Earlier this week, KrebsOnSecurity revealed that the darknet website for the Snatch ransomware group was leaking data about its users and the crime gang’s internal operations. Today, we’ll take a closer look at the history of Snatch, its alleged founder, and their claims that everyone has confused them with a different, older ransomware group by the same name.
According to a September 20, 2023 joint advisory from the FBI and the U.S. Cybersecurity and Infrastructure Security Administration (CISA), Snatch was originally named Team Truniger, based on the nickname of the group’s founder and organizer — Truniger.
The FBI/CISA report says Truniger previously operated as an affiliate of GandCrab, an early ransomware-as-a-service offering that closed up shop after several years and claims to have extorted more than $2 billion from victims. GandCrab dissolved in July 2019, and is thought to have become “REvil,” one of the most ruthless and rapacious Russian ransomware groups of all time.
The government says Snatch used a customized ransomware variant notable for rebooting Microsoft Windows devices into Safe Mode — enabling the ransomware to circumvent detection by antivirus or endpoint protection — and then encrypting files when few services are running.
“Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog,” the FBI/CISA alert reads. It continues:
“Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network moving laterally across the victim’s network with RDP for the largest possible deployment of ransomware and searching for files and folders for data exfiltration followed by file encryption.”
New York City-based cyber intelligence firm Flashpoint said the Snatch ransomware group was created in 2018, based on Truniger’s recruitment both on Russian language cybercrime forums and public Russian programming boards. Flashpoint said Truniger recruited “pen testers” for a new, then-unnamed cybercrime group, by posting their private Jabber instant messenger contact details on multiple Russian language coding forums, as well as on Facebook.
“The command requires Windows system administrators,” Truniger’s ads explained. “Experience in backup, increase privileges, mikicatz, network. Details after contacting on jabber: truniger@xmpp[.]jp.”
In at least some of those recruitment ads — like one in 2018 on the forum sysadmins[.]ru –the username promoting Truniger’s contact information was Semen7907. In April 2020, Truniger was banned from two of the top Russian cybercrime forums, where members from both forums confirmed that Semen7907 was one of Truniger’s known aliases.
[SIDE NOTE: Truniger was banned because he purchased credentials to a company from a network access broker on the dark web, and although he promised to share a certain percentage of whatever ransom amount Truniger’s group extracted from the victim, Truniger paid the access broker just a few hundred dollars off of a six-figure ransom].
According to Constella Intelligence, a data breach and threat actor research platform, a user named Semen7907 registered in 2017 on the Russian-language programming forum pawno[.]ru using the email address tretyakov-files@yandex.ru.
That same email address was assigned to the user “Semen-7907” on the now defunct gaming website tunngle.net, which suffered a data breach in 2020. Semen-7907 registered at Tunngle from the Internet address 31.192.175[.]63, which is in Yekaterinburg, RU.
Constella reports that tretyakov-files@yandex.ru was also used to register an account at the online game stalker[.]so with the nickname Trojan7907.
There is a Skype user by the handle semen7907, and which has the name Semyon Tretyakov from Yekaterinburg, RU. Constella also found a breached record from the Russian mobile telephony site tele2[.]ru, which shows that a user from Yekaterinburg registered in 2019 with the name Semyon Sergeyvich Tretyakov and email address tretyakov-files@ya.ru.
The above accounts, as well as the email address semen_7907@mail.ru, were all registered or accessed from the same Yekaterinburg Internet address mentioned previously: 31.192.175.63. The Russian mobile phone number associated with that tele2[.]ru account is connected to the Telegram account “Perchatka,” (“glove” in Russian).
Reached via Telegram, Perchatka (a.k.a. Mr. Tretyakov) said he was not a cybercriminal, and that he currently has a full-time job working in IT at a major company (he declined to specify which).
Presented with the information gathered for this report (and more that is not published here), Mr. Tretyakov acknowledged that Semen7907 was his account on sysadmins[.]ru, the very same account Truniger used to recruit hackers for the Snatch Ransomware group back in 2018.
