A Closer Look at the Snatch Data Ransom Group

Read Time:8 Minute, 32 Second

Earlier this week, KrebsOnSecurity revealed that the darknet website for the Snatch ransomware group was leaking data about its users and the crime gang’s internal operations. Today, we’ll take a closer look at the history of Snatch, its alleged founder, and their claims that everyone has confused them with a different, older ransomware group by the same name.

According to a September 20, 2023 joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Administration (CISA), Snatch was originally named Team Truniger, based on the nickname of the group’s founder and organizer — Truniger.

The FBI/CISA report says Truniger previously operated as an affiliate of GandCrab, an early ransomware-as-a-service offering that closed up shop after several years and claims to have extorted more than $2 billion from victims. GandCrab dissolved in July 2019, and is thought to have become “REvil,” one of the most ruthless and rapacious Russian ransomware groups of all time.

The government says Snatch used a customized ransomware variant notable for rebooting Microsoft Windows devices into Safe Mode — enabling the ransomware to circumvent detection by antivirus or endpoint protection — and then encrypting files when few services are running.

“Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog,” the FBI/CISA alert reads. It continues:

“Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network moving laterally across the victim’s network with RDP for the largest possible deployment of ransomware and searching for files and folders for data exfiltration followed by file encryption.”

New York City-based cyber intelligence firm Flashpoint said the Snatch ransomware group was created in 2018, based on Truniger’s recruitment both on Russian language cybercrime forums and public Russian programming boards. Flashpoint said Truniger recruited “pen testers” for a new, then-unnamed cybercrime group, by posting their private Jabber instant messenger contact details on multiple Russian language coding forums, as well as on Facebook.

“The command requires Windows system administrators,” Truniger’s ads explained. “Experience in backup, increase privileges, mikicatz, network. Details after contacting on jabber: truniger@xmpp[.]jp.”

In at least some of those recruitment ads — like one in 2018 on the forum sysadmins[.]ru –the username promoting Truniger’s contact information was Semen7907. In April 2020, Truniger was banned from two of the top Russian cybercrime forums, where members from both forums confirmed that Semen7907 was one of Truniger’s known aliases.

[SIDE NOTE: Truniger was banned because he purchased credentials to a company from a network access broker on the dark web, and although he promised to share a certain percentage of whatever ransom amount Truniger’s group extracted from the victim, Truniger paid the access broker just a few hundred dollars off of a six-figure ransom].

According to Constella Intelligence, a data breach and threat actor research platform, a user named Semen7907 registered in 2017 on the Russian-language programming forum pawno[.]ru using the email address tretyakov-files@yandex.ru.

That same email address was assigned to the user “Semen-7907” on the now defunct gaming website tunngle.net, which suffered a data breach in 2020. Semen-7907 registered at Tunngle from the Internet address 31.192.175[.]63, which is in Yekaterinburg, RU.

Constella reports that tretyakov-files@yandex.ru was also used to register an account at the online game stalker[.]so with the nickname Trojan7907.

There is a Skype user by the handle semen7907, and which has the name Semyon Tretyakov from Yekaterinburg, RU. Constella also found a breached record from the Russian mobile telephony site tele2[.]ru, which shows that a user from Yekaterinburg registered in 2019 with the name Semyon Sergeyvich Tretyakov and email address tretyakov-files@ya.ru.

The above accounts, as well as the email address semen_7907@mail.ru, were all registered or accessed from the same Yekaterinburg Internet address mentioned previously: 31.192.175.63. The Russian mobile phone number associated with that tele2[.]ru account is connected to the Telegram account “Perchatka,” (“glove” in Russian).

BAD BEATS

Reached via Telegram, Perchatka (a.k.a. Mr. Tretyakov) said he was not a cybercriminal, and that he currently has a full-time job working in IT at a major company (he declined to specify which).

Presented with the information gathered for this report (and more that is not published here), Mr. Tretyakov acknowledged that Semen7907 was his account on sysadmins[.]ru, the very same account Truniger used to recruit hackers for the Snatch Ransomware group back in 2018.

However, he claims that he never made those posts, and that someone else must have assumed control over his sysadmins[.]ru account and posted as him. Mr. Tretyakov said that KrebsOnSecurity’s outreach this week was the first time he became aware that his sysadmins[.]ru account was used without his permission.

Mr. Tretyakov suggested someone may have framed him, pointing to an August 2023 story at a Russian news outlet about the reported hack and leak of the user database from sysadmins[.]ru, allegedly at the hands of a pro-Ukrainian hacker group called CyberSec.

