CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?



Critical Infrastructure Organizations Warned of Snatch Ransomware Attacks

The FBI and CISA are warning critical infrastructure organizations of ongoing Snatch ransomware attacks, which also involve data exfiltration.

The FBI and the cybersecurity agency CISA on Wednesday published an advisory warning critical infrastructure organizations of ongoing Snatch ransomware attacks.

Active since 2018, Snatch is offered under the ransomware-as-a-service (RaaS) model, and has been targeting organizations in the United States since 2019. Since November 2021, the group has been operating a leaks site, where it threatens to publish stolen data unless a ransom is paid.

Initially called Team Truniger and likely associated with GandCrab, the Snatch ransomware group has been observed purchasing data stolen by other hacking groups, to further extort victims.

The Snatch group, the FBI and CISA’s advisory explains, typically exploits remote desktop protocol (RDP) vulnerabilities for initial access, but was also seen acquiring compromised credentials from cybercrime forums.

The group uses compromised administrator credentials for persistent access to victims’ networks, and establishes command-and-control (C&C) communication over HTTPS. The C&C server, the two agencies say, is hosted by a Russian bulletproof hosting service.

Prior to ransomware deployment, the Snatch threat actors spend up to three months on victims’ networks, searching for valuable data to exfiltrate and identifying systems they can encrypt. They also attempt to disable security software.

Once executed, the Snatch ransomware modifies registry keys, enumerates the system, searches for specific processes, and creates benign processes to execute various batch files. In some cases, it also attempts to delete volume shadow copies.

The ransomware was also seen rebooting systems in Safe Mode, to circumvent endpoint detection solutions and to encrypt victims’ files while only a few services are running on the infected systems.

Advertisement. Scroll to continue reading.

The malware appends hexadecimal characters to file and folder names and drops a ransom note in each folder, instructing victims to engage in communication over email or using the Tox platform.

“Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site,” the FBI and CISA explain.

The two agencies also note that, in some cases, although a different ransomware family was deployed, the victims were extorted by the Snatch group, which led to the stolen data being posted on two ransomware leaks sites.

The FBI and CISA have published indicators of compromise (IoCs) and MITRE ATT&CK tactics and techniques associated with Snatch, as well as a series of recommended mitigations that organizations can implement to improve their cybersecurity posture.

Related: Cybersecurity Companies Report Surge in Ransomware Attacks

Related: Critical Infrastructure Organizations Warned of BianLian Ransomware Attacks

Related: New Babuk-Based Ransomware Targeting Organizations in US, Korea

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.


Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.


US payments giant NCR has confirmed being targeted in a ransomware attack for which the BlackCat/Alphv group has taken credit.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.