However, he claims that he never made those posts, and that someone else must have assumed control over his sysadmins[.]ru account and posted as him. Mr. Tretyakov said that KrebsOnSecurity’s outreach this week was the first time he became aware that his sysadmins[.]ru account was used without his permission.
Mr. Tretyakov suggested someone may have framed him, pointing to an August 2023 story at a Russian news outlet about the reported hack and leak of the user database from sysadmins[.]ru, allegedly at the hands of a pro-Ukrainian hacker group called CyberSec.
“Recently, because of the war in Ukraine, a huge number of databases have been leaked and finding information about a person is not difficult,” Tretyakov said. “I’ve been using this login since about 2013 on all the forums where I register, and I don’t always set a strong password. If I had done something illegal, I would have hidden much better :D.”
[For the record, KrebsOnSecurity does not generally find this to be the case, as the ongoing Breadcrumbs series will attest.]
A Semyon Sergeyvich Tretyakov is listed as the composer of a Russian-language rap song called “Parallels,” which seems to be about the pursuit of a high-risk lifestyle online. A snippet of the song goes:
“Someone is on the screen, someone is on the blacklist
I turn on the timer and calculate the risks
I don’t want to stay broke And in the pursuit of money
I can’t take these zeros Life is like a zebra –
everyone wants to be first Either the stripes are white,
or we’re moving through the wilds I won’t waste time.”
Mr. Tretyakov said he was not the author of that particular rhyme, but that he has been known to record his own rhythms.
“Sometimes I make bad beats,” he said. “Soundcloud.”
The FBI/CISA alert on Snatch Ransomware (PDF) includes an interesting caveat: It says Snatch actually deploys ransomware on victim systems, but it also acknowledges that the current occupants of Snatch’s dark and clear web domains call themselves Snatch Team, and maintain that they are not the same people as Snatch Ransomware from 2018.
Here’s the interesting bit from the FBI/CISA report:
“Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.”
Avid readers will recall a story here earlier this week about Snatch Team’s leaky darknet website based in Yekaterinburg, RU that exposed their internal operations and Internet addresses of their visitors. The leaked data suggest that Snatch is one of several ransomware groups using paid ads on Google.com to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.
Snatch Team claims to deal only in stolen data — not in deploying ransomware malware to hold systems hostage.
Representatives of the Snatch Team recently answered questions from Databreaches.net about the claimed discrepancy in the FBI/CISA report.
“First of all, we repeat once again that we have nothing to do with Snatch Ransomware, we are Security Notification Attachment, and we have never violated the terms of the concluded transactions, because our honesty and openness is the guarantee of our income,” the Snatch Team wrote to Databreaches.net in response to questions.
But so far the Snatch Team has not been able to explain why it is using the very same domain names that the Snatch ransomware group used?
Their claim is even more unbelievable because the Snatch Team members told Databreaches.net they didn’t even know that a ransomware group with that name already existed when they initially formed just two years ago.
This is difficult to swallow because even if they were a separate group, they’d still need to somehow coordinate the transfer of the Ransomware group’s domains on the clear and dark webs. If they were hoping for a fresh start or separation, why not just pick a new name and new web destination?
“Snatchteam[.]cc is essentially a data market,” they continued. “The only thing to underline is that we are against selling leaked information, sticking to the idea of free access. Absolutely any team can come to us and offer information for publication. Even more, we have heard rumors that a number of ransomware teams scare their clients that they will post leaked information on our resource. We do not have our own ransomware, but we are open to cooperation on placement and monetization of dates (sic).”
Maybe Snatch Team does not wish to be associated with Snatch Ransomware because they currently believe stealing data and then extorting victim companies for money is somehow less evil than infecting all of the victim’s servers and backups with ransomware.
It is also likely that Snatch Team is well aware of how poorly some of their founders covered their tracks online, and are hoping for a do-over on that front.
