TommyLeaks

TommyLeaks is a ransomware/extortion brand referenced by the U.S. Department of Justice as one of several brands used by a Russia-linked cybercrime organization tied to former Conti members. In reporting on the prosecution of Deniss Zolotarjovs, DOJ said brands used during his involvement included Conti, Karakurt, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. Zolotarjovs was described as a negotiator and strategist active from approximately June 2021 to August 2023, during which the organization stole data from more than 54 companies and caused over $56 million in losses. He was also associated with attacks attributed to Conti, Royal, TommyLeaks, SchoolBoys Ransomware, and Akira. The broader organization’s activity, as described in the supporting content, involved data theft and extortion against businesses, government entities, and a pediatric healthcare provider, including threats to leak or sell stolen data. Reported tradecraft associated in the content with the linked Karakurt operation included use of stolen VPN credentials for initial access and tools such as Cobalt Strike, AnyDesk, Mimikatz, PowerShell, 7zip, WinZip, Rclone, FileZilla, and Mega.io. Ransom demands cited in joint U.S. government reporting ranged from $25,000 to $13 million in Bitcoin. The content does not establish TommyLeaks as a distinct standalone group separate from these overlapping brands. It also notes one case in which a follow-on extortion actor calling itself Ethical Side Group falsely attributed an earlier compromise to TommyLeaks when Arctic Wolf assessed the original incident involved Royal ransomware instead.