Researchers have discovered a new threat group called SnapMC, which has been stealing organizations' sensitive data and then threatening to release it unless they pay up.
In a recent analysis on the group, researchers with NCC Group said that SnapMC puts further pressure on victims by warning them that if the payment deadline is not met, they will release the exfiltrated data and alert media organizations and customers. SnapMC is one of many threat actors doubling down on extortion tactics, with attackers frequently using three or four different extortion techniques during a cyberattack to bully victims into paying.
“There are multiple reasons for the success of these attacks: First, regulation and public awareness make victims more inclined to have the certainty of containing the incident by paying,” said Christo Butcher, global head for threat intelligence at the NCC Group Research and Intelligence Fusion Team. “Second, the threat actors behind various data breach extortion attacks are gaining more experience with every breach and subsequent extortion negotiation, which allows them to improve their skills in both negotiating as well as understanding the mindset of their victims.”
SnapMC and Data Breach Extortion
The SnapMC group - named for its rapid attacks, generally completed in under 30 minutes - operates by scanning for vulnerabilities in web server applications and VPNs, such as a remote code execution flaw (CVE-2019-18935) in Telerik UI for ASP.NET AJAX, a component library for the ASP.NET web framework. After exploiting such a vulnerability, the attackers execute a payload that gives them remote access via a reverse shell, then exfiltrate the victim's data. SnapMC then gives victims 24 hours to make contact and 72 hours to negotiate.
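The exploitation path described above leaves a recognisable trace in web server logs: CVE-2019-18935 lives in the RadAsyncUpload handler, which is reached through POST requests to Telerik.Web.UI.WebResource.axd with type=rau. The script below is an added example, not code from the NCC Group report or from this article; it parses a few constructed IIS W3C log lines, flags POSTs to that handler, and reports per source address how many were sent and how tight the burst was. The log lines, IP addresses and timestamps are constructed, and the field layout is the default IIS W3C layout.

```python
"""Flag bursts of POSTs to the Telerik RadAsyncUpload handler in IIS W3C logs.

Added example, not code from the NCC Group report. SAMPLE_LOG is constructed;
its field order is the default IIS W3C layout named in the #Fields: header.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs

# Handler behind CVE-2019-18935 (RadAsyncUpload). Path and query parameter are
# fixed by the product, so together they make a stable indicator.
RAU_STEM = "/telerik.web.ui.webresource.axd"
RAU_TYPE = "rau"

# Constructed sample: one benign page load, then a tight burst of upload-handler
# POSTs from a single scripted client, one of which makes the server fail.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-09-01 10:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 120
2021-09-01 10:00:05 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 35
2021-09-01 10:00:06 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.25.1 - 200 0 0 40
2021-09-01 10:00:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.9 python-requests/2.25.1 - 500 0 0 2100
"""


def parse_iis_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; production code should count these
        yield dict(zip(fields, values))


def is_rau_post(entry):
    """True for a POST to the RadAsyncUpload handler with type=rau."""
    if entry.get("cs-method") != "POST":
        return False
    if entry.get("cs-uri-stem", "").lower() != RAU_STEM:
        return False
    query = entry.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' for an empty query string
        return False
    params = parse_qs(query.lower())
    return RAU_TYPE in params.get("type", [])


def find_rau_bursts(text):
    """Return {client_ip: {count, first, last, seconds, errors}} for RAU POSTs."""
    hits = defaultdict(list)
    for entry in parse_iis_w3c(text):
        if is_rau_post(entry):
            ts = datetime.strptime(f"{entry['date']} {entry['time']}",
                                   "%Y-%m-%d %H:%M:%S")
            hits[entry["c-ip"]].append((ts, entry["sc-status"]))
    report = {}
    for ip, events in hits.items():
        events.sort()
        first, last = events[0][0], events[-1][0]
        report[ip] = {
            "count": len(events),
            "first": first.isoformat(sep=" "),
            "last": last.isoformat(sep=" "),
            "seconds": int((last - first).total_seconds()),
            # 5xx responses often mean a deserialization attempt that misfired
            "errors": sum(1 for _, status in events if status.startswith("5")),
        }
    return report


if __name__ == "__main__":
    for ip, info in find_rau_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} RAU POSTs in {info['seconds']}s "
              f"({info['errors']} 5xx) between {info['first']} and {info['last']}")
```

An application that actually uses the RadAsyncUpload control will produce legitimate POSTs to the same handler, so on such a site this rule needs tuning (scripted user agents, 5xx responses, or a burst from one address within seconds, as in the sample) rather than firing on every hit. Given the sub-30-minute timeline described above, the alert has to reach a responder quickly to matter.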
These types of data breach extortion tactics are not new; the FBI warned of similar threats in 2016. NCC Group said data breach extortion attacks are popular because they require less time and less technical skill than full-blown ransomware attacks.
“In a ransomware attack, the adversary needs to achieve persistence and become a domain administrator before stealing data and deploying ransomware,” said researchers with NCC Group. “While in the data breach extortion attacks, most of the activity could even be automated and takes less time while still having a significant impact.”
NCC Group’s Butcher said that over the last few months the team has handled six cases related to SnapMC and has observed SnapMC in multiple additional cases.
“The targeted organizations we’ve seen are quite diverse, including government, healthcare, IT and education,” said Butcher. “The absence of a clear industry or geographic focus is in line with the actor’s modus operandi of untargeted scanning for vulnerable systems. Similar to ransomware, data breach extortion can be used against any type of organization that has sensitive data.”
Raising the Bar on Extortion
Cybercriminals now typically combine several extortion tactics in a single attack. Researchers with Trend Micro recently said the number of ransomware attacks using three or four extortion methods has increased this year. In addition to encrypting data, ransomware actors are threatening to publish stolen data on a leak site, or even contacting victims' customers directly.
In September, for instance, the attackers behind a ransomware attack against the Allen Independent School District in Texas reportedly reached out directly to parents, threatening to publish their children's personal information online if the school district failed to pay a ransom.
In some cases, cybercriminals have also threatened to launch distributed denial-of-service (DDoS) attacks against a company as an extra layer of extortion. Robert McArdle, director of cybercrime research at Trend Micro, said that this approach would work particularly well against an eCommerce victim, whose revenue depends on staying online.
“If we consider triple extortion generally meaning DDoS on top, and quadruple meaning ‘contact your customers found from your leaked data,’ I think the latter is the stronger of the two for criminals,” he said. “But regardless, either works well to drive up innovation and profits.”
Erin Sindelar, threat researcher at Trend Micro, said that the use of three or four extortion tactics for one cyberattack will be employed by more ransomware families as the threat continues to evolve. The use of extortion is successful for cybercriminals because it plays into victims' fears around potential financial, reputational or legal consequences, she said.
“In today’s ransomware attacks, criminals want victims to feel like their only hope for recovery is to pay,” said Sindelar. “Ransomware affiliates try to position themselves as the heroes of the story who are able to rescue the victims they’ve compromised because they need victims to think their solution is the only solution to their ransomware problem.”
The Future of Extortion and Mitigations
As cybercriminals continue to look for new ways to blackmail their victims, McArdle predicts that future innovation will center on refining their business practices rather than their technical approaches.
“That makes sense with the volume of money moving around - even a 2 percent increase on profitability can be a significant pay day,” said McArdle. “We see this in groups like Grief, who warn that if professional negotiators are engaged by the company, they will immediately remove any ability to decrypt. They are trying to optimize their discussions with victims to have more of them turn into revenue generating opportunities for the criminal group/business.”
SnapMC and many other threat groups that leverage extortion typically achieve initial access through known vulnerabilities for which fixes exist. Researchers warn that because much of the attackers' activity can be automated, the window between initial access and exfiltration can be very short, so companies need to be able to detect these attacks quickly and have an incident response plan ready to execute.
“Patching in a timely manner and keeping (internet connected) devices up-to-date is the most effective way to prevent falling victim to these types of attacks,” said researchers with NCC Group. “Make sure to identify where vulnerable software resides within your network by (regularly performing) vulnerability scanning.”
Trend Micro’s Sindelar said that cyberattacks that leverage extortion are most effective against unprepared organizations.
“The best option for organizations is to prepare – protect critical assets and IT infrastructure, have detection technology in place to identify these attacks before the ransomware is dropped, and have a plan for recovery and response if an attack is successful,” said Sindelar. “These steps help the organization stay in control of the situation even if they’ve been successfully compromised.”