NCC Group, a global information security organisation, has observed an increasing number of data breach extortion cases over recent months.
This type of crime consists of a threat actor or group stealing company data and then threatening to publish it if the victim doesn’t pay up. It is usually seen as part of a ransomware tactic named ‘double extortion’, which is added to pressure victims into paying once their files have been encrypted.
A new threat group named ‘SnapMC’ has emerged with a focus on straight up extortion, a low-tech approach that completely skips the encryption stage of a typical ransomware attack.
File encryption is considered an essential component of a typical ransomware attack, as it's the very element that brings operational disruption to the victim.
Data exfiltration, for purposes of double extortion, came later as an additional form of pressure on a victim.
Now that the power of the data extortion tactic has been realised by threat actors, it is starting to become recognised as a standalone approach for less work and quicker payments.
The new SnapMC gang uses a vulnerability scanner to find a range of flaws in a target’s Virtual Private Network (VPN) and web server applications, and then successfully exploits them to breach the network with the main aim of exfiltrating sensitive data.
In the extortion emails seen so far, SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate. As evidence, the group provides victims with a list of the exfiltrated data. If victims fail to engage in negotiations within the timeframe, the group then threatens to publish the data and report the breach to customers and the media.
Removing the encryption part of the attack was a natural evolution of the ransomware model. It is predicted that the trend towards simpler attacks is likely to continue.
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to email@example.com. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).