The cybercriminals who recently broke into Snowflake customers demand between 300,000 and 5 million dollars (between 280,000 and 4,6 million euros) for decryption or return of the captured data. According to an analyst at cybersecurity firm Mandiant, hackers have tried to extort at least ten companies this way. He expects that number to increase.

Hackers used stolen user data to break into at least 165 Snowflake customer accounts. Ticketmaster, the bank Santander, and Advance Auto Parts have been victims of such attacks. In the process, user data of hundreds of millions of customers was stolen. Pure Storage also reported an intrusion.

We reported earlier that hackers used a self-built tool to break into Snowflake's online environments without multifactor authentication (MFA) active. The breaches did not happen because of a vulnerability in Snowflake's platform. Nevertheless, the lack of MFA allowed criminals to view login credentials and Snowflake customers' databases. The hackers (known as UNC5537) abused those login credentials to log into these customers' protected environments.

It was not initially known how many customers were affected. Still, Bloomberg reports based on statements by Austin Larsen, senior threat analyst at Mandiant, that a more complete picture of the extent of the data captured is now emerging. Larsen expects to see more cases soon of companies having to cough up ransom to get their data back.

Criminal plan enters next phase

According to Larsen, the criminals' plan is entering a new phase as they seek to monetize the most valuable information. This means, for example, offering illegally obtained data on criminal forums at higher prices than usual. This alone can pressure legitimate data owners to pay up, as they want to prevent their data from being accessed by other criminals.

Larsen said the hackers, who are said to be operating from North America and Turkey, are extremely brazen. Cybersecurity experts investigating the case have faced threats. Fake nude photos were also allegedly generated of a researcher using AI in an attempt to dissuade him from further digging.

According to Mandiant, it is possible that UNC5537 has significant overlap with the group Scattered Spider, whose leader was recently arrested in Spain. However, it remains difficult to decipher how these loose-fitting criminal alliances work. Mandiant, cooperating with Snowflake in this investigation, has prepared instructions for companies that have fallen victim to UNC5537.

Also read: Mandiant reports at least 165 Snowflake customers affected in series of hacking attempts