
Snatch Ransomware Group Discloses Location & Internal Data


The Snatch Ransomware group has gained notoriety in the cybersecurity world due to its advanced techniques and ability to evade detection. Its use of file encryption and memory injection makes it difficult for security systems to identify and stop its attacks. However, recent findings by cybersecurity analysts at KrebsOnSecurity have exposed the group's operational weaknesses and provided insights into how it works.

The analysts discovered that the Snatch ransomware group's victim-shaming site inadvertently exposes its location, operations, and visitor IP addresses. This came to light when the researchers noticed that the group was using Google ads for malware distribution. The victim-shaming site, which is hosted on the darknet, reveals visitor IP addresses on its 'server status' page; the site attracts thousands of visitors, primarily from Russian IP addresses.

Through their investigation, the researchers identified several frequently accessed IP addresses that were associated with the Snatch ransomware group’s activities. One such IP address, 193.108.114[.]41, located in Yekaterinburg, Russia, hosted various Snatch domains. Another notable IP address, 194.168.175[.]226, belonging to Matrix Telekom, also hosted Snatch domains and phishing sites for well-known brands.
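As an added example (not code from the article or from KrebsOnSecurity), the following Python snippet shows how a defender would take the two defanged indicators quoted above, refang and validate them, and match them against outbound firewall log lines. The log lines are constructed sample data, not real traffic.

```python
import ipaddress
import re

# The two IP addresses named in the article, kept in defanged form as quoted.
SNATCH_INFRA_DEFANGED = [
    "193.108.114[.]41",   # Yekaterinburg, hosted Snatch domains
    "194.168.175[.]226",  # Matrix Telekom, Snatch domains and phishing sites
]

def refang_ip(value: str) -> str:
    """Convert a defanged IPv4 indicator ('1.2.3[.]4' or '1(.)2(.)3(.)4') back
    to a normal dotted-quad string, validating it along the way.
    Raises ValueError for anything that is not a well-formed IPv4 address."""
    candidate = value.strip().replace("[.]", ".").replace("(.)", ".")
    return str(ipaddress.IPv4Address(candidate))

# Constructed firewall log sample (hypothetical format, not from the article).
# The last line has a malformed destination that must not match 193.108.114.41.
SAMPLE_LOGS = """\
2023-09-20T10:01:02Z fw allow src=10.0.5.23 dst=142.250.72.14 dport=443
2023-09-20T10:01:09Z fw allow src=10.0.5.23 dst=193.108.114.41 dport=443
2023-09-20T10:02:11Z fw allow src=10.0.7.8 dst=194.168.175.226 dport=80
2023-09-20T10:03:30Z fw allow src=10.0.7.8 dst=1193.108.114.41 dport=443
"""

# Anchored key=value fields; the dotted-quad pattern is bounded on both sides
# so that an over-long octet run such as "1193.108.114.41" does not match.
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")
DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")

def find_matches(log_text: str, defanged_iocs) -> list:
    """Return (src, dst) pairs for every log line whose destination address
    is one of the refanged indicators."""
    watchlist = {refang_ip(ioc) for ioc in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        dst = DST_RE.search(line)
        src = SRC_RE.search(line)
        if dst and src and dst.group(1) in watchlist:
            hits.append((src.group(1), dst.group(1)))
    return hits

if __name__ == "__main__":
    for src, dst in find_matches(SAMPLE_LOGS, SNATCH_INFRA_DEFANGED):
        print(f"internal host {src} contacted listed infrastructure {dst}")
```

The same pattern extends to domain indicators by swapping the IPv4 validation for a hostname check; the point is to never paste defanged values straight into a blocklist or a regex.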

Interestingly, the researchers discovered that these domains were registered to an individual named Mihail Kolesnikov, who is likely using an alias. Kolesnikov has been linked to over 1,300 domains, some of which were used to distribute the Rilide trojan in August 2023. Trustwave Spiderlabs, another cybersecurity firm, found that Kolesnikov’s domains mimic major software companies, indicating a pattern of malicious activity.

Furthermore, the researchers uncovered evidence suggesting that Kolesnikov’s domains were used for phishing and spreading information-stealing malware. In February 2023, Spamhaus, an international nonprofit organization dedicated to tracking spam and cyber threats, warned about multiple groups using similar domains for these purposes.

In addition to distributing malware, the Snatch ransomware group also targeted victims through malicious Google ads. For example, victims searching for Microsoft Teams on Google were presented with spoofed ads that redirected them to a malicious domain registered to Kolesnikov. Clicking on these ads resulted in the download of IcedID malware, known for stealing browser passwords and tokens.

The researchers raised concerns that cybercriminals may be offering “malvertising as a service” on the dark web, creating and selling software-themed phishing domains to others. This practice allows them to profit from the illicit activities of other malicious actors.

Interestingly, the researchers also discovered the victim-shaming site of another ransomware group, 8Base, still in development mode. This oversight exposed the group's Russian-language site and the identity of a Moldovan programmer. The 8Base ransomware gang, ironically, failed to protect its own data while shaming others for their lack of data protection.

Given these findings, security analysts are urging caution, particularly when it comes to cracked software and rogue ads masquerading as legitimate search results. They recommend verifying the legitimacy of websites before downloading or installing anything to avoid falling victim to ransomware attacks.

In conclusion, the KrebsOnSecurity investigation into the Snatch ransomware group has shed light on its weaknesses and operations. By examining the leak in the group's victim-shaming site and analyzing the associated IP addresses and domains, researchers have uncovered valuable insights into its activities. These findings serve as a reminder to individuals and organizations to remain vigilant and take the necessary precautions to protect themselves from ransomware attacks.
