Snatch ransomware group’s darknet site is reportedly exposing visitors’ IP addresses and the group’s true online location. Leaked data indicated that the ransomware group has been using paid ads on Google.com to deceive people into installing malware disguised as free software.
Snatch Ransomware
First appearing in 2018, the Snatch ransomware group, originally known as Team Truniger, is a cybercriminal syndicate that leaks stolen data of hacked organizations that refused to pay ransom demands.
In recent years, Snatch operators have often exploited weaknesses in Remote Desktop Protocol (RDP) deployments to get past users’ passwords. More recently, however, the group appears to have turned to paid Google ads.
The Snatch ransomware group uses a website on the open internet to publish stolen data. That data is then mirrored on the group’s darknet site, where thousands of anonymous users can access it.
What Goes Around
Ironically, Snatch’s darknet site, which is supposed to be completely anonymous, has been exposing the group’s own server status page. The darknet site is reachable only through the Tor network, which uses layered encryption to protect users’ privacy online.
The exposed status page reveals the true Internet addresses of users visiting the darknet site. Refreshing the page repeatedly turned up thousands of visitor IP addresses per day.
Among the most frequent addresses on the page are those from Russia. Notably, Snatch runs its command-and-control servers from Russian hosting, and these Russian addresses are believed to host Snatch’s clear-web domain names.
One of the most active addresses visiting Snatch’s darknet site is 193.108.114[.]41, a server based in Yekaterinburg. Further investigation showed that this Russian address hosts several of Snatch’s domains.
The address likely appears so often because of a toggle button on Snatch’s clear-web site, which lets visitors switch over to the darknet site via Tor.
What Do You Mean, OpSec?
While OpSec may be Dark Web 101, many people simply do not follow the basics, and this leak exposes every visitor who failed to do so. The flawed website design not only leaks visitor data but also compromises those visitors in a serious way, and it says something about the administrator. It is therefore not surprising that this small mistake eventually reflects back on the site owner. Consider it a reminder to keep your OpSec in check at every stage.
Another Internet address that regularly appeared on the status page was 194.168.175[.]226. This address is currently assigned to a Russian organisation named Matrix Telekom. Surprisingly, the same address also hosts several of Snatch’s domains as well as other phishing domains, according to DomainTools.com.
Furthermore, 80.66.64[.]15, a Moscow address, was constantly visiting the Snatch darknet site. The same address hosts several Snatch clear-web domains and look-alike domains imitating software companies such as Discord.
Mihail Kolesnikov
All the phishing domains linked to the Snatch ransomware syndicate have been registered to Mihail Kolesnikov. The name is closely associated with phishing domains tied to the use of malicious Google ads.
As it turns out, Mihail Kolesnikov was a Russian general under Boris Yeltsin’s administration. The name is a pseudonym used by the group, and more than 1,300 domains were registered under it between 2013 and 2023. More than half of the domains registered under Mr Kolesnikov were linked to old escort websites in major U.S. cities.
The remaining half of the domains registered in Kolesnikov’s name ended in “.to” and “.app”. These more recent websites were designed to imitate the domains of top software companies. In August 2023, Trustwave SpiderLabs found domains registered to Mihail Kolesnikov that had been used to spread the Rilide information-stealing trojan.
Malvertising Takes Center Stage
Snatch wasn’t the only cybercriminal group accused of using these domains for phishing. Spamhaus issued a warning about an increase in malicious ads hijacking search results on Google.com.
These search results were being used to distribute around five different information-stealing trojans, including IcedID/Bokbot, AuroraStealer, Meta Stealer, Vidar, and RedLine Stealer.
The malicious ads targeted people searching for Microsoft Teams on Google.com. The search would return a paid ad spoofing Microsoft Teams or Microsoft as its first result, placing the malicious domain above every organic result.
At first glance, these ads carried the Microsoft logo and resembled a trusted site for downloading the software. However, people who clicked the malicious link were instead taken to microsoftteams-us[.]top, registered to none other than Mihail Kolesnikov.
What looked like a legitimate Microsoft Teams package was far more than victims bargained for. The installer included a copy of the IcedID malware, which harvests passwords and steals authentication tokens from the user.
Snatch’s exposed server status page was first noticed by htmalgae, a darknet security researcher who had previously discovered the true Internet address of the 8Base ransomware group. Htmalgae later stated that “the idea of a ransomware group’s victim shaming site leaking data that they did not intend to expose is deliciously ironic”.
All of the malware files mentioned above were designed to infect Windows devices. However, Malwarebytes revealed a new stealer trojan called “Atomicstealer” that targets Mac devices. Atomicstealer similarly used malicious Google ads and domains confusingly identical to those of software companies.
Malvertising has become extremely popular over the past few years, to the point that cybercriminals now sell malvertising as a service on the darknet. Demand is so high that criminals from the Snatch ransomware group are believed to have paid for stolen data from other ransomware gangs.
It appears that an individual or group has built a profitable darknet business out of developing software-themed phishing domains. Recent developments in malware highlight the need for individuals to remain vigilant and to follow privacy practices.
Users who wish to protect the privacy of their IP address should always connect through a Virtual Private Network. In addition, an anonymous search engine does not store cookies and preserves a user’s privacy. Tor still provides the highest level of privacy on the internet, despite the exposure of the Internet addresses of Snatch’s visitors.
Major software titles have become a frequent lure for infostealer infections, including Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord. Before downloading and installing any software, check that the download actually comes from the vendor’s real domain.