SnapMC: The Non-Ransomware Blackmail Attack

07 March 2023

By Mattijs Dijkstra

Blog Posts Digital Forensics and Incident Response (DFIR) Threat Intelligence

SnapMC Overview

  • In the latter half of 2021, NCC Group observed a rise in data breach extortion cases, which we've dubbed SnapMC attacks.

  • SnapMC attackers steal data in an astonishingly short amount of time, and blackmails their victim by threatening to publish it.

  • Unlike most ransomware cases, the extortion doesn't come with any ransomware threats or other attempts to disrupt the organization's activities.

  • SnapMC attacks are a prime example of hit and run attacks. We've compiled recommendations to protect, prepare, and respond to SnapMC attacks.

NCC Group has discovered a new group of blackmailers who take an opportunistic approach, and don't even bother to encrypt their stolen data.

We've dubbed them SnapMC: "snap" referring to the quick and sudden nature of these attacks, and "MC," which refers to mc.exe, the main tool they use for data exfiltration.

For now, these attackers don't appear to target specific sectors, and aren't associated with known attackers. Currently, they're only happening in the Netherlands.

Ransomware: expensive, difficult, time-consuming. 

Enter SnapMC hit and runs, where attackers take a look around, grab some data, and leave in the span of a half hour. Then, they'll email their victim, who can either pay up, or watch their data be published or sold to the highest bidder.

What does a typical SnapMC attack look like?

SnapMC extortion emails all lay out the same conditions:

  • You have 24 hours to make contact.
  • You have 72 hours to negotiate.

In practice, these are flexible deadlines, and attackers turn up the heat well before them by providing proof of the stolen data in a list or snapshot and making threats to publish it immediately. In some instances, the attacker will inform the victim's clients or the media of the data and the attack.

Most classic ransomware cases are highly targeted. Attackers will take their time finding the data that will give them the most power over their victim. SnapMC attackers are the opposite; they siphon off data as quickly as they can in an almost violent manner. We can see the scattered strategy in the wide, vague extortion amounts in the cases investigated, which were anywhere between 30,000 to 150,000 Euros in cryptocurrency.

Another main difference in SnapMC cases that differs greatly from classic ransomware is that all the data is still in the victim's possession, meaning that business operations aren't halted or affected. True, the victim will still have to verify that data has been leaked in order to determine their eminent risk in the case of publication or sale of that data.

Incidentally, not all SnapMC victims have given into the blackmail. SnapMC attackers promise that the stolen data will be erased after payment is received. Of course, there's no guarantee that would happen. We've seen that if the payment isn't made, attackers will make good on their promise and look for a buyer on the dark web and sell it to the highest bidder.

How to avoid becoming a victim, and how to respond if you do.

Patch often, consistently, and promptly.

Prevent vulnerabilities from being exploited in the first place by getting into the habit of patching vulnerabilities often, consistently, and as soon as you can after discovery. In addition, keep equipment with internet access updated. Remember: if an attacker can get away with your data in under half an hour, you can too. 

Two invaluable parts of your cyber security program for patching are regular vulnerability scanning and penetration testing. We also recommend a comprehensive overview of your organization's software and equipment, and a summary of available updates and patches.

Stay on top of third-party supplier agreements.

Things start to get complicated when you consider that a lot of vulnerabilities and entry points exist in third-party software, and these aren't under your remit. 

That's why it's vital to define and keep track of the agreements your organization has with software suppliers. In particular, sticking points will be patch management, retention policies, and suppliers' obligations to make their systems available for forensic investigation should an incident occur. 

Ensure that firewalls are configured correctly too. An improperly configured Web Application Firewall (WAF) was likely one of the tools that could have prevented several SnapMC cases.

Data encryption should be done on-premises.

When (not if) an attacker is able to get in, you need to be able to detect and respond immediately, especially in hit and run attacks. That's why it's important to implement effective detection and response programs and test them regularly.

But another effective method of protection is encryption. If a SnapMC attacker were to get their hands on encrypted data, it would be useless to them. In a number of cases we've seen, it would have at least alleviated some of the consequences. 

SnapMC attacks can easily escalate to something worse.

We predict that SnapMC or similar attack groups are only going to increase in number. Not only are they cheaper to carry out, but attackers don't need anywhere near the same amount of technical expertise, and several parts of the attacks can be completely automated, cutting down on the amount of time it takes to carry them out. 

We also believe that SnapMC attacks could be a foot in the door for other, worse types of extortion that could halt operations, like a classic ransomware attack. In addition, it's possible to lose stolen data, or it could be corrupted, so we recommend keeping secure offline backups just in case. It's also helpful to keep data like log files and internal memory handy for forensics after the fact: this data can be instrumental for figuring out what happened and what was stolen. 

But overall, the answer is clear: doing what you can to prevent an attack such as SnapMC is your best strategy. And where prevention fails, make sure you detect and respond to the attack as soon as they break in.

Fend off attacks like SnapMC

Learn more about vulnerability scanning services to ensure that you can stay ahead of attacks

Contact Us Learn More
Mattijs Dijkstra

Mattijs Dijkstra

Managing Consultant and Incident Handler, Fox-IT - part of NCC Group

Mattijs Dijkstra comes from a background in criminology and has worked in the cyber security industry for four years. Mattijs always strives to understand all the nitty-gritty details of cyber, making him well equipped to lead client engagements, perform security consulting, provide awareness sessions and crisis training, and for his role as an instructor in Fox Academy.