The U.S. FBI and CISA released a joint cybersecurity advisory warning of the Snatch ransomware operation.
Snatch first appeared in 2018 and operates on a ransomware-as-a-service model. The first known victim in the U.S. of a Snatch ransomware attack was ASP.NET hosting provider SmarterASP.NET in 2019.
The joint advisory echoes the TTPs associated with Snatch ransomware identified through FBI investigations as recently as June 1, 2023.
Snatch threat actors are said to be consistently evolving their tactics to take advantage of current trends and have leveraged the successes of other ransomware operations. Affiliates using Snatch have targeted critical infrastructure sectors, including companies and organizations in the defense, food and agriculture, and information technology sectors.
Like many ransomware actors over the last few years, Snatch operates on a so-called double-extortion basis: it both encrypts data and steals it, then demands that a ransom be paid not only for a decryption key but also for a promise that the stolen data will not be published on Snatch’s dark web site.
Recent victims of Snatch ransomware attacks, as listed on its dark web site, include the Florida Department of Veterans’ Affairs, Zilli, CEFCO Inc., the South African Department of Defense and the Briars Group Ltd.
A distinctive tactic used by the Snatch ransomware group leverages ‘stealthy malware’ that takes advantage of the fact that endpoint protection software on many Windows computers is often not loaded in Safe Mode. Snatch ransomware avoids detection by forcing infected hosts to reboot into Safe Mode before encrypting.
In many attacks, Snatch operators have targeted weaknesses in Remote Desktop Protocol (RDP) to gain administrator-level access to a target network. In other instances, they have used stolen or purchased credentials to gain an initial foothold. Once on a network, the threat actor can spend up to three months moving around the network, searching for files and folders to target.
The FBI and CISA advisory described Snatch operators as using a combination of legitimate and malicious tools on compromised networks. These include post-compromise tools such as the Metasploit open-source penetration-testing framework, Cobalt Strike for lateral movement, and utilities such as sc.exe to create, query, add, and delete services and perform other tasks.
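As an added illustration of how a defender might hunt for the Safe Mode evasion and the sc.exe service manipulation described above, the script below is example code written for this page (not from the advisory or any vendor product) that runs a few detection rules over constructed process-creation log lines. The rules key on the standard Windows controls for a Safe Mode boot (the bcdedit safeboot setting and the SafeBoot service registry keys); the log format, host names and the service name `upd` are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (not taken from the advisory), one per
# line: timestamp|host|parent image|command line
SAMPLE_EVENTS = """\
2023-06-01T02:11:03|WS-07|cmd.exe|bcdedit.exe /set {current} safeboot minimal
2023-06-01T02:11:09|WS-07|cmd.exe|sc.exe create upd binPath= C:\\Users\\Public\\upd.exe start= auto
2023-06-01T02:11:15|WS-07|cmd.exe|reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\upd /ve /d Service /f
2023-06-01T02:12:40|WS-07|cmd.exe|shutdown /r /f /t 0
2023-06-01T09:30:00|WS-12|explorer.exe|sc.exe query wuauserv
2023-06-01T09:31:12|SRV-01|cmd.exe|bcdedit.exe /enum
"""

# (rule name, severity, pattern on the command line). Read-only use of the same
# tools (sc query, bcdedit /enum) is deliberately left unmatched.
RULES = [
    ("bcdedit_safeboot", "high", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("safeboot_service_registered", "high", re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I)),
    ("sc_create_service", "medium", re.compile(r"\bsc(\.exe)?\s+(create|config)\b", re.I)),
    ("forced_reboot", "low", re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)),
]
SAFEBOOT_RULES = {"bcdedit_safeboot", "safeboot_service_registered"}
REBOOT_WINDOW = timedelta(minutes=10)  # how soon after a safeboot change a reboot is suspicious

def parse(line):
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, parent, cmd

def detect(events_text):
    """Return (host, severity, rule) alerts. A forced reboot within REBOOT_WINDOW
    of a safeboot change on the same host is escalated to 'critical': that is the
    moment the host comes back up without its endpoint protection loaded."""
    alerts, last_safeboot = [], {}
    for line in events_text.splitlines():
        ts, host, _parent, cmd = parse(line)
        for name, severity, rx in RULES:
            if not rx.search(cmd):
                continue
            if name in SAFEBOOT_RULES:
                last_safeboot[host] = ts
            elif name == "forced_reboot" and host in last_safeboot \
                    and ts - last_safeboot[host] <= REBOOT_WINDOW:
                severity, name = "critical", "safe_mode_reboot_chain"
            alerts.append((host, severity, name))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags only host WS-07, ending with the critical safe-mode reboot chain; the read-only sc and bcdedit usage on the other hosts produces no alerts.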
Indicators of Compromise
Gather Victim Network Information
Acquire Infrastructure: Virtual Private Server
External Remote Services
Command and Scripting Interpreter: Windows Command Shell
System Services: Service Execution
Valid Accounts: Domain Accounts
Indicator Removal: File Deletion
Impair Defenses: Disable or Modify Tools
Brute Force: Password Guessing
Remote Services: Remote Desktop Protocol
Data from Local System
Application Layer Protocols: Web Protocols
Data Encrypted for Impact
Inhibit System Recovery