Ransomware Group: QILIN

VICTIM NAME: sperispa[.]com

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the QILIN Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

On September 25, 2025, a ransomware leak post attributed to the actor group Qilin identified sperispa[.]com as a victim. The entry describes SPERI SPA as an Italy-based provider of architectural, environmental, and infrastructure services. The page frames the incident as a data-leak event rather than a pure encryption, consistent with double-extortion tactics, and includes a claim URL indicating ransom-related negotiations. The description references a project titled “Sustainable Management of Protected Areas in Mauritania – Fisheries Monitoring,” suggesting that some of the leaked materials may concern that initiative. Because no explicit compromise date is provided on the leak page, the posted date is treated as the post date for the leak.

The leak page presents a gallery of ten images, described in broad terms as screenshots of internal documents or materials. The images appear as thumbnails and are associated with a Tor onion service, though the exact image URLs are not disclosed in the public view. The body excerpt includes lines that reference contact channels and credentials (a Jabber address and an FTP login), but all personally identifiable information and sensitive details are redacted. The post also indicates the existence of a ransom-claim mechanism through a claim URL, while the page itself does not provide a direct data download or size figure for the exfiltrated data.

From a threat intelligence perspective, the leak underscores a conventional ransomware operation targeting sperispa[.]com. The combination of internal-document imagery, a contextual project reference, and a ransom-claim path aligns with common double-extortion patterns, illustrating how attackers leverage public leaks to pressure payment while potentially exposing sensitive project materials to stakeholders. The focus of this summary remains on sperispa[.]com, with other organizational mentions in the leak description not central to this assessment. The post date serves as the reference timestamp in lieu of a disclosed compromise date.