“Recently, because of the war in Ukraine, a huge number of databases have been leaked and finding information about a person is not difficult,” Tretyakov said. “I’ve been using this login since about 2013 on all the forums where I register, and I don’t always set a strong password. If I had done something illegal, I would have hidden much better :D.”

[For the record, KrebsOnSecurity does not generally find this to be the case, as the ongoing Breadcrumbs series will attest.]

A Semyon Sergeyvich Tretyakov is listed as the composer of a Russian-language rap song called “Parallels,” which seems to be about the pursuit of a high-risk lifestyle online. A snippet of the song goes:

“Someone is on the screen, someone is on the blacklist
I turn on the timer and calculate the risks
I don’t want to stay broke And in the pursuit of money
I can’t take these zeros Life is like a zebra –
everyone wants to be first Either the stripes are white,
or we’re moving through the wilds I won’t waste time.”

Mr. Tretyakov said he was not the author of that particular rhyme, but that he has been known to record his own rhythms.

“Sometimes I make bad beats,” he said. “Soundcloud.”

NEVER MIND THE DOMAIN NAME

The FBI/CISA alert on Snatch Ransomware (PDF) includes an interesting caveat: It says Snatch actually deploys ransomware on victim systems, but it also acknowledges that the current occupants of Snatch’s dark and clear web domains call themselves Snatch Team, and maintain that they are not the same people as Snatch Ransomware from 2018.

Here’s the interesting bit from the FBI/CISA report:

“Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.”

Avid readers will recall a story here earlier this week about Snatch Team’s leaky darknet website based in Yekaterinburg, RU that exposed their internal operations and Internet addresses of their visitors. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft TeamsAdobe ReaderMozilla Thunderbird, and Discord.

Snatch Team claims to deal only in stolen data — not in deploying ransomware malware to hold systems hostage.

Representatives of the Snatch Team recently answered questions from Databreaches.net about the claimed discrepancy in the FBI/CISA report.

“First of all, we repeat once again that we have nothing to do with Snatch Ransomware, we are Security Notification Attachment, and we have never violated the terms of the concluded transactions, because our honesty and openness is the guarantee of our income,” the Snatch Team wrote to Databreaches.net in response to questions.

But so far the Snatch Team has not been able to explain why it is using the very same domain names that the Snatch ransomware group used?

Their claim is even more unbelievable because the Snatch Team members told Databreaches.net they didn’t even know that a ransomware group with that name already existed when they initially formed just two years ago.

This is difficult to swallow because even if they were a separate group, they’d still need to somehow coordinate the transfer of the Ransomware group’s domains on the clear and dark webs. If they were hoping for a fresh start or separation, why not just pick a new name and new web destination?

“Snatchteam[.]cc is essentially a data market,” they continued. “The only thing to underline is that we are against selling leaked information, sticking to the idea of free access. Absolutely any team can come to us and offer information for publication. Even more, we have heard rumors that a number of ransomware teams scare their clients that they will post leaked information on our resource. We do not have our own ransomware, but we are open to cooperation on placement and monetization of dates (sic).”

Maybe Snatch Team does not wish to be associated with Snatch Ransomware because they currently believe stealing data and then extorting victim companies for money is somehow less evil than infecting all of the victim’s servers and backups with ransomware.

It is also likely that Snatch Team is well aware of how poorly some of their founders covered their tracks online, and are hoping for a do-over on that front.

Read More

CVE-2022-4956

Read Time:24 Second

A vulnerability classified as critical has been found in Caphyon Advanced Installer 19.7. This affects an unknown part of the component WinSxS DLL Handler. The manipulation leads to uncontrolled search path. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. Upgrading to version 19.7.1 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-240903.

Read More

chromium-117.0.5938.132-2.fc39

Read Time:29 Second

FEDORA-2023-c890266d3f

Packages in this update:

chromium-117.0.5938.132-2.fc39

Update description:

update to 117.0.5938.132. Fixes following security issues:

CVE-2023-5129 CVE-2023-5186

Update to 117.0.5938.92.

update to 117.0.5938.88

update to 117.0.5938.62. Fixes following security issues:

CVE-2023-4900 CVE-2023-4901 CVE-2023-4902 CVE-2023-4903 CVE-2023-4904
CVE-2023-4905 CVE-2023-4906 CVE-2023-4907 CVE-2023-4908 CVE-2023-4909

update to 116.0.5845.187. Fixes following security issue: CVE-2023-4863

Read More

chromium-117.0.5938.132-1.el8

Read Time:42 Second

FEDORA-EPEL-2023-8f3e1b6f78

Packages in this update:

chromium-117.0.5938.132-1.el8

Update description:

update to 117.0.5938.132. Fixes following security issues:

