Snatch Ransomware Mastermind Unmasked as Semyon Tretyakov
Cybersecurity experts have identified the key figure behind the Snatch ransomware group, which has been active since 2018. The group, previously known as Team Truniger, is linked to Semyon Tretyakov, who used the online handle semen7907. Snatch, led by Truniger, employs a distinctive ransomware variant that reboots Windows devices into Safe Mode to evade detection, since endpoint security software typically does not run in that mode. Once in Safe Mode, the malware encrypts files, holding them hostage until a ransom is paid. The group's darknet website was recently found to be leaking data about its users and internal operations, exposing the group's methods.
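The article does not say how the Safe Mode reboot is arranged. The following detector is an added example, not code from the article or from any of the firms it cites; it assumes the common pattern of enabling Safe Mode through the Windows boot configuration (bcdedit's safeboot setting), registering a service under the SafeBoot registry keys, and forcing a reboot, and it scans constructed process-creation log lines for that sequence.

```python
# Constructed sample process-creation log lines ("user|parent process|command line"),
# modelled loosely on Windows event 4688 / Sysmon fields. Not real telemetry.
SAMPLE_LOGS = [
    "SYSTEM|services.exe|C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "SYSTEM|unknown.exe|bcdedit /set {current} safeboot minimal",
    "SYSTEM|unknown.exe|shutdown /r /f /t 00",
    "alice|explorer.exe|C:\\Windows\\System32\\notepad.exe",
    "SYSTEM|admin.exe|bcdedit /deletevalue {current} safeboot",
    "SYSTEM|unknown.exe|bcdedit  /SET  {default}  SAFEBOOT  network",
    "SYSTEM|unknown.exe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\svc /ve /d Service /f",
]

def parse_line(line):
    """Split one constructed log line into (user, parent, command line)."""
    user, parent, cmd = line.split("|", 2)
    return user, parent, cmd

def classify(cmd):
    """Map a command line to a detection label, or None if it looks benign."""
    tokens = cmd.lower().split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1]          # strip any directory prefix
    if exe in ("bcdedit", "bcdedit.exe") and "safeboot" in tokens:
        # /deletevalue removes the Safe Mode flag (cleanup or admin use); /set enables it
        return "safeboot_cleared" if "/deletevalue" in tokens else "safeboot_enabled"
    if exe in ("reg", "reg.exe") and any(
        "\\safeboot\\minimal\\" in t or "\\safeboot\\network\\" in t for t in tokens
    ):
        return "safeboot_service_added"       # a service allowed to run in Safe Mode
    if exe in ("shutdown", "shutdown.exe") and "/r" in tokens and "/f" in tokens:
        return "forced_reboot"
    return None

def scan(lines):
    """Return (parent process, label) for every suspicious line, in order."""
    findings = []
    for line in lines:
        _user, parent, cmd = parse_line(line)
        label = classify(cmd)
        if label:
            findings.append((parent, label))
    return findings

def alert_level(findings):
    """'high' when one parent both enables Safe Mode and forces a reboot,
    'medium' for any Safe Mode preparation on its own, else 'none'."""
    by_parent = {}
    for parent, label in findings:
        by_parent.setdefault(parent, set()).add(label)
    for labels in by_parent.values():
        if "safeboot_enabled" in labels and "forced_reboot" in labels:
            return "high"
    if any(l in ("safeboot_enabled", "safeboot_service_added") for _, l in findings):
        return "medium"
    return "none"
```

On the constructed log, unknown.exe both enables Safe Mode and forces a reboot, so the correlated result is "high"; the admin's /deletevalue cleanup alone does not raise an alert.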
Flashpoint, a cybersecurity firm, traced the group's origins back to 2018, when Truniger recruited 'pen testers' from Russian-language cybercrime forums and public boards, including sysadmins.ru, under the username semen7907. Tretyakov's email address, [email protected], was also linked to multiple accounts and breached records. The FBI and CISA report that the group was initially named Team Truniger, after its founder.
Snatch threat actors have been known to purchase previously stolen data from other ransomware variants to further exploit their victims. Truniger was previously an affiliate of GandCrab, an early ransomware-as-a-service offering that dissolved in 2019 and is believed to have evolved into REvil.
The exposure of Tretyakov's involvement in the Snatch ransomware group highlights the ongoing threat posed by these cybercriminal organizations. Despite a claim of disassociation from the current occupants of Snatch's domains, cybersecurity experts remain vigilant. As ransomware groups continue to evolve and collaborate, understanding their origins and methods is crucial to developing effective defenses.