In a recent cybersecurity advisory, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have shed light on the activities of the Snatch ransomware group, a Russia-based criminal organization. Although the group has existed since 2018, it has garnered attention in recent months due to its audacious attacks on various sectors, including agriculture, IT, and defense industries. The agencies have issued a joint warning, emphasizing the evolving tactics employed by Snatch and the need for heightened awareness among potential targets.
Snatch: A Notorious Ransomware-as-a-Service Operation:
The Snatch ransomware gang, often referred to as a Ransomware-as-a-Service (RaaS) operation, has been a persistent menace to organizations worldwide. Despite its origins dating back to 2018, it has recently garnered significant attention due to high-profile attacks on South Africa’s Defense Department, the Metropolitan Opera, and the city government of Modesto, California.
Evolution of Tactics:
According to the FBI and CISA advisory, Snatch has consistently evolved its tactics since mid-2021 to align with current cybercriminal trends. One notable aspect is its use of a Russian bulletproof hosting service for command-and-control servers, making its activities difficult to trace. Snatch has also initiated connections through virtual private networks (VPNs) and has circumvented antivirus software by rebooting devices into Safe Mode.
Targeting Critical Infrastructure Sectors:
Snatch’s targets are not limited to a single industry; it has cast its net wide, aiming at crucial sectors such as the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology. This broad range of targets highlights its audacious and adaptable nature.
Ransomware Double Extortion:
The modus operandi of Snatch includes the infamous double extortion tactic. In addition to encrypting victims’ data, the gang exfiltrates sensitive information and threatens to release it on its extortion blog if the ransom is not paid promptly. This strategy adds a layer of pressure on victims to comply.
Affiliations and Intricate Techniques:
The Snatch gang has not shied away from affiliating with other ransomware groups, purchasing stolen data, and using it to extort victims further. Their attacks are characterized by brute-forcing Remote Desktop Protocol (RDP) endpoints, using dark web-acquired credentials, and deploying tools like Metasploit and Cobalt Strike for lateral movement and data exfiltration.
Unique Safe Mode Reboot:
One of Snatch’s distinguishing features is its ability to force Windows systems to reboot into Safe Mode during attacks. This clever tactic allows the ransomware to operate undetected by many antivirus tools that do not function in Safe Mode. This innovative approach makes Snatch a formidable adversary.
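Because the Safe Mode reboot has to be prepared with ordinary administrative commands before the restart, it leaves a visible trail in process-creation telemetry. The following detector is an added example written for this article, not code from the advisory or from SpearTip; it runs over constructed sample events shaped like Sysmon Event ID 1 / Windows 4688 records and flags a host where a Safe Mode configuration change (a `bcdedit ... safeboot` call, or a `reg add` under the `SafeBoot\Minimal` or `SafeBoot\Network` keys that lets a service keep running in Safe Mode) is followed by a forced reboot within a short window.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not taken from the advisory);
# the fields mirror what a Sysmon Event ID 1 or Windows 4688 record carries.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"ts": 130, "host": "ws01", "cmdline": "shutdown /r /f /t 0"},
    {"ts": 200, "host": "ws02", "cmdline": "bcdedit /enum"},
    {"ts": 300, "host": "srv01", "cmdline":
        'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\svc" /ve /d Service /f'},
    {"ts": 1000, "host": "srv01", "cmdline": "shutdown /r /t 0"},
]

# Commands that make the next boot a Safe Mode boot, or register a service so
# it still starts in Safe Mode (where many antivirus products do not run).
SAFEBOOT_CONFIG = re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)
SAFEBOOT_SERVICE = re.compile(r"\breg(\.exe)?\b\s+add\b.*\\SafeBoot\\(Minimal|Network)\\", re.I)
FORCED_REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)


def classify(cmdline):
    """Tag one command line: 'safeboot_setup', 'reboot', or None if unrelated."""
    if SAFEBOOT_CONFIG.search(cmdline) or SAFEBOOT_SERVICE.search(cmdline):
        return "safeboot_setup"
    if FORCED_REBOOT.search(cmdline):
        return "reboot"
    return None


def detect(events, window=600):
    """Return {host: severity}. A Safe Mode setup alone is 'medium'; a setup
    followed by a reboot on the same host within `window` seconds is 'high'."""
    setups = defaultdict(list)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        tag = classify(ev["cmdline"])
        if tag == "safeboot_setup":
            setups[ev["host"]].append(ev["ts"])
            alerts.setdefault(ev["host"], "medium")
        elif tag == "reboot" and any(ev["ts"] - t <= window for t in setups[ev["host"]]):
            alerts[ev["host"]] = "high"
    return alerts


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # ws01 pairs setup+reboot; srv01 reboots outside the window
```

On a real estate this logic would sit on the SIEM side, keyed on the same command-line field; the `bcdedit /enum` event shows that plain boot-configuration queries are not flagged.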
Snatch’s operations have caused havoc worldwide. Notable incidents include crippling the IT system of Modesto, California, disrupting a Wisconsin school district’s network, and compromising one of Florida’s largest hospitals, affecting over 1.2 million patients. Furthermore, an attack on South Africa’s Defense Department during the BRICS Summit nearly triggered an international crisis.
Focus on North America:
Recent data suggests that Snatch has primarily focused its attacks on North American targets. Between July 2022 and June 2023, the group launched 70 attacks in the region, emphasizing its intention to infiltrate and exploit organizations in this geographic area.
The Snatch ransomware gang is a formidable and evolving threat that poses significant risks to organizations across various sectors. Its ability to adapt, coupled with its double extortion tactics and Safe Mode reboot capabilities, makes it a persistent adversary. As the cyber threat landscape continues to evolve, organizations must remain vigilant and implement robust cybersecurity measures to protect against such threats. Collaborative efforts between law enforcement agencies and cybersecurity professionals are essential to combat this growing menace.

At SpearTip, our certified engineers are working 24/7/365 at our Security Operations Center monitoring companies’ networks for potential ransomware threats and ready to respond to incidents at a moment’s notice. The remediation team works to restore companies’ operations, reclaim their network by isolating malware, and recover business-critical assets. SpearTip will examine companies’ security posture to improve the weak points in their networks. Our team engages with companies’ people, processes, and technology to measure the maturity of the technical environments. For all vulnerabilities uncovered, our analysts and engineers provide technical roadmaps ensuring companies have the awareness and support to optimize their overall cybersecurity posture.
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.