
TommyLeaks

TommyLeaks is a ransomware/extortion brand name used by a Russia-linked cybercrime organization associated with former Conti leaders. Between approximately June 2021 and August 2023, this organization operated under multiple names in its ransom notes and operations, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. The available reporting does not describe TommyLeaks as a separate malware family with distinct technical characteristics; rather, it is one of several brands used by the same broader syndicate.

The organization targeted more than 54 companies worldwide, many of them in the United States. Its activity centered on data theft and extortion: operators researched victims, analyzed stolen data, and used highly sensitive information to increase pressure on victims to pay. In one cited case involving a pediatric healthcare provider, stolen children’s health records were used to intensify extortion, and the sensitive data was distributed to hundreds of patients after ransom demands went unmet. Across the broader campaign, exposed data included Social Security numbers, addresses, dates of birth, and healthcare information, and one attack forced a government entity’s 911 emergency system offline.

The group is described as hierarchical, operating largely from Russia, including from an office building in St. Petersburg, and using companies registered in Russia, Europe, and the United States to obscure its operations. Members were reportedly Russian or Russia-based, and the organization allegedly included former Russian law enforcement officers who helped it access government databases and connections. The reporting attributes TommyLeaks branding to this ecosystem alongside Conti, Karakurt, Royal, and Akira, and notes one later case in which a follow-on extortion actor incorrectly attributed an earlier Royal compromise to the TommyLeaks ransomware group.

High-confidence impact figures state that attacks on 13 victims caused more than $56 million in losses, including about $2.8 million in ransom payments, and that an additional 41 companies paid about $13 million. Total losses attributed to the organization over this period were estimated to likely reach hundreds of millions of dollars.


MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Impact (1 technique)

T1657 Financial Theft (evidence: 1)

“When he failed in extracting a ransom from this victim, he urged coconspirators to be ‘DESTROYERS’ and to leak or sell copies of these pediatric health records to sow fear among future victims.”

“During the time of Zolotarjovs’s active participation ... the organization stole data from over 54 companies ... Zolotarjovs was primarily responsible for escalating pressure on victims who initially resisted prompt payment of the organization’s ransom demands. Zolotarjovs analyzed stolen data, researched victim companies, and exploited his access to particularly sensitive and extremely personal information.”
