Friday, October 4, 2024
HomeCyber Security NewsSnatch Ransomware Group Leaked User's Location and Internal Data

Snatch Ransomware Group Leaked User’s Location and Internal Data

Published on

The Snatch Ransomware group is considered dangerous due to its advanced techniques and ability to evade detection. 

Security systems find it difficult to identify and stop such assaults since they use techniques like file encryption and memory injection to avoid detection.

Recently, the cybersecurity analysts at KrebsOnSecurity discovered that the Snatch ransomware group’s victim-shaming site exposes its location, operations, and visitor IP addresses, revealing its use of Google ads for malware distribution.

- Advertisement - EHA

Snatch Exposes Data

During the malware distribution, the malware was disguised as free popular software like-

Snatch ransomware, seen since 2018, leaks data from non-paying victims on both open and darknet sites via Tor. Snatch’s darknet site reveals user IP addresses on its ‘server status’ page.

Victim shaming website for the Snatch ransomware gang
Victim shaming website for the Snatch ransomware gang (Source – KrebsOnSecurity)

Snatch’s darknet site attracts thousands of visitors, primarily from Russian IP addresses hosting its clear web domains.

Server status page
Server status page (Source –  KrebsOnSecurity)

Snatch Ransomware Data Exposure

The most active IP, 193.108.114[.]41 in Yekaterinburg, Russia, hosts various Snatch domains. Another frequent IP, 194.168.175[.]226 with Matrix Telekom, also hosts Snatch domains and phishing sites for brands like-

  • Amazon
  • Cashapp

IP 80.66.64[.]15 in Moscow frequently accessed Snatch’s darknet site and hosted similar-looking domains. These domains were registered to Mihail Kolesnikov, a name linked to phishing domains from malicious Google ads.

Kolesnikov, likely an alias associated with over 1,300 domains, has some advertising escort services in U.S. cities, raising questions about ransomware victim sourcing.

Recent phishing domains under Mihail Kolesnikov mimic major software companies. Trustwave Spiderlabs found Kolesnikov’s domains distributing Rilide trojan in August 2023. 

Multiple groups may use these domains for phishing and spreading information-stealing malware, as warned by Spamhaus in February 2023.

Victims searching for Microsoft Teams on Google saw spoofed ads at the top, leading to a malicious domain registered to Kolesnikov. Clicking on the ad downloaded IcedID malware, known for stealing browser passwords and tokens.

Spoofed ads
Spoofed ads (Source – KrebsOnSecurity)

Cybercriminals may offer ‘malvertising as a service’ on the dark web, creating and selling software-themed phishing domains to others. 

The @htmalgae, the researcher who alerted KrebsOnSecurity about Snatch’s exposed ‘server status’ page, also discovered the 8Base ransomware gang’s development-mode victim shaming site.

The 8Base ransomware gang’s oversight exposed its Russian site and a Moldovan programmer’s identity. Ironically, a group shaming others for data protection failed to protect its own data. 

The malware targets Windows, but a Mac-based trojan, AtomicStealer, is advertised through similar-sounding domains and malicious Google ads.

Security analysts urged to stay cautious, especially with cracked software and rogue ads masquerading as search results. 

Not only that, they also recommended that before downloading or installing anything, make sure to verify the website’s legitimacy.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

Doppler, the leading platform in secrets management, today announces the launch of Change Requests,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...