Exclusive: UK royals fall victim to alleged data breach

A ransomware gang claimed overnight to have successfully compromised several members of the royal family of Great Britain.

The Snatch gang made an initial announcement on one of its clear web sites on 10 April, with the hack announcement updated on 15 April and then again on 16 April.

The post lists the names of 25 members of the royal family – including King Charles III, Queen Camilla, and the Prince and Princess of Wales – and includes a link to a small 32-kilobyte file called Royals.zip.

The clear web post also includes a link to the group’s Telegram channel, where it has more to say.

“And today we are glad to represent you all the 25 people of royal family that were hijacked on our project. So those who feel lazy to read can download all the data in one archive,” a Snatch spokesperson posted on 15 April.

The Telegram post links back to the gang’s news site and the .ZIP archive.

As to the files themselves, they appear to be dossiers of personal information compiled by Snatch, on each of the 25 royals listed on the group’s site. Each of the 25 text files includes a short bio of the person in question, followed by email addresses, encrypted and unencrypted passwords, and lists of individuals with links to the royal in question.

The text file for King Charles III, for instance, has the email details of a previous web development intern with the royal household and a personal assistant to TRH Princess Beatrice and Princess Eugenie of York, among dozens of others.

VIEW ALL

Much of the information appears to already be publicly available in some form, such as Instagram pages and YouTube channels, but other details appear to be nicknames or usernames, quite possibly scraped from other data sources and leaks.

In some cases, Snatch has even provided running commentary on the data. Included in an apparent list of passwords associated with King Charles is this line:

“Bensonsasha (Hmm, Sasha Benson is the CEO and Founder of Benson Esthetics. How are they connected?)”

Benson Esthetics is a beauty and wellness company operating out of Bermuda.

Some street addresses, as well as geolocation details, are included in the data.

Looking further back into the group’s Telegram history, it has been sharing this data in individual posts throughout March, while also offering security advice and debunking articles written about the hacking group. The group has also published salacious details of individuals related to other world leaders, including the French President Emmanuel Macron.

For its part, the Royal Household is aware of the claim, and while the UK's National Cyber Security Centre has been in contact, the Royal Household has not reported anything is amiss.

Looking closer at the threat actor, however, working out who Snatch is – and isn’t – and what is motivating them is quite the mystery.

What is motivating Snatch?

Like many similar threat actors, Snatch considers itself a force for good, providing cyber security services and advice for its victims.

However, while its roots lie firmly in ransomware, Snatch released a new manifesto in January 2024, stating that it was moving closer to a hacktivism model of operation than a traditional ransomware gang.

“Business and power are united and go hand in hand. And each leak has its own name and face, both from the side of the business that allowed it and from the side of the authorities covering this business,” Snatch posted on 26 January.

“That’s why from now on, each of our publications will be accompanied by personal data of presidents (owners of companies) and personal data of representatives of authorities assigned to this region. If the authorities don’t care about personal data of ordinary citizens, then they don’t care about their own data leakage either. That’s why from now on, all publications will follow a new formula – the face of the company, the face of the representative of the authority covering the company.

“De jure, any government official has the same rights and freedoms as ordinary citizens, so if a company voluntarily leaks its customers’ and partners’ data to the network, the government official responsible for legislation in this area should also be leaked. We do not hope to change the world and the government’s attitude to what is happening, but we want you to know the face of those responsible for your cyber genocide.”

The group appears to be applying this new manifesto retroactively, too.

Snatch targeted UK food supplier Daylesford Organics in November 2021 – which saw the details of several royals compromised, alongside other UK celebrities – before publishing gigabytes of stolen data in 2022. That leak page was recently updated, however, with a list of “persons responsible for data leakage” added to the data dump on 5 April 2024.

Who is Snatch?

Snatch’s origins date back to 2018 when it was formed by a hacker with links to early ransomware gang GandCrab, members of which would eventually form the infamous REvil ransomware group. That hacker – known as Truniger – recruited for Snatch on a raft of Russian-language hacking forums throughout that year.

A report from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, published in September 2023, detailed on the gang’s operations at the time.

“Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog,” CISA said in its alert. The group had also been seen deploying its own malware.

“Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this time frame, Snatch threat actors exploited the victim’s network moving laterally across the victim’s network with RDP for the largest possible deployment of ransomware and searching for files and folders for data exfiltration followed by file encryption.”

However, the same report went on to note that the current operators of the Snatch infrastructure – who call themselves Snatch Team – may not be the same group that had been running the ransomware operation.

“Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and ‘none of our targets has been attacked by Ransomware Snatch …’, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.”

Cyber security expert Brian Krebs is not so sure those “individuals” were telling the truth.

“... so far, the Snatch Team has not been able to explain why it is using the very same domain names that the Snatch ransomware group used?” Krebs wrote in a blog post in September 2023, a little over two weeks after CISA and the FBI released their report on the gang.

“Their claim is even more unbelievable because the Snatch Team members told Databreaches.net they didn’t even know that a ransomware group with that name already existed when they initially formed just two years ago.

“This is difficult to swallow because even if they were a separate group, they’d still need to somehow coordinate the transfer of the ransomware group’s domains on the clear and dark webs. If they were hoping for a fresh start or separation, why not just pick a new name and new web destination?”

Krebs’ analysis of the situation is a compelling one – that the group is simply trying to distance itself from its founders, whose operational security was found to be rather lacking, and to appear more benign than its competitors.

“Maybe Snatch Team does not wish to be associated with Snatch Ransomware because they currently believe stealing data and then extorting victim companies for money is somehow less evil than infecting all of the victim’s servers and backups with ransomware,” Krebs said.

“It is also likely that Snatch Team is well aware of how poorly some of their founders covered their tracks online, and are hoping for a do-over on that front.”

That said, the group does not mention its .onion leak site on its Telegram channel at all; instead, it said it would publish its data breaches on its clear web news site.

For now, though, Snatch remains content to steal and publish reams of private company and personal data – but is now attempting to cover its crimes with a fig leaf of apparent hacktivism.

UPDATE: 17/04/24 - added details from the NCSC.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.