WormGPT, a private new chatbot service advertised as a way to use Artificial Intelligence (AI) to write malicious software without all the pesky prohibitions on such activity enforced by the likes of ChatGPT and Google Bard, has started adding restrictions of its own on how the service can be used. Faced with customers trying to use WormGPT to create ransomware and phishing scams, the 23-year-old Portuguese programmer who created the project now says his service is slowly morphing into “a more controlled environment.”
Image: SlashNext.com.
The large language models (LLMs) made by ChatGPT parent OpenAI or Google or Microsoft all have various safety measures designed to prevent people from abusing them for nefarious purposes — such as creating malware or hate speech. In contrast, WormGPT has promoted itself as a new, uncensored LLM that was created specifically for cybercrime activities.
WormGPT was initially sold exclusively on HackForums, a sprawling, English-language community that has long featured a bustling marketplace for cybercrime tools and services. WormGPT licenses are sold for prices ranging from 500 to 5,000 Euro.
“Introducing my newest creation, ‘WormGPT,’ wrote “Last,” the handle chosen by the HackForums user who is selling the service. “This project aims to provide an alternative to ChatGPT, one that lets you do all sorts of illegal stuff and easily sell it online in the future. Everything blackhat related that you can think of can be done with WormGPT, allowing anyone access to malicious activity without ever leaving the comfort of their home.”
In July, an AI-based security firm called SlashNext analyzed WormGPT and asked it to create a “business email compromise” (BEC) phishing lure that could be used to trick employees into paying a fake invoice.
“The results were unsettling,” SlashNext’s Daniel Kelley wrote. “WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks.”
A review of Last’s posts on HackForums over the years shows this individual has extensive experience creating and using malicious software. In August 2022, Last posted a sales thread for “Arctic Stealer,” a data stealing trojan and keystroke logger that he sold there for many months.
“I’m very experienced with malwares,” Last wrote in a message to another HackForums user last year.
Last has also sold a modified version of the information stealer DCRat, as well as an obfuscation service marketed to malicious coders who sell their creations and wish to insulate them from being modified or copied by customers.
Shortly after joining the forum in early 2021, Last told several different Hackforums users his name was Rafael and that he was from Portugal. HackForums has a feature that allows anyone willing to take the time to dig through a user’s postings to learn when and if that user was previously tied to another account.
That account tracing feature reveals that while Last has used many pseudonyms over the years, he originally used the nickname “ruiunashackers.” The first search result in Google for that unique nickname brings up a TikTok account with the same moniker, and that TikTok account says it is associated with an Instagram account for a Rafael Morais from Porto, a coastal city in northwest Portugal.
Reached via Instagram and Telegram, Morais said he was happy to chat about WormGPT.
“You can ask me anything,” Morais said. “I’m an open book.”
Morais said he recently graduated from a polytechnic institute in Portugal, where he earned a degree in information technology. He said only about 30 to 35 percent of the work on WormGPT was his, and that other coders are contributing to the project. So far, he says, roughly 200 customers have paid to use the service.
“I don’t do this for money,” Morais explained. “It was basically a project I thought [was] interesting at the beginning and now I’m maintaining it just to help [the] community. We have updated a lot since the release, our model is now 5 or 6 times better in terms of learning and answer accuracy.”
WormGPT isn’t the only rogue ChatGPT clone advertised as friendly to malware writers and cybercriminals. According to SlashNext, one unsettling trend on the cybercrime forums is evident in discussion threads offering “jailbreaks” for interfaces like ChatGPT.
“These ‘jailbreaks’ are specialised prompts that are becoming increasingly common,” Kelley wrote. “They refer to carefully crafted inputs designed to manipulate interfaces like ChatGPT into generating output that might involve disclosing sensitive information, producing inappropriate content, or even executing harmful code. The proliferation of such practices underscores the rising challenges in maintaining AI security in the face of determined cybercriminals.”
Morais said they have been using the GPT-J 6B model since the service was launched, although he declined to discuss the source of the LLMs that power WormGPT. But he said the data set that informs WormGPT is enormous.
