top of page

Threat groups skip file encryption and directly steal data

The NCC Group, a global information security organisation, has observed, over the recent months, an increasing number of data breach extortion cases.

This type of crime consists of a threat actor or group stealing company data. They then threaten to publish the data if the victim doesn’t pay up. This is usually typical to a ransomware tactic named ‘double extortion’ that is added to pressurise victims into paying once their files have been encrypted.

A new threat group named ‘SnapMC’ has emerged with a focus on straight up extortion, a low-tech approach that completely skips the encryption stage of a typical ransomware attack.

File encryption is considered an essential component of a typical ransomware attack, as it's the very element that brings operational disruption to the victim.

Data exfiltration, for purposes of double extortion, came later as an additional form of pressure on a victim.

Now that the power of the data extortion tactic has been realised by threat actors, it is starting to become recognised as a standalone approach for less work and quicker payments.

The new SnapMC gang uses a vulnerability scanner to find a range of flaws in a target’s Virtual Private Network (VPN) and web server applications, and then successfully exploits them to breach the network with the main aim of exfiltrating sensitive data.

In the extortion emails seen so far, SnapMC have given victims 24 hours to get in contact and 72 hours to negotiate. As evidence, the group provides victims with a list of the exfiltrated data. If they fail to engage in negotiations within the timeframe, they will then threaten to publish the data and report the breach to customers and the media.

Removing the encryption part of the attack was a natural evolution of the ransomware model. It is predicted the trend towards more simple attacks is likely to continue.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page