The Snatch Ransomware group is considered dangerous due to its advanced techniques and ability to evade detection.
Security systems find it difficult to identify and stop such assaults since they use techniques like file encryption and memory injection to avoid detection.
Recently, the cybersecurity analysts at KrebsOnSecurity discovered that the Snatch ransomware group’s victim-shaming site exposes its location, operations, and visitor IP addresses, revealing its use of Google ads for malware distribution.
During the malware distribution, the malware was disguised as free popular software like-
Snatch ransomware, seen since 2018, leaks data from non-paying victims on both open and darknet sites via Tor. Snatch’s darknet site reveals user IP addresses on its ‘server status’ page.
Snatch’s darknet site attracts thousands of visitors, primarily from Russian IP addresses hosting its clear web domains.
The most active IP, 193.108.114[.]41 in Yekaterinburg, Russia, hosts various Snatch domains. Another frequent IP, 194.168.175[.]226 with Matrix Telekom, also hosts Snatch domains and phishing sites for brands like-
IP 80.66.64[.]15 in Moscow frequently accessed Snatch’s darknet site and hosted similar-looking domains. These domains were registered to Mihail Kolesnikov, a name linked to phishing domains from malicious Google ads.
Kolesnikov, likely an alias associated with over 1,300 domains, has some advertising escort services in U.S. cities, raising questions about ransomware victim sourcing.
Recent phishing domains under Mihail Kolesnikov mimic major software companies. Trustwave Spiderlabs found Kolesnikov’s domains distributing Rilide trojan in August 2023.
Multiple groups may use these domains for phishing and spreading information-stealing malware, as warned by Spamhaus in February 2023.
Victims searching for Microsoft Teams on Google saw spoofed ads at the top, leading to a malicious domain registered to Kolesnikov. Clicking on the ad downloaded IcedID malware, known for stealing browser passwords and tokens.
Cybercriminals may offer ‘malvertising as a service’ on the dark web, creating and selling software-themed phishing domains to others.
The @htmalgae, the researcher who alerted KrebsOnSecurity about Snatch’s exposed ‘server status’ page, also discovered the 8Base ransomware gang’s development-mode victim shaming site.
The 8Base ransomware gang’s oversight exposed its Russian site and a Moldovan programmer’s identity. Ironically, a group shaming others for data protection failed to protect its own data.
The malware targets Windows, but a Mac-based trojan, AtomicStealer, is advertised through similar-sounding domains and malicious Google ads.
Security analysts urged to stay cautious, especially with cracked software and rogue ads masquerading as search results.
Not only that, they also recommended that before downloading or installing anything, make sure to verify the website’s legitimacy.
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…
Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…