Inactive ransomware operator
snake
aka Turla, VENOMOUS Bear, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, IRON HUNTER, MAKERSMARK, ATK13, G0010, ITG12, Blue Python, SUMMIT, UNC4210, Secret Blizzard, UAC-0144, UAC-0024, UAC-0003 · 3 victims indexed · first seen 6 years ago · last activity 6 years ago
At a glance
- Status
- inactive
- Aliases
- Turla, VENOMOUS Bear, Group 88, Waterbug, WRAITH, Uroburos, Pfinet, TAG_0530, KRYPTON, Hippo Team, Pacifier APT, Popeye, SIG23, IRON HUNTER, MAKERSMARK, ATK13, G0010, ITG12, Blue Python, SUMMIT, UNC4210, Secret Blizzard, UAC-0144, UAC-0024, UAC-0003
- First seen
- 6 years ago
- Last activity
- 6 years ago
- Primary sector
- Critical Manufacturing · 1 hit
- Suspected origin
- 🇷🇺RU
About
References
37 links. External sources curated by the MISP threat-intel community.
- circl.lu/pub/tr-25/
- securelist.com/introducing-whitebear/81638/
- securelist.com/the-epic-turla-operation/65545/
- cfr.org/interactive/cyber-operations/turla
- nytimes.com/2010/08/26/technology/26cyber.html
- securelist.com/blog/research/67962/the-penquin-turla-2/
- kaspersky.com/blog/moonlight-maze-the-lessons/6713/
- www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf
- securelist.com/analysis/publications/65545/the-epic-turla-operation/
- threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/
- securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/
- welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/
- first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf
- yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548
- welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
- securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/
- nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
- docs.broadcom.com/doc/waterbug-attack-group
- theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec
- bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/
Timeline
2 months
Top countries
Top sectors
MITRE ATT&CK
68 techniques · 13 tactics
Tactics
Techniques
- T1005 Data from Local System
- T1007 System Service Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1016.001 Internet Connection Discovery
- T1018 Remote System Discovery
- T1021.002 SMB/Windows Admin Shares
- T1025 Data from Removable Media
- T1027.005 Indicator Removal from Tools
- T1027.010 Command Obfuscation
- T1027.011 Fileless Storage
- T1036.005 Match Legitimate Resource Name or Location
- T1049 System Network Connections Discovery
- T1055 Process Injection
- T1055.001 Dynamic-link Library Injection
- T1057 Process Discovery
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.006 Python
- T1059.007 JavaScript
- T1068 Exploitation for Privilege Escalation
- T1069.001 Local Groups
- T1069.002 Domain Groups
- T1071.001 Web Protocols
- T1071.003 Mail Protocols
- T1078.003 Local Accounts
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.001 Local Account
- T1087.002 Domain Account
- T1090 Proxy
- T1090.001 Internal Proxy
- T1102 Web Service
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
- T1106 Native API
- T1110 Brute Force
- T1112 Modify Registry
- T1120 Peripheral Device Discovery
- T1124 System Time Discovery
- T1134.002 Create Process with Token
- T1140 Deobfuscate/Decode Files or Information
- T1189 Drive-by Compromise
- T1201 Password Policy Discovery
- T1204.001 Malicious Link
- T1213.006 Databases
- T1518.001 Security Software Discovery
- T1546.003 Windows Management Instrumentation Event Subscription
- T1546.013 PowerShell Profile
- T1547.001 Registry Run Keys / Startup Folder
- T1547.004 Winlogon Helper DLL
- T1553.006 Code Signing Policy Modification
- T1555.004 Windows Credential Manager
- T1560.001 Archive via Utility
- T1564.012 File/Path Exclusions
- T1566.002 Spearphishing Link
- T1567.002 Exfiltration to Cloud Storage
- T1570 Lateral Tool Transfer
- T1583.006 Web Services
- T1584.003 Virtual Private Server
- T1584.004 Server
- T1584.006 Web Services
- T1587.001 Malware
- T1588.001 Malware
- T1588.002 Tool
- T1615 Group Policy Discovery
- T1685 Disable or Modify Tools
Recent victims
Source
Updated 6 years ago
Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page; share freely.