“Anyone that tests wormgpt can see that it has no difference from any other uncensored AI or even chatgpt with jailbreaks,” Morais explained. “The game changer is that our dataset [library] is big.”
Morais said he began working on computers at age 13, and soon started exploring security vulnerabilities and the possibility of making a living by finding and reporting them to software vendors.
“My story began in 2013 with some greyhat activies, never anything blackhat tho, mostly bugbounty,” he said. “In 2015, my love for coding started, learning c# and more .net programming languages. In 2017 I’ve started using many hacking forums because I have had some problems home (in terms of money) so I had to help my parents with money… started selling a few products (not blackhat yet) and in 2019 I started turning blackhat. Until a few months ago I was still selling blackhat products but now with wormgpt I see a bright future and have decided to start my transition into whitehat again.”
WormGPT sells licenses via a dedicated channel on Telegram, and the channel recently lamented that media coverage of WormGPT so far has painted the service in an unfairly negative light.
“We are uncensored, not blackhat!” the WormGPT channel announced at the end of July. “From the beginning, the media has portrayed us as a malicious LLM (Language Model), when all we did was use the name ‘blackhatgpt’ for our Telegram channel as a meme. We encourage researchers to test our tool and provide feedback to determine if it is as bad as the media is portraying it to the world.”
It turns out, when you advertise an online service for doing bad things, people tend to show up with the intention of doing bad things with it. WormGPT’s front man Last seems to have acknowledged this at the service’s initial launch, which included the disclaimer, “We are not responsible if you use this tool for doing bad stuff.”
But lately, Morais said, WormGPT has been forced to add certain guardrails of its own.
“We have prohibited some subjects on WormGPT itself,” Morais said. “Anything related to murders, drug traffic, kidnapping, child porn, ransomwares, financial crime. We are working on blocking BEC too, at the moment it is still possible but most of the times it will be incomplete because we already added some limitations. Our plan is to have WormGPT marked as an uncensored AI, not blackhat. In the last weeks we have been blocking some subjects from being discussed on WormGPT.”
Still, Last has continued to state on HackForums — and more recently on the far more serious cybercrime forum Exploit — that WormGPT will quite happily create malware capable of infecting a computer and going “fully undetectable” (FUD) by virtually all of the major antivirus makers (AVs).
“You can easily buy WormGPT and ask it for a Rust malware script and it will 99% sure be FUD against most AVs,” Last told a forum denizen in late July.
Asked to list some of the legitimate or what he called “white hat” uses for WormGPT, Morais said his service offers reliable code, unlimited characters, and accurate, quick answers.
“We used WormGPT to fix some issues on our website related to possible sql problems and exploits,” he explained. “You can use WormGPT to create firewalls, manage iptables, analyze network, code blockers, math, anything.”
Morais said he wants WormGPT to become a positive influence on the security community, not a destructive one, and that he’s actively trying to steer the project in that direction. The original HackForums thread pimping WormGPT as a malware writer’s best friend has since been deleted, and the service is now advertised as “WormGPT – Best GPT Alternative Without Limits — Privacy Focused.”
“We have a few researchers using our wormgpt for whitehat stuff, that’s our main focus now, turning wormgpt into a good thing to [the] community,” he said.
It’s unclear yet whether Last’s customers share that view.
It’s a question we get a lot from parents: “How can I keep my kids safe when they are constantly hopping between so many different apps?” We get it, there’s a lot to stay on top and all of it changes constantly. Unfortunately, that question doesn’t have a simple answer. But there are some baseline actions every parent can take to boost their child’s safety on popular apps like TikTok, Snapchat, and Instagram.
The safety equation is threefold, with every piece as important to your child’s overall safety as the next.
A report released in 2021 by Common Sense Media found that teenagers (ages 13-18) use an average of nine hours of entertainment media per day and that tweens (ages 8-12) use an average of six hours a day, not including time spent using media for school or homework. The report also found that boys spend more time on gaming devices while girls spend more time on social media and that mobile devices now account for 41% of all screen time among tweens and 46% among teens.
