Authorities in the US released a new cybersecurity advisory yesterday updating organizations on the latest tactics, techniques and procedures (TTPs) used by the Snatch ransomware-as-a-service (RaaS) group.
Although it first appeared in 2018, Snatch has been in continuous development since 2021, borrowing techniques from other operations, the Cybersecurity and Infrastructure Security Agency (CISA) and FBI explained.
It uses a classic double extortion playbook, with victim details being posted to a leak site if they fail to pay up.
“Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog,” the advisory continued.
The group typically attempts to brute force RDP endpoints or use credentials purchased on the dark web for initial access, gaining persistence by compromising an administrator account and establishing connections over port 443 to a command-and-control server hosted by a Russian bulletproof hosting service.
Affiliates use tools such as Metasploit and Cobalt Strike for lateral movement and data discovery, sometimes spending up to three months inside a victim network, the advisory added.
They often also attempt to disable antivirus in a rather idiosyncratic way.
“Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode, enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running,” the advisory explained.
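The RDP brute forcing and the Safe Mode reboot described above both leave traces in host logs that a defender can alert on. The Python below is an added example, not code from the advisory or this article; it runs over constructed, Windows-style event records and assumes the Safe Mode switch is made with bcdedit's safeboot option, one common method that the page itself does not specify.

```python
"""Two detections drawn from the Snatch advisory: a burst of failed RDP
logons from one source, and a Safe Mode boot setting followed by a reboot.
All events below are constructed; field names only mimic Windows logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. 4625 = failed logon (logon_type 10 = RDP),
# 4688 = process creation. Source addresses are documentation ranges.
SAMPLE_EVENTS = [
    {"time": f"2023-09-20T01:0{i}:00", "id": 4625, "logon_type": 10, "src": "203.0.113.5"}
    for i in range(6)
] + [
    {"time": "2023-09-20T01:30:00", "id": 4625, "logon_type": 10, "src": "198.51.100.9"},
    {"time": "2023-09-20T02:10:00", "id": 4688, "host": "FS01",
     "cmdline": "bcdedit /set {current} safeboot minimal"},  # assumed technique
    {"time": "2023-09-20T02:11:00", "id": 4688, "host": "FS01", "cmdline": "shutdown /r /t 0"},
    {"time": "2023-09-20T03:00:00", "id": 4688, "host": "WS07", "cmdline": "shutdown /r /t 0"},
]


def rdp_bruteforce_sources(events, threshold=5, window_min=10):
    """Return source IPs with >= threshold failed RDP logons in any window_min span."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            by_src[e["src"]].append(datetime.fromisoformat(e["time"]))
    window, flagged = timedelta(minutes=window_min), set()
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):
            # Sliding window: count attempts that fall inside [start, start + window].
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)


def safe_mode_reboot_hosts(events, window_min=30):
    """Hosts where a Safe Mode boot setting is written and a reboot follows soon after."""
    pending, hits, window = {}, set(), timedelta(minutes=window_min)
    for e in sorted(events, key=lambda x: x["time"]):  # ISO timestamps sort lexically
        if e["id"] != 4688:
            continue
        cmd, t = e["cmdline"].lower(), datetime.fromisoformat(e["time"])
        if "bcdedit" in cmd and "safeboot" in cmd:
            pending[e["host"]] = t  # remember when the boot entry was changed
        elif "shutdown" in cmd and "/r" in cmd.split():
            if e["host"] in pending and t - pending[e["host"]] <= window:
                hits.add(e["host"])  # reboot shortly after the Safe Mode change
    return sorted(hits)
```

The Safe Mode rule is a sequence, not a single indicator: a lone shutdown (host WS07) is ignored, which keeps the alert rate tolerable on ordinary maintenance reboots.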
Victim organizations hail from a variety of critical infrastructure sectors, including the Defense Industrial Base (DIB) and food and agriculture, as well as tech.
Michael Mumcuoglu, CEO of CardinalOps, claimed the advisory may have been issued in response to an uptick in activity from the group of late.
“There has been increased activity by the Snatch ransomware group over the past 12-18 months as they have claimed responsibility for several recent high-profile attacks including ones involving South Africa’s Department of Defense, the California city of Modesto, Canada’s Saskatchewan airport, London-based organization Briars Group and others,” he said.
Nick Hyatt, cyber practice leader at Optiv, claimed the group’s TTPs have not changed much in recent months.
“Between July 2022 and June 2023, we tracked 70 attacks by Snatch across all verticals. Overwhelmingly, those attacks were focused on North America,” he added.