Blog post -
SnapMC: extortion without ransomware
Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay.
Managing Consultant and Incident Handler Mattijs Dijkstra, who is based in our Delft office in The Netherlands, shares his thoughts in this piece.
Forget ransomware, too expensive and too much hassle. Randomly enter through a known vulnerability, take a look around, lock away data and leave again. And all that within half an hour: hit & run. An email is then sent to the affected organization: pay or else the stolen data will be published and/or sold.
This is the opportunistic approach of a new group of blackmailers who don't even bother to encrypt data. We have given them the name SnapMC: a combination of 'snap' (a sudden, sharp cracking sound or movement) and MC, from mc.exe, the primary tool they use to exfiltrate data.
We have only seen SnapMC's attacks in the Netherlands for the time being. They do not target specific sectors and we have not (yet) been able to associate them with known attackers.
In recent months, we have seen more and more cases of extortion, where the attacker steals data in a very short time and threatens to publish it online if the victim decides not to pay with - no question of ransomware or other attempts to disrupt the activities of the affected organization.
A typical scenario
In the extortion emails we saw from SnapMC, victims were given 24 hours to contact and 72 hours to negotiate. But in practice we see that those deadlines are flexible.
At the same time, the attacker starts to increase the pressure well before the deadline. SnapMC adds a list of the stolen data as proof that they had access to the victim's infrastructure. If the organization does not respond or begin negotiations within the time frame, the attacker threatens to publish the stolen data or does so immediately. Furthermore, the attacker informs the victim's clients and some media.
A big difference with many ransomware cases is that the attackers hardly take the time to look around to collect valuable data and information about the victim in a targeted manner. This is reflected in the vague extortion amounts that in the cases we investigated are between 30,000 and 150,000 euros in bitcoins.
Another difference is that the victim still has all the data and can continue to use it. The functioning of the organization is therefore not affected and therefore does not play a role in the extortion. However, the victim will have to verify which data has been leaked, not only to determine the risk of publication or sale, but also because it is in fact a data breach that may need to be reported.
Incidentally, for various reasons, not all SnapMC victims have paid.
The attacker promises that after payment all stolen data will be erased. That happens, otherwise the attacker's 'business model' would no longer work. But there is no guarantee that the data will not be sold on after payment. In any case, we have seen that if payment is not made, the blackmailer makes good on the threat and looks for a buyer on the dark web. It is also possible that the attacker deletes the data, but sells access to the victim's system to the highest bidder.
Recommendations and advice
Patching as quickly as possible and keeping equipment (connected to the Internet) up-to-date is obviously the best way to prevent vulnerabilities from being used by the attacker to gain entry, after all, the attacker left with the loot within half an hour..
To do this properly, regular vulnerability scans and penetration tests are required, as well as a complete overview of the software and equipment used, plus a good overview of the updates and patches that are available.
Third party supplier agreements
A complicating factor is that vulnerable software is often a component of applications delivered to the organization by third parties. However, these types of components are only within the reach of the developer or supplier. It is therefore important that clearly defined agreements are made between the organization and the software supplier about patch management and retention policy. It is also wise to make agreements about an obligation on the part of the supplier to make the systems available for forensic investigation and analysis in the event of an incident. Incidentally, a correctly configured Web Application Firewall (WAF) could have prevented the Telerik vulnerability from being abused, although that does not of course solve the root cause.
Encrypt data yourself
Once an attacker manages to get in, it is important to detect and respond as quickly as possible, especially in the case of a hit & run attack. Well-implemented detection and incident response mechanisms would most likely have prevented SnapMC from siphoning data.
Another possibility to limit the damage is to encrypt your own data. If an attacker locks away encrypted data it’s useless, he has nothing in his hands with which to extort the victim. In a number of SnapMC cases, that would have helped. However, it is not always possible or feasible to encrypt data, for example unacceptable performance problems can occur.
Danger of Escalation
It is expected that these types of attacks will certainly increase. The costs of a hit & run attack as executed by SnapMC are very favorable for the attacker. In addition, less technical knowledge or skill is required compared to a 'regular' ransomware attack. In extortion attacks with data breaches, most activities can be automated and take much less time, while still having a significant impact.
We also see the danger of escalation. A SnapMC attack could become the prelude to a full-fledged ransomware attack or other forms of extortion. Data could also be thoroughly erased or corrupted after locking it away. Then good (immutable) backups are vital.
Finally, it is crucial to retain data (log files, internal memory) for research into what exactly happened and what data has been funneled away. This may argue in favor of not immediately pulling the plug from the systems after discovering an attack, not to mention the possible impact on the business.
The remedy - immediately stopping the attack - may be worse than the disease.