The recent leak of data from the darknet website of the Snatch ransomware group has brought attention to the history of the group and its alleged founder. It has also raised questions about their identity and their claims of being mistaken for a different ransomware group with the same name.
According to a joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Administration (CISA), Snatch was originally known as Team Truniger, named after the group’s founder and organizer, Truniger. The report reveals that Truniger was previously affiliated with GandCrab, an early ransomware-as-a-service offering that closed down after extorting over $2 billion from victims. It is believed that GandCrab eventually transformed into the notorious Russian ransomware group known as REvil.
The FBI/CISA report states that Snatch is known for using a customized ransomware variant that reboots Microsoft Windows devices into Safe Mode, where most antivirus and endpoint protection agents do not run, allowing the ransomware to encrypt files undetected. The group has also been observed purchasing stolen data from other ransomware variants as a means to pressure victims into paying the ransom.
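The Safe Mode trick described above is something defenders can look for before the reboot happens: a host has to be reconfigured to boot into Safe Mode, and a service has to be registered to start there, both of which leave process-creation telemetry. The following is an added detection example, not code from the advisory or from any of the parties the article describes. It assumes the reconfiguration is done with the built-in `bcdedit` tool's `safeboot` option and with writes under the `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot` registry key (standard Windows mechanisms that the article itself does not name), and the sample events are constructed in a simplified Sysmon-style process-creation layout.

```python
"""Flag hosts whose process-creation telemetry shows Safe Mode staging.

Added detection example. The events below are constructed; the tuple layout
(host, parent image, image, command line) is a simplified stand-in for a
Sysmon Event ID 1 or EDR process-creation record, not a real feed.
"""
import re

# Constructed sample events. ws01 shows the full staging sequence; ws02 shows
# benign administrative use of the same tools (read-only enumeration).
SAMPLE_EVENTS = [
    ("ws01", "explorer.exe", "cmd.exe", "cmd.exe /c dir C:\\Users"),
    ("ws01", "svchost.exe", "bcdedit.exe", "bcdedit.exe /set {current} safeboot minimal"),
    ("ws01", "svchost.exe", "reg.exe",
     "reg.exe add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\UpdaterSvc /ve /d Service /f"),
    ("ws01", "svchost.exe", "shutdown.exe", "shutdown.exe /r /f /t 0"),
    ("ws02", "cmd.exe", "bcdedit.exe", "bcdedit.exe /enum"),
    ("ws02", "services.exe", "reg.exe",
     "reg.exe query HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal"),
]

# bcdedit writing a safeboot value: the next boot will be Safe Mode.
BCDEDIT_SAFEBOOT = re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\bsafeboot\b", re.I)
# reg.exe adding a key under SafeBoot\Minimal or SafeBoot\Network: the named
# service is allowed to start in Safe Mode, where security agents usually are not.
SAFEBOOT_SERVICE_REG = re.compile(
    r"\breg(?:\.exe)?\s+add\b.*\\SafeBoot\\(?:Minimal|Network)\\", re.I)
# A forced restart on its own is routine; it only matters after the two above.
FORCED_REBOOT = re.compile(r"\bshutdown(?:\.exe)?\b.*/r\b", re.I)


def classify(command_line):
    """Map one command line to a staging step, or None if it is not one."""
    if BCDEDIT_SAFEBOOT.search(command_line):
        return "boot_config_safeboot"
    if SAFEBOOT_SERVICE_REG.search(command_line):
        return "safeboot_service_registered"
    if FORCED_REBOOT.search(command_line):
        return "reboot"
    return None


def find_safe_mode_staging(events):
    """Return {host: severity} for hosts that reconfigured Safe Mode.

    'high'   : a Safe Mode configuration change followed by a forced reboot
    'medium' : a Safe Mode configuration change with no reboot seen (yet)
    Hosts with only reboots, or only read-only bcdedit/reg use, are not reported.
    """
    per_host = {}
    for host, _parent, _image, cmdline in events:
        tag = classify(cmdline)
        if tag is not None:
            per_host.setdefault(host, set()).add(tag)

    config_tags = {"boot_config_safeboot", "safeboot_service_registered"}
    result = {}
    for host, tags in per_host.items():
        if tags & config_tags:
            result[host] = "high" if "reboot" in tags else "medium"
    return result


if __name__ == "__main__":
    for host, severity in sorted(find_safe_mode_staging(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity}")
```

The read-only commands on ws02 (`bcdedit /enum`, `reg query`) are deliberately left unflagged so that ordinary administration does not page anyone; only a write to the boot configuration or to the SafeBoot service list, especially when a forced reboot follows on the same host, is reported. In a real deployment the same three patterns translate directly into process-creation rules in whatever EDR or SIEM query language is in use.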
Cyber intelligence firm Flashpoint has provided further insight into the origins of the Snatch ransomware group. They claim that Truniger recruited hackers for the group on Russian-language cybercrime forums and public programming boards. Truniger specifically sought out “pen testers” with experience in Windows system administration, backups, privilege management, and network management.
Flashpoint also discovered that Truniger used the username Semen7907 on sysadmins[.]ru, a forum where he recruited hackers for the Snatch ransomware group. In April 2020, Truniger was banned from two top Russian cybercrime forums after it was revealed that he had purchased credentials to a company from a network access broker on the dark web. Despite this, Truniger denies any involvement in cybercrime and claims that someone else gained control of his sysadmins[.]ru account and posted on his behalf.
Further investigation by Constella Intelligence, a data breach and threat actor research platform, uncovered various online accounts associated with Semen7907. These include registrations on Russian-language programming forums, a now-defunct gaming website that suffered a data breach, and an account on the online game stalker[.]so. All of these accounts were accessed from the same IP address in Yekaterinburg, Russia.
When contacted via Telegram, the person behind the account “Perchatka,” which was connected to the IP address linked to Semen7907, denied involvement in cybercrime and claimed to have a full-time job in IT at a major company. They suggested that their sysadmins[.]ru account may have been compromised during a reported hack of the forum’s user database by a pro-Ukrainian hacker group. However, they did admit to using the username Semen7907 on the forum.
The FBI/CISA alert on Snatch Ransomware acknowledges the existence of another group calling themselves Snatch Team, who claim to be different from the Snatch ransomware group from 2018. The alert states that the Snatch Team operates an extortion site that serves as a clearinghouse for stolen data from multiple ransomware groups, including Nokoyawa and Conti. Snatch Team claims to deal only in stolen data and not in deploying ransomware.
Representatives from the Snatch Team have responded to questions posed by Databreaches.net, reiterating their claim of not being associated with Snatch Ransomware and denying any violations of transaction terms. They argue that their use of the same domain names as the ransomware group is a result of a technical issue.
As investigations into the Snatch ransomware group and Snatch Team continue, it is clear that Snatch has left a trail of cybercrime activities and a web of confusion surrounding its true identity. The leak of the darknet website data has shed some light on its operations, but many questions remain unanswered. Law enforcement agencies and cybersecurity experts will undoubtedly continue their efforts to unravel the mysteries surrounding Snatch and its alleged founder, Truniger.