toward the “double extortion” model with a Tor-based Data Leak Site. Although technical details about their ransomware payload are scarce at this point, the presence of an actual victim list, potential ransom demands, and the use of a secure communication channel (Session) demonstrate that the group is operating in a structured manner.
As with other ransomware campaigns, prevention and timely detection are crucial to limiting damage. Adopting good security practices, continuous infrastructure monitoring, and well-defined incident response procedures remain the pillars for mitigating the risk of similar attacks.