Snatch Ransomware Group Leaked User’s Location and Internal Data

The Snatch Ransomware group is considered dangerous due to its advanced techniques and ability to evade detection. 

Security systems find it difficult to identify and stop such assaults since they use techniques like file encryption and memory injection to avoid detection.

Recently, the cybersecurity analysts at KrebsOnSecurity discovered that the Snatch ransomware group’s victim-shaming site exposes its location, operations, and visitor IP addresses, revealing its use of Google ads for malware distribution.

Snatch Exposes Data

During the malware distribution, the malware was disguised as free popular software like-

• Microsoft Teams
• Adobe Reader
• Mozilla Thunderbird
• Discord

Snatch ransomware, seen since 2018, leaks data from non-paying victims on both open and darknet sites via Tor. Snatch’s darknet site reveals user IP addresses on its ‘server status’ page.

Snatch’s darknet site attracts thousands of visitors, primarily from Russian IP addresses hosting its clear web domains.

Snatch Ransomware Data Exposure

The most active IP, 193.108.114[.]41 in Yekaterinburg, Russia, hosts various Snatch domains. Another frequent IP, 194.168.175[.]226 with Matrix Telekom, also hosts Snatch domains and phishing sites for brands like-

• Amazon
• Cashapp

IP 80.66.64[.]15 in Moscow frequently accessed Snatch’s darknet site and hosted similar-looking domains. These domains were registered to Mihail Kolesnikov, a name linked to phishing domains from malicious Google ads.

Kolesnikov, likely an alias associated with over 1,300 domains, has some advertising escort services in U.S. cities, raising questions about ransomware victim sourcing.

Recent phishing domains under Mihail Kolesnikov mimic major software companies. Trustwave Spiderlabs found Kolesnikov’s domains distributing Rilide trojan in August 2023. 

Multiple groups may use these domains for phishing and spreading information-stealing malware, as warned by Spamhaus in February 2023.

Victims searching for Microsoft Teams on Google saw spoofed ads at the top, leading to a malicious domain registered to Kolesnikov. Clicking on the ad downloaded IcedID malware, known for stealing browser passwords and tokens.

Cybercriminals may offer ‘malvertising as a service’ on the dark web, creating and selling software-themed phishing domains to others. 

The @htmalgae, the researcher who alerted KrebsOnSecurity about Snatch’s exposed ‘server status’ page, also discovered the 8Base ransomware gang’s development-mode victim shaming site.

The 8Base ransomware gang’s oversight exposed its Russian site and a Moldovan programmer’s identity. Ironically, a group shaming others for data protection failed to protect its own data. 

The malware targets Windows, but a Mac-based trojan, AtomicStealer, is advertised through similar-sounding domains and malicious Google ads.

Security analysts urged to stay cautious, especially with cracked software and rogue ads masquerading as search results. 

Not only that, they also recommended that before downloading or installing anything, make sure to verify the website’s legitimacy.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.