December 6, 2023

The U.S. FBI and CISA have released a joint cybersecurity advisory warning of the Snatch ransomware operation.

Snatch first appeared in 2018 and operates on a ransomware-as-a-service model. The first known victim in the U.S. of a Snatch ransomware attack was ASP.NET hosting provider SmarterASP.NET in 2019.

The joint advisory reflects the TTPs associated with Snatch ransomware that FBI investigations identified as recently as June 1, 2023.

Snatch threat actors are said to be consistently evolving their tactics to take advantage of current trends and have borrowed from the successes of other ransomware operations. Affiliates using Snatch have targeted critical infrastructure sectors, including companies and organizations in the defense industrial base, food and agriculture, and information technology sectors.


Like many ransomware actors over the last few years, Snatch operates on a so-called double-extortion basis: it both encrypts data and steals it, then demands a ransom not only for a decryption key but also for a promise that the stolen data will not be published on Snatch’s dark web leak site.

Recent victims of Snatch ransomware attacks, as listed on its dark web leak site, include the Florida Department of Veterans’ Affairs, Zilli, CEFCO Inc., the South African Department of Defense and the Briars Group Ltd.

A distinctive tactic of the Snatch ransomware group is a payload that takes advantage of the fact that most endpoint protection products are not running when Windows is booted into Safe Mode. The ransomware forces the infected host to reboot into Safe Mode and performs its encryption from there, with few services and no security agents active to detect or block it. For defenders, an unexpected Safe Mode reboot, a change to the boot configuration, or a service newly registered to run in Safe Mode should be treated as a high-priority signal rather than a maintenance event.

In many attacks, Snatch operators have targeted weaknesses in Remote Desktop Protocol (RDP) exposure, including brute-forcing credentials, to gain administrator-level access to a target network. In other instances, they have used stolen or purchased credentials to gain an initial foothold. Once on a network, the threat actors can spend up to three months moving laterally, searching for files and folders to target, before any encryption takes place.


The FBI and CISA advisory describes Snatch operators as using a combination of legitimate and malicious tools on compromised networks. These include post-compromise tools such as the open-source Metasploit penetration-testing framework, Cobalt Strike for lateral movement, and built-in Windows utilities such as sc.exe to create, query, add and delete services and perform other tasks. Because these tools are also used legitimately by administrators and red teams, detection has to rest on the context in which they are run rather than on their presence alone.
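The three behaviours above (the forced reboot into Safe Mode, RDP password guessing, and service manipulation with sc.exe) expressed as detection logic over constructed sample telemetry. This is an added example, not code from the post or from the advisory: the hosts, accounts, addresses and command lines are invented, and the specific Safe Mode staging commands (bcdedit with the safeboot option, and a service registered under the SafeBoot\Minimal registry key) are an assumption about how the reboot is forced, since the post states only that the host is rebooted into Safe Mode.

```python
"""Added example, not from the advisory or the post: a detection pass over
constructed Windows telemetry for three behaviours described above, namely RDP
password guessing (4625 logon failures), service creation with sc.exe, and the
staging of a forced reboot into Safe Mode. The staging commands (bcdedit with
safeboot, a service registered under SafeBoot\\Minimal) are the usual Windows
mechanism and are an assumption here; the post only says the host is forced
into Safe Mode. Host names, accounts and addresses are invented."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), pipe-delimited:
#   timestamp|host|event_id|account|detail
# 4688 = process creation, detail is the command line.
# 4625 = failed logon, detail is "type=<logon type>;src=<source ip>"
#        (logon type 10 = RemoteInteractive, i.e. RDP).
SAMPLE_EVENTS = r"""
2023-06-01T02:10:05|FS01|4625|administrator|type=10;src=198.51.100.23
2023-06-01T02:10:07|FS01|4625|administrator|type=10;src=198.51.100.23
2023-06-01T02:10:09|FS01|4625|admin|type=10;src=198.51.100.23
2023-06-01T02:10:11|FS01|4625|backup|type=10;src=198.51.100.23
2023-06-01T02:10:14|FS01|4625|svc_sql|type=10;src=198.51.100.23
2023-06-01T02:10:16|FS01|4625|svc_sql|type=10;src=198.51.100.23
2023-06-01T09:15:00|WS17|4625|jdoe|type=2;src=-
2023-06-01T03:40:02|FS01|4688|administrator|sc.exe create BackupSvc binpath= "C:\Users\Public\svchost.exe" start= auto
2023-06-01T03:40:03|FS01|4688|administrator|reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BackupSvc /ve /d Service /f
2023-06-01T03:40:05|FS01|4688|administrator|bcdedit.exe /set {current} safeboot minimal
2023-06-01T03:40:06|FS01|4688|administrator|shutdown.exe /r /f /t 0
2023-06-01T08:00:00|WS17|4688|jdoe|sc.exe query wuauserv
"""

# Command-line rules mapped to the ATT&CK techniques listed on this page.
PROCESS_RULES = [
    ("T1562.001", "bcdedit sets the next boot to Safe Mode",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1112", "service registered to start in Safe Mode",
     re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\", re.I)),
    ("T1569.002", "service created or reconfigured with sc.exe",
     re.compile(r"\bsc(?:\.exe)?\s+(?:create|config)\b", re.I)),
]


def parse_events(text):
    """Parse the pipe-delimited sample format into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, event_id, account, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(event_id), "account": account, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def detect_process_events(events):
    """One finding per process-creation command line that matches a rule."""
    return [(ev["host"], technique, why)
            for ev in events if ev["event_id"] == 4688
            for technique, why, pattern in PROCESS_RULES
            if pattern.search(ev["detail"])]


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a source address with >= threshold failed RDP logons against one host inside `window`."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        fields = dict(kv.split("=", 1) for kv in ev["detail"].split(";"))
        if fields.get("type") == "10":            # only RemoteInteractive (RDP) failures
            failures[(ev["host"], fields["src"])].append(ev["ts"])
    findings = []
    for (host, src), times in failures.items():
        for i, start in enumerate(times):        # sliding window over the sorted timestamps
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                findings.append((host, "T1110.001",
                                 f"{count} failed RDP logons from {src} within {window}"))
                break
    return findings


def detect_safe_mode_reboot(events, window=timedelta(minutes=10)):
    """The Safe Mode trick as a sequence: safeboot is set, then the same host is rebooted."""
    staged, findings = {}, []
    for ev in events:
        if ev["event_id"] != 4688:
            continue
        cmd = ev["detail"].lower()
        if "bcdedit" in cmd and "safeboot" in cmd:
            staged[ev["host"]] = ev["ts"]
        elif cmd.startswith("shutdown") and " /r" in cmd and ev["host"] in staged \
                and ev["ts"] - staged[ev["host"]] <= window:
            findings.append((ev["host"], "T1562.001",
                             "reboot requested after the host was set to boot into Safe Mode"))
    return findings


def run(text=SAMPLE_EVENTS):
    """Return all findings as (host, technique, description) tuples."""
    events = parse_events(text)
    return detect_process_events(events) + detect_rdp_guessing(events) + detect_safe_mode_reboot(events)


if __name__ == "__main__":
    for host, technique, why in run():
        print(f"{host}\t{technique}\t{why}")
```

On real telemetry the 4688 command lines require process-creation auditing with command-line logging enabled (or Sysmon event 1), and the 4625 fields correspond to the Logon Type and Source Network Address values; the thresholds here are deliberately low for the sample and should be tuned against a baseline before use. The sequence check in detect_safe_mode_reboot is the higher-confidence signal, because a lone bcdedit invocation can be legitimate troubleshooting while safeboot followed by an immediate forced reboot on a file server rarely is.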

Indicators of Compromise

Tox IDs (76 hexadecimal characters) associated with Snatch actors:

  • CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F
  • 7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418
  • 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97
  • 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58

SHA-256 hashes of Snatch-associated files:

  • 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
  • 1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
  • 5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd
  • 7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3
  • 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
  • fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066
  • a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae
  • 6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0
  • 510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1
  • ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d
  • 2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57
  • 251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d
  • 3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924
  • 6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7
  • 84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5
  • a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84
  • b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40
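A triage helper for the indicator list above, added here as an example and not taken from the post or the advisory. The 76-hex-character entries have the structure of Tox IDs (a 32-byte public key, a 4-byte nospam value and a 2-byte checksum), and the 64-hex-character entries are SHA-256 file hashes; the checksum rule lets a copied Tox ID be sanity-checked before it is loaded into a watch list, and the hash set can be matched against files on a host. The file contents used for the scan are constructed and stand in for real files.

```python
"""Added example (not from the post or the advisory): triage of the indicator
list above. Entries of 76 hex characters are Tox IDs (32-byte public key,
4-byte nospam, 2-byte checksum); entries of 64 hex characters are SHA-256 file
hashes. The Tox checksum is the XOR of the first 36 bytes folded into two
bytes, which lets a copied ID be sanity-checked before it goes into a watch
list. The file contents used for the scan are constructed, not real samples."""
import hashlib

HEX = set("0123456789abcdef")

# Subset of the indicators listed above (the rest share the same two formats);
# the repeated hash reproduces the duplicate in the published list.
INDICATORS = [
    "CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F",
    "0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f",
    "1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d",
    "1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d",
]

# Constructed file contents standing in for files on a host under investigation.
SAMPLE_FILES = {
    "C:/Users/Public/svchost.exe": b"constructed sample A",
    "C:/Windows/System32/notepad.exe": b"constructed sample B",
}


def classify(indicator):
    """Return 'sha256', 'tox_id' or 'unknown', judged by length after case normalisation."""
    s = indicator.strip().lower()
    if not all(c in HEX for c in s):
        return "unknown"
    return {64: "sha256", 76: "tox_id"}.get(len(s), "unknown")


def tox_checksum_ok(tox_id):
    """Verify the 2-byte checksum that closes a Tox ID: XOR of bytes 0..35 folded into 2 bytes."""
    raw = bytes.fromhex(tox_id)
    if len(raw) != 38:
        return False
    check = [0, 0]
    for i, b in enumerate(raw[:36]):
        check[i % 2] ^= b
    return bytes(check) == raw[36:]


def dedupe(indicators):
    """Normalise case and whitespace and drop repeated entries, keeping first-seen order."""
    seen, out = set(), []
    for ind in indicators:
        key = ind.strip().lower()
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def triage(indicators):
    """Split a raw indicator list into validated sets plus anything that failed validation."""
    result = {"sha256": set(), "tox_id": set(), "rejected": []}
    for ind in dedupe(indicators):
        kind = classify(ind)
        if kind == "sha256":
            result["sha256"].add(ind)
        elif kind == "tox_id" and tox_checksum_ok(ind):
            result["tox_id"].add(ind)
        else:
            result["rejected"].append(ind)
    return result


def scan_files(files, sha256_set):
    """files: {path: bytes}. Return the paths whose SHA-256 is on the watch list."""
    return [path for path, data in files.items()
            if hashlib.sha256(data).hexdigest() in sha256_set]


def demo_scan():
    """Scan the constructed files, pretending sample A's hash had been published as an indicator."""
    watch = set(triage(INDICATORS)["sha256"])
    watch.add(hashlib.sha256(SAMPLE_FILES["C:/Users/Public/svchost.exe"]).hexdigest())
    return scan_files(SAMPLE_FILES, watch)


if __name__ == "__main__":
    t = triage(INDICATORS)
    print(f"{len(t['sha256'])} hashes, {len(t['tox_id'])} Tox IDs, {len(t['rejected'])} rejected")
    print("matches:", demo_scan())
```

The checksum check catches the most common transcription damage (a dropped or altered character) but says nothing about whether an ID is actually in use; treat a Tox ID as a pivot for correlation with ransom notes and negotiation artefacts rather than as something to block. File-hash matching is exact-match only, so a recompiled or repacked Snatch binary will not hit the SHA-256 list, which is why the behavioural signals described earlier on this page matter more than the hash list for detection.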

MITRE ATT&CK

  • Gather Victim Network Information (T1590)
  • Acquire Infrastructure: Virtual Private Server (T1583.003)
  • Valid Accounts (T1078)
  • External Remote Services (T1133)
  • Command and Scripting Interpreter: Windows Command Shell (T1059.003)
  • System Services: Service Execution (T1569.002)
  • Valid Accounts: Domain Accounts (T1078.002)
  • Masquerading (T1036)
  • Indicator Removal: File Deletion (T1070.004)
  • Modify Registry (T1112)
  • Impair Defenses: Disable or Modify Tools (T1562.001)
  • Brute Force: Password Guessing (T1110.001)
  • Query Registry (T1012)
  • Process Discovery (T1057)
  • Remote Services: Remote Desktop Protocol (T1021.001)
  • Data from Local System (T1005)
  • Application Layer Protocol: Web Protocols (T1071.001)
  • Exfiltration (tactic TA0010)
  • Data Encrypted for Impact (T1486)
  • Inhibit System Recovery (T1490)
