Cybersecurity Snapshots - Snatch Ransomware
By aekwall
The FBI and CISA warn companies and critical infrastructure organizations to be on the lookout for a ransomware group called Snatch. The group has been active since 2018 under the Ransomware-as-a-Service (RaaS) model and has been targeting organizations in the United States since 2019. Since November 2021, the group has operated a leak site, threatening to publish stolen data unless a ransom is paid. The Snatch ransomware group targets various types of organizations, including critical infrastructure sectors, in countries such as the United States, United Kingdom, France, and India. Organizations the Snatch ransomware gang has breached include Heinz, the Florida Department of Veterans Affairs (FDVA), Tyson Foods, Briars Group, EliTech, and Mount Desert Hospital in Maine.
The FBI and CISA warned that the group typically encrypts files on the targeted organization's systems and steals data that it threatens to leak to increase the chances of getting paid. Its leak website currently names more than 120 alleged victims. The group was initially called Team Truniger and is likely associated with GandCrab. The Snatch ransomware group has been observed purchasing data stolen by other hacking groups to extort victims further.
The Snatch ransomware group typically exploits Remote Desktop Protocol (RDP) vulnerabilities for initial access but has also been seen acquiring compromised credentials from cybercrime forums. The FBI and CISA noted that the group uses compromised administrator credentials for persistent access to victims' networks and establishes Command-and-Control (C&C) communication over HTTPS. The C&C server, the two agencies say, is hosted by a Russian bulletproof hosting service. Prior to ransomware deployment, the Snatch threat actors spend up to three months on victims' networks, searching for valuable data to exfiltrate and identifying systems they can encrypt. They also attempt to disable security software. The FBI and CISA noted that once executed, the Snatch ransomware modifies registry keys, enumerates the system, searches for specific processes, and creates benign processes to execute various batch files. In some cases, it also attempts to delete volume shadow copies. The FBI and CISA also observed the ransomware rebooting systems in Safe Mode to circumvent endpoint detection solutions and to encrypt victims' files while only a few services are running on the infected systems. The malware appends hexadecimal characters to file and folder names and drops a ransom note in each folder, instructing victims to engage in communication over email or using the Tox platform.
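The behaviours described above (a Safe Mode reboot before encryption, shadow copy deletion, batch files launched through benign processes, and hexadecimal characters appended to file names) can be turned into simple detection logic. The following is an added example, not code from the advisory or from the FBI/CISA; the event records and file listing are constructed, and the regexes, thresholds and field names are assumptions rather than published Snatch indicators.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not from the advisory), in the
# shape an EDR or Sysmon export might provide after normalisation.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {current} safeboot minimal"},
    {"host": "ws01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\Public\\run1.bat"},
    {"host": "ws02", "image": "C:\\Windows\\System32\\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

# Behaviours the advisory attributes to Snatch, expressed as command-line
# patterns (assumed; tune to the environment to limit false positives).
PROCESS_RULES = {
    "safe_mode_reboot": re.compile(r"bcdedit.*\bsafeboot\b", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin.*\bdelete\b.*\bshadows\b", re.I),
    "batch_via_cmd": re.compile(r"cmd\.exe.*\.bat\b", re.I),
}

def match_process_events(events):
    """Return (host, rule_name, cmdline) for every event matching a rule."""
    hits = []
    for ev in events:
        for name, pattern in PROCESS_RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits

# Constructed file listing: encrypted files carry an appended run of hex
# characters, alongside untouched files that must not trigger the check.
SAMPLE_LISTING = [
    "C:\\Data\\report.docx.abc123ef",
    "C:\\Data\\budget.xlsx.abc123ef",
    "C:\\Data\\HOW TO RESTORE YOUR FILES.TXT",
    "C:\\Data\\readme.txt",
]
HEX_SUFFIX = re.compile(r"\.([0-9a-f]{6,})$", re.I)

def hex_suffix_stats(paths, min_files=2):
    """Count files per appended hex suffix; keep suffixes seen on >= min_files,
    since one odd extension is noise but many files sharing one is not."""
    counts = Counter()
    for p in paths:
        m = HEX_SUFFIX.search(p)
        if m:
            counts[m.group(1).lower()] += 1
    return {s: n for s, n in counts.items() if n >= min_files}
```

A ransom note present in the same folders, which the advisory also describes, is a natural second signal to correlate with the suffix counts.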
Organizations need to practice basic cybersecurity hygiene to reduce the risk of being affected by ransomware. They should also watch for Indicators of Compromise (IOCs) associated with Snatch ransomware, as the number of victims is expected to increase.