With those numbers increasing each year, it’s even more important to understand the different ways parents can help kids stay safe. Let’s break down a few safety basics on each app that are easy to access and use.
TikTok has some impressive safety guidelines broken down into topics parents could easily use as a springboard for some great family discussions. The guidelines and the Safety Center cover issues such as dangerous TikTok challenges and how to deal with other digital threats such as bullying, sexual content, fake news, and hateful behavior. You can increase safeguards using TikTok’s:
Every app functions differently and thus, offers different ways to boost security. Snapchat provides a helpful guide for parents and educators, including safety tips and conversation starters. You can increase safeguards using Snapchat’s:
Instagram offers parents and minor users a library of safety and mental health resources accessible via the app’s Community Tab at the bottom of its home page. You can increase safeguards using Instagram’s:
One of the most powerful safety features is you—a child’s mom, dad, or guardian. Your face-to-face, heart-to-heart connection will speak loudest in your child’s life. If you haven’t lately, ask your child what’s going on in their digital life, who their friends are, what they’ve created to share, and what’s new, hilarious, or trending. You may get some resistance now and then but don’t let that discourage you from pressing in and doing all the things that help keep them as safe as possible online.
The post Setting Up Parental Controls in TikTok, Instagram & Snapchat appeared first on McAfee Blog.
All the kids are doing it, and so can you.
If you haven’t hopped onto a video chat with the family yet, the holidays are a great time to give it a whirl. While there are plenty of apps and services out there for video chatting, I put together a quick list of the more no-nonsense options.
Broadly speaking, I selected video chatting apps that are free, relatively straightforward, and possibly something you already have on your smartphone, tablet, or computer. From there, I also offer up some advice that can keep you and your family safe while you chat. Let’s take a look …
One of the easiest ways to hop onto a video chat is with your smartphone or tablet. They can save you a bit of configuring and fiddling around with settings because these devices have cameras, microphones, and video chat apps already built in. In that way, they’re optimized for video chat, so using one of them is practically “point and shoot.”
Depending on what smartphone or tablet you have, you have a couple of leading options:
Pre-installed on iPhones and iPads, FaceTime can connect up to 32 people on iOS and Mac OS devices at one time. That way, if you want to chat with a few family members at once, you can have plenty of people join in. Note that only iOS and Mac OS devices can use FaceTime, so the person you want to chat with will need FaceTime on a iOS or Mac OS device as well. Connections are quite simple. In fact, as simple as making a phone call. You can start a FaceTime call with a tap of family members in your contact list. Your device does the rest.
Google Duo is a voice chat app much akin to FaceTime that’s found on plenty of Android phones and tablets. However, it differs from FaceTime because it’s available for multiple platforms. For example, there’s a Google Duo app for iPhones, so if your grandkids have iPhones, they can install the Google Duo on their iPhones and have a chat with you on your Android phone.
Also, you can use Google Duo on a web browser without an app by clicking here. That’s a great option if you have a camera-ready laptop or computer—which we’ll talk about more next.) Google Duo also features “Family Mode” where you can put on masks and make doodles on the screen if you’re signed in with a Google account.
If you don’t have a smartphone or tablet, there are still plenty of options that are free and relatively easy as well.
For starters, you’ll need a laptop or computer with a microphone and camera, which is more or less standard in laptops today. If your laptop or computer doesn’t have that combo already, not to worry. There are plenty of moderately priced web cameras that include a microphone. I suggest getting one with a physical lens cap. That way it always protects your privacy. Likewise, you can always disconnect yours when it’s not in use.
With that, here are a few options for video chatting on your computer:
Originally aimed at a business audience, families and schools quickly latched on to Zoom for its ease of use at the start of the pandemic. Zoom offers unlimited time and unlimited calls for one-to-one meetings yet has a 40-minute limit once there are more than two devices connected. While there’s an app available, I recommend that you set up a free account and run it through a browser window. That way, you don’t have to deal with an install and you’ll always have the latest security protocols in play.
