
Emerging Threats

Fast extortion attacks without ransomware

· frtg · 3 min read

We observed a newly identified threat group designated SnapMC that, within 30 minutes, compromises organizational systems, exfiltrates sensitive data, and demands payment to prevent disclosure.

This group does not deploy ransomware, and therefore shows no interest in data encryption—only in data exfiltration. They typically exploit unpatched VPN and webserver instances to breach organizational perimeters and conduct illicit operations.

Victims are granted 24 hours to establish contact and 72 hours to reach settlement; however, pressure tactics are applied well before these deadlines. Proof of compromise is provided in the form of a complete inventory of exfiltrated data. If negotiations are not concluded within the specified timeframes, the data is published and the breach is reported to clients and media outlets.

SnapMC

The designation SnapMC derives from their operational speed ("Snap") and their use of the MinIO client utility mc.exe for data exfiltration.

Source: SnapMC skips ransomware, steals data – Fox-IT International blog

To obtain initial access, the threat actors exploit vulnerabilities in Telerik UI for ASP.NET AJAX and deploy SQL injection attacks against webserver applications.

Following successful access, the threat actors leverage the CVE-2019-18935 vulnerability to execute a payload that establishes remote access via a reverse shell. Subsequent reconnaissance is conducted through PowerShell with the following commands:

  • whoami
  • whoami /priv
  • wmic logicaldisk get caption,description,providername
  • net users /priv

The group performs privilege escalation activities through PowerShell scripts:

  • Invoke-Nightmare
  • Invoke-JuicyPotato
  • Invoke-ServiceAbuse
  • Invoke-EventVwrBypass
  • Invoke-PrivescAudit

For data collection, 7zip and Invoke-SQLcmd scripts are deployed. Artifacts resulting from execution of these utilities are stored in the following directories:

  • C:\Windows\Temp\
  • C:\Windows\Temp\Azure
  • C:\Windows\Temp\Vmware

CVE-2019-18935

Progress Telerik UI for ASP.NET AJAX through version 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. The vulnerability carries a critical CVSS score of 9.8 and is exploitable when the encryption keys are known, for example through CVE-2017-11317 or CVE-2017-11357. Successful exploitation enables remote code execution. Beginning with version 2020.1.114, a default configuration prevents exploitation; the same protection is present in version 2019.3.1023 but absent in earlier releases. Detecting this activity requires Managed Detection and Response capabilities that can identify anomalous post-exploitation behavior patterns.

IOC

Payload filename downloaded following successful Telerik exploitation. The name is composed of a first segment derived from an epoch timestamp and a second segment (after the dot) that is generated randomly:

  • C:\Windows\Temp\[0-9]{10}.[0-9]{1,8}.dll

7zip utility

  • 7zip archiving utility

SQL cmdlet

  • s.ps1
  • a.ps1
  • x.ps1

Directories in which files created by MinIO are stored:

  • C:\Windows\Temp\Vmware\
  • C:\Windows\Temp\Azure\

MinIO client

  • MD5: 651ed548d2e04881d0ff24f789767c0e
  • SHA1: b4171d48df233978f8cf58081b8ad9dc51a6097f
  • SHA256: 0a1d16e528dc1e41f01eb7c643de0dfb4e5c4a67450c4da78427a8906c70ef3e
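As an added defender-side example, not part of the original post or the Fox-IT report, the following Python checks file-creation events against the IOCs listed above: the timestamp-named payload DLL in C:\Windows\Temp, writes into the Azure and Vmware staging directories, and the MinIO client hashes. The sample events and the 2019-2030 epoch plausibility window are constructed assumptions, not values from the report.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Payload filename pattern from the report:
# C:\Windows\Temp\<10-digit epoch>.<1-8 random digits>.dll
PAYLOAD_RE = re.compile(r"^C:\\Windows\\Temp\\(\d{10})\.(\d{1,8})\.dll$", re.IGNORECASE)

# Staging directories the report names for 7zip / Invoke-SQLcmd / MinIO output
STAGING_DIRS = ("C:\\Windows\\Temp\\Azure\\", "C:\\Windows\\Temp\\Vmware\\")

# MD5, SHA1 and SHA256 of the MinIO client (mc.exe) as listed in the report
MINIO_HASHES = {
    "651ed548d2e04881d0ff24f789767c0e",
    "b4171d48df233978f8cf58081b8ad9dc51a6097f",
    "0a1d16e528dc1e41f01eb7c643de0dfb4e5c4a67450c4da78427a8906c70ef3e",
}

# Assumption: the first segment is Unix epoch seconds; only accept 2019-01-01 .. 2030-01-01
EPOCH_MIN, EPOCH_MAX = 1546300800, 1893456000


def classify(path: str, file_hash: Optional[str] = None) -> List[str]:
    """Return the IOC labels that a single file-creation event matches (empty if none)."""
    hits = []
    m = PAYLOAD_RE.match(path)
    if m and EPOCH_MIN <= int(m.group(1)) <= EPOCH_MAX:
        hits.append("telerik_payload_dll")
    if any(path.lower().startswith(d.lower()) for d in STAGING_DIRS):
        hits.append("staging_dir_write")
    if file_hash and file_hash.lower() in MINIO_HASHES:
        hits.append("minio_client_hash")
    return hits


def scan(events: Iterable[Tuple[str, Optional[str]]]) -> List[Tuple[str, List[str]]]:
    """Filter (path, hash) events down to those matching at least one IOC."""
    results = [(p, classify(p, h)) for p, h in events]
    return [(p, hits) for p, hits in results if hits]


# Constructed sample events (not from the report); the hash is the report's MinIO MD5
SAMPLE_EVENTS = [
    (r"C:\Windows\Temp\1633000000.4821.dll", None),                    # payload pattern
    (r"C:\Windows\Temp\Azure\mc.exe", "651ed548d2e04881d0ff24f789767c0e"),
    (r"C:\Windows\Temp\Vmware\export.7z", None),                       # staging write
    (r"C:\Windows\Temp\0000000001.1.dll", None),                       # epoch out of window
    (r"C:\Program Files\App\app.dll", None),                           # benign
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_EVENTS):
        print(path, hits)
```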

The operational model employed by SnapMC—rapid compromise, data exfiltration, and extortion without encryption—represents a distinct threat vector requiring continuous monitoring of unpatched external-facing systems and anomalous data access patterns.
