The FBI and the cybersecurity agency CISA on Wednesday published an advisory warning critical infrastructure organizations of ongoing Snatch ransomware attacks.
Active since 2018, Snatch is offered under the ransomware-as-a-service (RaaS) model, and has been targeting organizations in the United States since 2019. Since November 2021, the group has been operating a leaks site, where it threatens to publish stolen data unless a ransom is paid.
Initially called Team Truniger and likely associated with GandCrab, the Snatch ransomware group has been observed purchasing data stolen by other hacking groups, to further extort victims.
The Snatch group, the FBI and CISA’s advisory explains, typically exploits remote desktop protocol (RDP) vulnerabilities for initial access, but was also seen acquiring compromised credentials from cybercrime forums.
The group uses compromised administrator credentials for persistent access to victims’ networks, and establishes command-and-control (C&C) communication over HTTPS. The C&C server, the two agencies say, is hosted by a Russian bulletproof hosting service.
Prior to ransomware deployment, the Snatch threat actors spend up to three months on victims’ networks, searching for valuable data to exfiltrate and identifying systems they can encrypt. They also attempt to disable security software.
Once executed, the Snatch ransomware modifies registry keys, enumerates the system, searches for specific processes, and creates benign processes to execute various batch files. In some cases, it also attempts to delete volume shadow copies.
The ransomware was also seen rebooting systems in Safe Mode, to circumvent endpoint detection solutions and to encrypt victims’ files while only a few services are running on the infected systems.
The malware appends hexadecimal characters to file and folder names and drops a ransom note in each folder, instructing victims to engage in communication over email or using the Tox platform.
“Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site,” the FBI and CISA explain.
The two agencies also note that, in some cases, although a different ransomware family was deployed, the victims were extorted by the Snatch group, which led to the stolen data being posted on two ransomware leaks sites.
The FBI and CISA have published indicators of compromise (IoCs) and MITRE ATT&CK tactics and techniques associated with Snatch, as well as a series of recommended mitigations that organizations can implement to improve their cybersecurity posture.