Friday, November 15, 2024
HomeCyber Security NewsSnatch Ransomware Group Leaked User's Location and Internal Data

Snatch Ransomware Group Leaked User’s Location and Internal Data

Published on

The Snatch Ransomware group is considered dangerous due to its advanced techniques and ability to evade detection. 

Security systems find it difficult to identify and stop such assaults since they use techniques like file encryption and memory injection to avoid detection.

Recently, the cybersecurity analysts at KrebsOnSecurity discovered that the Snatch ransomware group’s victim-shaming site exposes its location, operations, and visitor IP addresses, revealing its use of Google ads for malware distribution.

- Advertisement - SIEM as a Service

Snatch Exposes Data

During the malware distribution, the malware was disguised as free popular software like-

Snatch ransomware, seen since 2018, leaks data from non-paying victims on both open and darknet sites via Tor. Snatch’s darknet site reveals user IP addresses on its ‘server status’ page.

Victim shaming website for the Snatch ransomware gang
Victim shaming website for the Snatch ransomware gang (Source – KrebsOnSecurity)

Snatch’s darknet site attracts thousands of visitors, primarily from Russian IP addresses hosting its clear web domains.

Server status page
Server status page (Source –  KrebsOnSecurity)

Snatch Ransomware Data Exposure

The most active IP, 193.108.114[.]41 in Yekaterinburg, Russia, hosts various Snatch domains. Another frequent IP, 194.168.175[.]226 with Matrix Telekom, also hosts Snatch domains and phishing sites for brands like-

  • Amazon
  • Cashapp

IP 80.66.64[.]15 in Moscow frequently accessed Snatch’s darknet site and hosted similar-looking domains. These domains were registered to Mihail Kolesnikov, a name linked to phishing domains from malicious Google ads.

Kolesnikov, likely an alias associated with over 1,300 domains, has some advertising escort services in U.S. cities, raising questions about ransomware victim sourcing.

Recent phishing domains under Mihail Kolesnikov mimic major software companies. Trustwave Spiderlabs found Kolesnikov’s domains distributing Rilide trojan in August 2023. 

Multiple groups may use these domains for phishing and spreading information-stealing malware, as warned by Spamhaus in February 2023.

Victims searching for Microsoft Teams on Google saw spoofed ads at the top, leading to a malicious domain registered to Kolesnikov. Clicking on the ad downloaded IcedID malware, known for stealing browser passwords and tokens.

Spoofed ads
Spoofed ads (Source – KrebsOnSecurity)

Cybercriminals may offer ‘malvertising as a service’ on the dark web, creating and selling software-themed phishing domains to others. 

The @htmalgae, the researcher who alerted KrebsOnSecurity about Snatch’s exposed ‘server status’ page, also discovered the 8Base ransomware gang’s development-mode victim shaming site.

The 8Base ransomware gang’s oversight exposed its Russian site and a Moldovan programmer’s identity. Ironically, a group shaming others for data protection failed to protect its own data. 

The malware targets Windows, but a Mac-based trojan, AtomicStealer, is advertised through similar-sounding domains and malicious Google ads.

Security analysts urged to stay cautious, especially with cracked software and rogue ads masquerading as search results. 

Not only that, they also recommended that before downloading or installing anything, make sure to verify the website’s legitimacy.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...