UPDATED 22:25 EDT / OCTOBER 13 2021


New ‘SnapMC’ threat group steals data, then extorts victims for payment

So-called “double-tap” ransomware groups, which both encrypt and steal data and then threaten to publish the data without payment, have been on the rise for years. The appeal of such an attack is that the victim has to deal with systems being crippled and the threat of company secrets being exposed to all and sundry.

But what if a cyberthreat group just did away with the encryption side of ransomware, simply stole data and extorted the company for a ransom in return for not publishing the stolen data instead?

That’s the modus operandi of a threat group dubbed “SnapMC” detailed in a new report from NCC Group plc. Researchers at the company’s Research and Intelligence Fusion Team say they have observed an increasing number of data breach extortion cases and that, given the current threat landscape, the absence of ransomware is notable.

SnapMC has not been linked as yet to any known threat actors. The name is derived from the actor’s rapid attacks, generally completed in under 30 minutes, and the exfiltration tool mc.exe it uses.

In a typical SnapMC attack, the threat actors scan for multiple vulnerabilities in web service applications and virtual private networking solutions. The threat actor steals data from servers vulnerable to remote code execution in Telerik UI for ASPX.NET and to SQL injection.

Having gained access and stolen data, the group then sends extortion emails to victims. Typically, a victim is given 24 hours to contact SnapMC and 72 hours to negotiate a payment. SnapMC includes a list of stolen data as evidence that it has gained access to the victim’s infrastructure.

If the victim does not respond or pay, the actor threatens to publish, or immediately publishes, the stolen data and informs the victim’s customers and various media outlets.
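The pattern described above, a data exfiltration client launched from a compromised web application within about half an hour of exploitation, is something defenders can look for in process-creation telemetry. The following is an added detection sketch written for this article, not code from the article or from NCC Group's report; it assumes the web application runs under an IIS worker process (w3wp.exe) and uses constructed sample events in a simple (timestamp, host, parent pid, pid, image) form.

```python
"""Detection sketch for the SnapMC-style pattern: a data exfiltration client
(mc.exe) launched from a compromised web application process within minutes
of exploitation. All events below are constructed samples."""
from datetime import datetime

# Constructed process-creation events: (timestamp, host, parent pid, pid, image).
# Assumption: the web application runs under an IIS worker process (w3wp.exe),
# which is where an ASP.NET application would typically execute.
EVENTS = [
    ("2021-10-01T09:00:05", "web01",    4, 1200, "w3wp.exe"),
    ("2021-10-01T09:03:12", "web01", 1200, 3310, "cmd.exe"),   # worker spawns a shell
    ("2021-10-01T09:14:40", "web01", 3310, 3402, "mc.exe"),    # shell runs exfil client
    ("2021-10-01T08:00:00", "web02",    4, 1500, "w3wp.exe"),
    ("2021-10-01T10:00:00", "web02", 1500, 1610, "cmd.exe"),
    ("2021-10-01T11:00:00", "web02", 1610, 1700, "mc.exe"),    # same chain, but slow
    ("2021-10-01T10:30:00", "web03", 2001, 2310, "mc.exe"),    # admin shell, not web-descended
]
WEB_WORKERS = {"w3wp.exe"}
EXFIL_TOOLS = {"mc.exe"}

def web_descended_exfil(events):
    """Return (host, image, minutes) for every exfil-tool launch whose process
    ancestry leads back to a web worker, with minutes elapsed since that
    worker first spawned a child on the host (the start of post-exploitation)."""
    workers = {}      # host -> {pid of web worker processes}
    tainted = {}      # host -> {pid of processes descended from a web worker}
    first_child = {}  # host -> time the worker first spawned anything
    hits = []
    for ts, host, ppid, pid, image in sorted(events):
        t = datetime.fromisoformat(ts)
        if image in WEB_WORKERS:
            workers.setdefault(host, set()).add(pid)
            continue
        if ppid in workers.get(host, set()) or ppid in tainted.get(host, set()):
            tainted.setdefault(host, set()).add(pid)
            first_child.setdefault(host, t)
            if image in EXFIL_TOOLS:
                minutes = int((t - first_child[host]).total_seconds() // 60)
                hits.append((host, image, minutes))
    return hits

def fast_hits(events, window_minutes=30):
    """Only the smash-and-grab cases: exfil within the reported ~30-minute window."""
    return [h for h in web_descended_exfil(events) if h[2] <= window_minutes]

if __name__ == "__main__":
    for host, image, minutes in fast_hits(EVENTS):
        print(f"ALERT {host}: {image} ran {minutes} min after the web worker spawned a child")
```

The slower web02 chain is still worth triage; the window only separates the rapid pattern the report describes from everything else.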

Mitigation from attacks starts with addressing known vulnerabilities for which patches exist. “Patching in a timely manner and keeping (internet-connected) devices up-to-date is the most effective way to prevent falling victim to these types of attacks,” the researchers note.

Furthermore, it’s recommended to identify where vulnerable software resides in a network through vulnerability scanning. This includes third parties that supply software packages.

The researchers predict that “data breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack.”

Photo: Liz West/Flickr
