Friday, December 8, 2023

Snatch Ransomware Group Leaked User’s Location and Internal Data

The Snatch Ransomware group is considered dangerous due to its advanced techniques and ability to evade detection. 

Security systems find it difficult to identify and stop such assaults since they use techniques like file encryption and memory injection to avoid detection.

Recently, the cybersecurity analysts at KrebsOnSecurity discovered that the Snatch ransomware group’s victim-shaming site exposes its location, operations, and visitor IP addresses, revealing its use of Google ads for malware distribution.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Snatch Exposes Data

During the malware distribution, the malware was disguised as free popular software like-

Snatch ransomware, seen since 2018, leaks data from non-paying victims on both open and darknet sites via Tor. Snatch’s darknet site reveals user IP addresses on its ‘server status’ page.

Victim shaming website for the Snatch ransomware gang
Victim shaming website for the Snatch ransomware gang (Source – KrebsOnSecurity)

Snatch’s darknet site attracts thousands of visitors, primarily from Russian IP addresses hosting its clear web domains.

Server status page
Server status page (Source –  KrebsOnSecurity)

Snatch Ransomware Data Exposure

The most active IP, 193.108.114[.]41 in Yekaterinburg, Russia, hosts various Snatch domains. Another frequent IP, 194.168.175[.]226 with Matrix Telekom, also hosts Snatch domains and phishing sites for brands like-

  • Amazon
  • Cashapp

IP 80.66.64[.]15 in Moscow frequently accessed Snatch’s darknet site and hosted similar-looking domains. These domains were registered to Mihail Kolesnikov, a name linked to phishing domains from malicious Google ads.

Kolesnikov, likely an alias associated with over 1,300 domains, has some advertising escort services in U.S. cities, raising questions about ransomware victim sourcing.

Recent phishing domains under Mihail Kolesnikov mimic major software companies. Trustwave Spiderlabs found Kolesnikov’s domains distributing Rilide trojan in August 2023. 

Multiple groups may use these domains for phishing and spreading information-stealing malware, as warned by Spamhaus in February 2023.

Victims searching for Microsoft Teams on Google saw spoofed ads at the top, leading to a malicious domain registered to Kolesnikov. Clicking on the ad downloaded IcedID malware, known for stealing browser passwords and tokens.

Spoofed ads
Spoofed ads (Source – KrebsOnSecurity)

Cybercriminals may offer ‘malvertising as a service’ on the dark web, creating and selling software-themed phishing domains to others. 

The @htmalgae, the researcher who alerted KrebsOnSecurity about Snatch’s exposed ‘server status’ page, also discovered the 8Base ransomware gang’s development-mode victim shaming site.

The 8Base ransomware gang’s oversight exposed its Russian site and a Moldovan programmer’s identity. Ironically, a group shaming others for data protection failed to protect its own data. 

The malware targets Windows, but a Mac-based trojan, AtomicStealer, is advertised through similar-sounding domains and malicious Google ads.

Security analysts urged to stay cautious, especially with cracked software and rogue ads masquerading as search results. 

Not only that, they also recommended that before downloading or installing anything, make sure to verify the website’s legitimacy.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.


Latest articles

Exploitation Methods Used by PlugX Malware Revealed by Splunk Research

PlugX malware is sophisticated in evasion, as it uses the following techniques to avoid...

TA422 Hackers Attack Organizations Using Outlook & WinRAR Vulnerabilities

Hackers exploit Outlook and WinRAR vulnerabilities because these widely used software programs are lucrative...

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Endpoint Strategies for 2024 and beyond

Converge and Defend

What's the pulse of Unified Endpoint Management and Security (UEMS) in Europe? Join us live to uncover the strategies that are defining endpoint security in the region.

Related Articles