SchoolBoys Ransomware
SchoolBoys Ransomware is a ransomware/extortion brand used by a Russian-linked cybercrime organization associated with former Conti leaders or members. According to the provided reporting, the organization operated from approximately June 2021 through August 2023 and used multiple names in ransom notes and operations, including Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. The group targeted more than 54 companies worldwide, including many in the United States, and caused at least $56 million in documented losses across 13 victims, with additional ransom payments of about $13 million from 41 more victims; authorities estimated total losses likely reached hundreds of millions of dollars.
The organization conducted data theft and extortion, with operators analyzing stolen data, researching victims, and using highly sensitive personal information to increase pressure on victims to pay. Reported exposed data included Social Security numbers, addresses, dates of birth, and healthcare information. In one cited case involving a pediatric healthcare provider, a member of the group used stolen children’s health records to intensify extortion pressure and, when payment was not made, encouraged leaking or selling the data; sensitive records were also distributed to hundreds of patients. The group also reportedly disrupted a government entity’s 911 emergency system.
The broader organization was described as hierarchical, composed largely of Russian or Russia-based members, and at times operating from an office in St. Petersburg. It allegedly used front companies in Russia, Europe, and the United States to obscure its operations, and reporting states that some members were former Russian law enforcement officers who used official databases and connections to intimidate detractors and identify recruits. High-confidence attribution in the provided content identifies SchoolBoys Ransomware as one of several brands used by this Conti-linked syndicate rather than as a distinct standalone malware family. No specific technical indicators of compromise, file hashes, domains, or malware execution details were provided in the content.