CVE-2023-5129 CVE-2023-5186

Update to 117.0.5938.92.

update to 117.0.5938.88

update to 117.0.5938.62. Fixes following security issues:

CVE-2023-4900 CVE-2023-4901 CVE-2023-4902 CVE-2023-4903 CVE-2023-4904
CVE-2023-4905 CVE-2023-4906 CVE-2023-4907 CVE-2023-4908 CVE-2023-4909

update to 116.0.5845.187. Fixes following security issue: CVE-2023-4863

update to 116.0.5845.179. Fixes following security issues:
CVE-2023-4427 CVE-2023-4428 CVE-2023-4429 CVE-2023-4430 CVE-2023-4431 CVE-2023-4572 CVE-2023-4761 CVE-2023-4762 CVE-2023-4763 CVE-2023-4764

Read More

chromium-117.0.5938.132-1.el7

Read Time:42 Second

FEDORA-EPEL-2023-edc9c74369

Packages in this update:

chromium-117.0.5938.132-1.el7

Update description:

update to 117.0.5938.132. Fixes following security issues:

CVE-2023-5129 CVE-2023-5186

Update to 117.0.5938.92.

update to 117.0.5938.88

update to 117.0.5938.62. Fixes following security issues:

CVE-2023-4900 CVE-2023-4901 CVE-2023-4902 CVE-2023-4903 CVE-2023-4904
CVE-2023-4905 CVE-2023-4906 CVE-2023-4907 CVE-2023-4908 CVE-2023-4909

update to 116.0.5845.187. Fixes following security issue: CVE-2023-4863

update to 116.0.5845.179. Fixes following security issues:
CVE-2023-4427 CVE-2023-4428 CVE-2023-4429 CVE-2023-4430 CVE-2023-4431 CVE-2023-4572 CVE-2023-4761 CVE-2023-4762 CVE-2023-4763 CVE-2023-4764

Read More

chromium-117.0.5938.132-1.el9

Read Time:42 Second

FEDORA-EPEL-2023-cca1f87440

Packages in this update:

chromium-117.0.5938.132-1.el9

Update description:

update to 117.0.5938.132. Fixes following security issues:

CVE-2023-5129 CVE-2023-5186

Update to 117.0.5938.92.

update to 117.0.5938.88

update to 117.0.5938.62. Fixes following security issues:

CVE-2023-4900 CVE-2023-4901 CVE-2023-4902 CVE-2023-4903 CVE-2023-4904
CVE-2023-4905 CVE-2023-4906 CVE-2023-4907 CVE-2023-4908 CVE-2023-4909

update to 116.0.5845.187. Fixes following security issue: CVE-2023-4863

update to 116.0.5845.179. Fixes following security issues:
CVE-2023-4427 CVE-2023-4428 CVE-2023-4429 CVE-2023-4430 CVE-2023-4431 CVE-2023-4572 CVE-2023-4761 CVE-2023-4762 CVE-2023-4763 CVE-2023-4764

Read More

Unprotected Mobile Devices

Read Time:6 Minute, 14 Second

In the ever-growing digital age, our mobile devices contain an alarming amount of personal, sensitive data. From emails, social media accounts, banking applications to payment apps, our personal and financial lives are increasingly entwined with the convenience of online, mobile platforms. However, despite the increasing threat to cyber security, it appears many of us are complacent about protecting our mobile devices.

Survey revealed that many mobile users still use easy-to-remember and easy-to-guess passwords. With such an increasing dependence on mobile devices to handle our daily tasks, it seems unimaginable that many of us leave our important personal data unguarded. Theft or loss of an unsecured mobile device can, and often does, result in a catastrophic loss of privacy and financial security.

Mobile Device Security

The unfortunate reality of our digital era is that devices are lost, misplaced, or stolen every day. A mobile device without password protection is a gold mine for anyone with malicious intent. According to a global survey by McAfee and One Poll, many consumers are largely unconcerned about the security of their personal data stored on mobile devices. To illustrate, only one in five respondents had backed up data on their tablet or smartphone. Even more concerning, 15% admitted they saved password information on their phone.

Such statistics are troubling for several reasons. The most obvious is the risk of personal information —including banking details and online login credentials— falling into the wrong hands. A lost or stolen device is not just a device lost— it’s potentially an identity, a bank account, or worse. The lack of urgency in securing data on mobile devices speaks to a broad consumer misunderstanding about the severity of the threats posed by cybercriminals and the ease with which they can exploit an unprotected device.

