ShinyHunters is a financially motivated data-theft and extortion group active since 2020, responsible for high-profile breaches including Ticketmaster (via Snowflake) and PowerSchool; by 2025 they launched a RaaS offering called "shinysp1d3r," and in August 2025 French authorities arrested four members.
Observed tactics and techniques of the actor, mapped to MITRE ATT&CK. Useful for prioritizing detections.
For detection/blocking in your EDR/SIEM. Source: ransomware.live.
Defensive detection signature for this group (use it in your EDR/SIEM). Source: ransomware.live.
```yara
/*
    shinyhunters ransomware
*/
rule shinyhunters_Ransomnote
{
    meta:
        author = "ransomware.live"
        family = "ransomware.shinyhunters"
        description = "Detects shinyhunters ransomware ransom note or artifact"
        date = "2026-05-04"
        severity = 7
        score = 70
    strings:
        $name1 = "shinyhunters" ascii nocase
        $name2 = "SHINYHUNTERS" ascii
        $onion = "shinyhunters.onion" ascii nocase
    condition:
        any of them
}
```
Over 1 million Salesforce records and other internal corporate data containing PII was compromised. This is a final warning to reach out by 14 June 2026 before we leak along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headline. | Updated: 11 June 2026 | Warning: FINAL WARNING
Over 220GB of data containing customer PII, purchase/transaction info, future unreleased releases from 2027 and onward, and more was compromised. This is a final warning to reach out by 14 June 2026 before we leak along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headline. | Updated: 11 June 2026 | Warning: FINAL WARNING
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Nexstar.tv | US | Technology | — | 11 Jun 2026 |
| Ralph Lauren Corporation | US | Consumer Services | — | 11 Jun 2026 |
| Notice | | Not Found | — | 11 Jun 2026 |
| nottingham.ac.uk | GB | Education | — | 9 Jun 2026 |
| DentaQuest, LLC. | US | Healthcare | — | 30 May 2026 |
| BCD Travel | NL | Business Services | — | 29 May 2026 |
| DentaQuest, LLC | US | Healthcare | — | 28 May 2026 |
| Adelante Soluciones Financieras (Addi.com) | CO | Financial Services | — | 5 May 2026 |
| Aeroméxico | MX | Transportation/Logistics | — | 3 Oct 2025 |
The addresses of the leak sites (.onion) are known but are not published or linked. Only public metadata is shown.
Due to the significant influx of activity going on, we are kindly advising everyone who is being contacted by us to start responding or the inevitable will happen after the deadline. We are not bluffing. Thank you. Make the right decision, don't be the next headline. | Updated: 11 June 2026 | Warning: FINAL WARNING
Over 40 GB of billing and payment records, credit card and payment details, student finance data, and campus portal exports from the University of Nottingham and its Malaysia and China campuses was compromised, including payer contact information, transaction amounts, IP addresses, full names, home addresses, postcodes, email addresses, phone numbers, dates of birth, and other internal campus data. | Size: 19GB+ (compressed) | Updated: 10 June 2026 | SHA256: d3aaaf06dd857deec3866072cc2876780623d880992e8d735094db4779535873
The company failed to reach an agreement with us despite our incredible patience, all the chances and offers we made. They don't care. | Size: 234GB+ (compressed) | Updated: 30 May 2026 | SHA256: db3088225c36be26ce2b458fa7a190176d071441e2e0830c0d82143e6323a3e1
Over 700k Salesforce records and various Sharepoint sites corporate data has been compromised. This is a final warning to reach out by 1 June 2026 before we leak along with several annoying (digital) problems that'll come your way. Make the right decision, don't be the next headline. Pay or Leak. | Updated: 29 May 2026 | Warning: FINAL WARNING PAY OR LEAK