New 'SnapMC' threat group steals data, then extorts victims for payment

So-called “double-tap” ransomware groups, which both encrypt and steal data and then threaten to publish the data without payment, have been on the rise for year. The appeal of such an attack is that the victim has to deal with systems being crippled and the threat of company secrets being exposed to all and sundry.

But what if a cyberthreat group just did away with the encryption side of ransomware, simply stole data and extorted the company for a ransom in return for not publishing the stolen data instead?

That’s the modus operandi of a threat group dubbed “SnapMC” detailed in a new report from NCC Group plc. Researchers at the company’s Research and Intelligence Fusion Team say they have observed an increasing number of data breach extortion cases and that, given the current threat landscape, the absence of ransomware is notable.

SnapMC has not been linked as yet to any known threat actors. The name is derived from the actor’s rapid attacks, generally completed in under 30 minutes, and the exfiltration tool mc.exe it uses.

In a typical SnapMC attack, the threat actors scan for multiple vulnerabilities in web service applications and virtual private networking solutions. The threat actor steals data from servers vulnerable to remote execution in Telerik UU for ASPX.NET and SQL injections.

Having gained access and stolen data, the group then sends extortion emails to victims. Typically, a victim is given 24 hours to contact SnapMC and 72 hours to negotiate a payment. SnapMC includes a list of stolen data as evidence that it has gained access to the victim’s infrastructure.

If the victim does not respond or pay, the actor threatens to publish, or immediately publishes, the stolen data and informs the victim’s customers and various media outlets.

Mitigation from attacks starts with addressing known vulnerabilities for which patches exist. “Patching in a timely manner and keeping (internet-connected) devices up-to-date is the most effective way to prevent falling victim to these types of attacks,” the researchers note.

Furthermore, it’s recommended to identify where vulnerable software resides in a network through vulnerability scanning. This includes third parties that supply software packers.

The researchers predict that “data breach extortion attacks will increase over time, as it takes less time, and even less technical in-depth knowledge or skill in comparison to a full-blown ransomware attack.”

Photo: Liz West/Flickr