Skype from Microsoft has been around for a long time, getting its start back in the early 2000’s as a voice and text chatting app. Today, it comes standard on Windows PCs and supports apps for all kinds of tablets and smartphones too. Up to 50 people can join, which is of course plenty. If you want to create a video chat without an account, you can simply visit this page and start an instant video chat with a click. That’ll give you a link that you can copy and share with your family. And when they click on that link, you’ll all be connected.
Free to anyone with a free Google Gmail account, you can use Google Meet just by clicking its icon from your Google apps menu or by visiting https://meet.google.com/. Originally designed for businesses, governments, and schools, this premium product is now available to all. Some nice features include the ability to schedule a meeting with your family using Google Calendar and additional security features that help make sure your call is private. Like Zoom and Skype, it can run in the window of your browser, so there’s no app to download and install.
As I mentioned above, there’s practically setup when it comes to running a video call on your smartphone or tablet, as they’re already configured for video. Computers, however, may take a little more effort.
The first thing is to make sure that your microphone, speakers, and camera are all set up and ready to go. If you have a Windows computer, you can check out this quick article to get your audio set up and this article for setting up your camera. For Macs, check out this article for audio and this article for video.
From there, you can log into your video chat app or service of choice and give your audio and video a test just to make sure everything is a go. You can do this before you make a call by starting the app as you normally would and then clicking on the menu item for “Settings.” Each app handles it a little differently, yet the interface should show you if it detects your camera, microphone, and speakers. Once you’re set up, you likely won’t have to go back in and do it again.
Now, it’s time to think like a movie director. As you might think, the camera angle and lighting in your room make all the difference on a video chat.
In a way, the camera is the way you’ll make eye contact with your family. Set the camera or hold your device so that it’s at eye level with you. That way, it’ll appear like you’re making eye contact with them. Few things feel stranger on a video chat than a camera angle that appears to have you looking down at them (and with them looking up your nose in return).
As for lighting, avoid sitting with a light source behind you. The camera will adjust itself to the light source instead of you, putting your face in the dark. Instead, look to have a light source that’s in front and a bit off to the side from you. That’ll light your face without washing out your face in harsh light. Likewise, if you’re sitting in front of a computer monitor while you’re chatting, see if you can lower the brightness on the monitor. That’ll keep your video looking great as well.
Once you’re all set up, here are a few things that will help keep your calls private and secure.
If you’re initiating the chat, be sure to create a password that that uninvited parties can’t join the call. Also, don’t be shy about asking your family members to use a password on the calls they initiate. It’s pretty much a standard practice nowadays.
Many services, like Zoom, allow people to join a video chat by clicking a link. As with any link that’s sent to you, be sure that it’s legitimate. Confirm the link with the family member who sent it, particularly if you weren’t expecting one.
Likewise, make sure that you’re using comprehensive security software that protects you from scam emails and links, plus block links that could send you to sketchy websites. That way, if you do get sent a bogus invite link from a scammer, you’ll be protected.
When you click a link to join a video call from your computer, it will open a new browser tab that will prompt you to join the call. Often, there will be an option to “join using the app,” which your browser will automatically download if you click that option. However, the easiest way to join is by clicking the option to “join using my browser.” In addition to being a no-fuss option, it also means one less app on your device to keep current.
Aside from giving you the latest features and functionality, updates also often include essential security improvements. Set your computer to update itself automatically and consider using security software that will scan for vulnerabilities and install updates automatically as needed.
With the holidays upon us and the and New Year on the horizon, now’s a great time to give video chatting a try. As with any new app you try, do a little research of your own before you download it. Check out the news reviews to see if it’s right for you or if there have been any security concerns.
I hope this overview gives you a great start and that it becomes just one more of the many ways you keep in touch, whether during the holidays or year ’round.
To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Zooming with the Grandkids: Five Easy Video Chat Apps for the Holidays appeared first on McAfee Blogs.