Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Critical Infrastructure Organizations Warned of Snatch Ransomware Attacks

The FBI and CISA are warning critical infrastructure organizations of ongoing Snatch ransomware attacks, which also involve data exfiltration.

The FBI and the cybersecurity agency CISA on Wednesday published an advisory warning critical infrastructure organizations of ongoing Snatch ransomware attacks.

Active since 2018, Snatch is offered under the ransomware-as-a-service (RaaS) model, and has been targeting organizations in the United States since 2019. Since November 2021, the group has been operating a leaks site, where it threatens to publish stolen data unless a ransom is paid.

Initially called Team Truniger and likely associated with GandCrab, the Snatch ransomware group has been observed purchasing data stolen by other hacking groups, to further extort victims.

The Snatch group, the FBI and CISA’s advisory explains, typically exploits remote desktop protocol (RDP) vulnerabilities for initial access, but was also seen acquiring compromised credentials from cybercrime forums.

The group uses compromised administrator credentials for persistent access to victims’ networks, and establishes command-and-control (C&C) communication over HTTPS. The C&C server, the two agencies say, is hosted by a Russian bulletproof hosting service.

Prior to ransomware deployment, the Snatch threat actors spend up to three months on victims’ networks, searching for valuable data to exfiltrate and identifying systems they can encrypt. They also attempt to disable security software.

Once executed, the Snatch ransomware modifies registry keys, enumerates the system, searches for specific processes, and creates benign processes to execute various batch files. In some cases, it also attempts to delete volume shadow copies.

The ransomware was also seen rebooting systems in Safe Mode, to circumvent endpoint detection solutions and to encrypt victims’ files while only a few services are running on the infected systems.

Advertisement. Scroll to continue reading.

The malware appends hexadecimal characters to file and folder names and drops a ransom note in each folder, instructing victims to engage in communication over email or using the Tox platform.

“Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site,” the FBI and CISA explain.

The two agencies also note that, in some cases, although a different ransomware family was deployed, the victims were extorted by the Snatch group, which led to the stolen data being posted on two ransomware leaks sites.

The FBI and CISA have published indicators of compromise (IoCs) and MITRE ATT&CK tactics and techniques associated with Snatch, as well as a series of recommended mitigations that organizations can implement to improve their cybersecurity posture.

Related: Cybersecurity Companies Report Surge in Ransomware Attacks

Related: Critical Infrastructure Organizations Warned of BianLian Ransomware Attacks

Related: New Babuk-Based Ransomware Targeting Organizations in US, Korea

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Coro, a provider of cybersecurity solutions for SMBs, has appointed Joe Sykora as CEO.

SonicWall has hired Rajnish Mishra as Senior Vice President and Chief Development Officer.

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.