
SnowSoul Attack Hits Multiple Chinese Organizations

By: Jordan Vector Cybersecurity Expert

Last updated: April 2, 2026

  • The hacking group SnowSoul claims it has breached over a dozen Chinese companies and leaked more than 30GB of data, including financial records and social security details.

  • The hackers allegedly demanded only $2,000 from each victim; when the companies refused to pay, the group published the stolen data online.

  • SnowSoul was previously known for ransomware with flawed encryption, but this attack shows the group has shifted to data theft and public leaks to pressure victims.

A hacking group going by the name SnowSoul has claimed responsibility for breaching more than a dozen organizations in China. The group says it has leaked over 30 gigabytes of sensitive data online.

The attack hit a wide range of businesses, from real estate firms to transportation companies and technology providers. According to the group, the leak followed the victims' refusal to pay a ransom of just $2,000.

SnowSoul is not a new player in the cybersecurity scene. The group first appeared at the end of last year as a ransomware operation, locking victims' files and demanding payment for the decryption key.

Experts from 360 Research examined how the group operated. While SnowSoul used encryption to lock files, its implementation contained flaws that allowed some victims to recover some of their files without paying. SnowSoul has now moved from merely locking files to stealing them and leaking them publicly.

Which Companies Were Hit

The list of victims is long and varied. According to dark web intelligence reports, the affected organizations include Dongyu Company, Beijing Shuyu Technology, Jimsar Real Estate, Qitai Huitong, and many others across different regions of China. The leak earned the code name “SnowSoul ID-1270.”

Experts noted that the stolen data contains company financial statements, social security records, balance sheets, and income reports. Database backup files, which hold the operational records of each company, were also taken. The hackers say they published this data after their small ransom demand was turned down.

The Ransom Demand That Backfired

According to reports from cybersecurity news aggregators, SnowSoul demanded only $2,000 from the affected companies. When the companies refused to pay, the hackers made good on their threat.

They published the stolen data online for everyone to see. This tactic is becoming more common: when ransomware groups receive no payment, they often turn to “name and shame” methods to pressure victims.

This shift is dangerous for businesses. Even small organizations are now targets for major data leaks. That the refusal of a $2,000 demand led to the leak of about 30GB of data shows that no company is too small to be targeted.

SnowSoul’s History of Trouble

Before the recent leak, SnowSoul operated as a ransomware group, first appearing late last year. Security vendors such as 360 collected samples of the ransomware and analyzed them shortly after the group became public. Most of the samples locked files using a combination of AES and RSA encryption.

During that analysis last year, however, researchers found significant weaknesses in SnowSoul's implementation. Because of these flaws, researchers released a free decryption tool for victims, which undercut the group's leverage over them.

It now appears that the failure of its encryption has pushed SnowSoul to change how it operates. The group is no longer just encrypting victims' computers; it is also stealing their data and using it against them. This makes the group more dangerous, because a working backup or a decryptor no longer removes the threat.

This double-extortion approach, encrypting data and threatening to leak it, is the same method used by the Medusa ransomware group, which threatened to sell 219GB of patient data from the University of Mississippi Medical Center on the dark web after the healthcare provider refused to pay their $800,000 demand.

The group's recent activity is a reminder that simply backing up data is not enough. Organizations must also protect themselves against attackers whose goal is to steal their databases, not just to encrypt them.

Investigations into the incident are ongoing. The affected companies are scrambling to secure their networks and to determine exactly what data they lost in the attack.


About the Author

Jordan Vector

Cybersecurity Expert

Jordan is a security researcher and advocate who focuses on making privacy practical. Whether he's explaining how to harden a browser or reporting on the latest surveillance disclosures, his goal is to equip readers with knowledge they can use immediately. Jordan believes that true security begins with understanding the digital landscape.