→ Dig Deeper: McAfee 2023 Consumer Mobile Threat Report

The Gender Disparity in Mobile Device Security

Perhaps one of the most surprising findings of the survey is the difference in mobile security behaviors between men and women. This difference illustrates not just a disparity in the type of personal information each group holds dear, but also the degree of risk each is willing to accept with their mobile devices.

Broadly speaking, men tend to place greater value on the content stored on their devices, such as photos, videos, and contact lists. Women, on the other hand, appear more concerned about the potential loss of access to social media accounts and personal communication tools like email. They are statistically more likely to experience online harassment and privacy breaches. This could explain why they are more concerned about the security of their social media accounts, as maintaining control over their online presence can be a way to protect against harassment and maintain a sense of safety.

The loss of a mobile device, which for many individuals has become an extension of their social identity, can disrupt daily life significantly. This distinction illustrates that the consequences of lost or stolen mobile devices are not just financial, but social and emotional as well.

Risky Behaviors Persist

Despite the differences in what we value on our mobile devices, the survey showed a worrying level of risky behavior from both genders. Over half (55%) of respondents admitted sharing their passwords or PIN with others, including their children. This behavior not only leaves devices and data at risk of unauthorized access but also contributes to a wider culture of complacency around mobile security.

Password protection offers a fundamental layer of security for devices, yet many people still choose convenience over safety. Setting a password or PIN isn’t a failsafe method for keeping your data safe. However, it is a simple and effective starting point in the broader effort to protect our digital lives.

→ Dig Deeper: Put a PIN on It: Securing Your Mobile Devices

Steps to Mobile Device Security

While the survey results raise an alarm, the good news is that we can turn things around. It all begins with acknowledging the risks of leaving our mobile devices unprotected. There are simple steps that can be taken to ramp up the security of your devices and protect your personal information.

First and foremost, password-protect all your devices. This means going beyond your mobile phone to include tablets and any other portable, internet-capable devices you may use. And, while setting a password, avoid easy ones like “1234” or “1111”. These are the first combinations a hacker will try. The more complex your password is, the sturdier a barrier it forms against unauthorized access.

Another important step is to avoid using the “remember me” function on your apps or mobile web browser. Although it might seem convenient to stay logged into your accounts for quick access, this considerably amplifies the risk if your device gets stolen or lost. It’s crucial to ensure you log out of your accounts whenever not in use. This includes email, social media, banking, payment apps, and any other accounts linked to sensitive information.

McAfee Pro Tip: If your phone is lost or stolen, employing a combination of tracking your device, locking it remotely, and erasing its data can safeguard both your phone and the information it contains. Learn more tips on how to protect your mobile device from loss and theft.

Sharing your PIN or password is also a risky behavior that should be discouraged. Admittedly, this might be challenging to implement, especially with family members or close friends. But the potential harm it can prevent in the long run far outweighs the temporary convenience it might present.

Investing in Mobile Security Products

Having highlighted the importance of individual action towards secure mobile practices, it’s worth noting that investing in reliable security software can also make a world of difference. A mobile security product like McAfee Mobile Security, which offers anti-malware, web protection, and app protection, can provide a crucial extra layer of defense.

With app protection, not only are you alerted if your apps are accessing information on your mobile that they shouldn’t, but in the event that someone does unlock your device, your personal information remains safe by locking some or all of your apps. This means that even if your device falls into the wrong hands, they still won’t be able to access your crucial information.

It’s also critical to stay educated on the latest ways to protect your mobile device. Cyber threats evolve constantly, and awareness is your first line of defense. McAfee has designed a comprehensive approach to make the process of learning about mobile security not just informative but also engaging. Our array of resources includes a rich repository of blogs, insightful reports, and informative guides. These materials are meticulously crafted to provide users with a wealth of knowledge on how to protect their mobile devices, ensuring that the learning experience is not only informative but also engaging and enjoyable.

Final Thoughts

While the current state of mobile device security may seem concerning, it’s far from hopeless. By incorporating simple security practices such as setting complex passwords and avoiding shared access, we can significantly reduce the risk of unauthorized data access. Additionally, investing in trusted mobile security products like McAfee Mobile Security can provide a robust defense against advancing cyber threats. Remember, our digital lives mirror our real lives – just as we lock and secure our homes, so too must we protect our mobile devices.

The post Unprotected Mobile Devices appeared first on McAfee Blog.

Read More