
FBI and CISA Jointly Issue Warning on ‘Snatch’ Ransomware-as-a-Service


A recent joint advisory from the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA) details the growing threat posed by the ransomware-as-a-service (RaaS) operation known as "Snatch." The alert emphasizes the group's targeting of critical infrastructure sectors and describes its evolving tactics and capabilities.

According to the advisory, Snatch has been active since at least 2018 and has recently ramped up its activities, particularly over the past 12 to 18 months. The threat actor has claimed responsibility for several high-profile attacks, including those targeting South Africa’s Department of Defense, the city of Modesto in California, Canada’s Saskatchewan airport, and the London-based organization Briars Group, among others.

One of the key features that sets Snatch apart is that it forces Windows systems to reboot into Safe Mode before encrypting. The ransomware registers itself as a Windows service configured to load in Safe Mode, changes the boot configuration so that the next start is a Safe Mode boot, and forces a restart. Because many antivirus and endpoint protection products do not load in Safe Mode, the payload can then encrypt files with little interference. Security researchers at Sophos, one of the first vendors to track Snatch, warned about the severity of this technique when they first documented it and said it needed to be highlighted to the security industry and end users.

The Snatch ransomware also has the capability to steal data from compromised systems before encryption, which it has routinely used to exfiltrate sensitive data from victim organizations. The threat actors behind Snatch have been known to threaten to publicly leak or sell the stolen data if their ransom demands are not met. In some cases, they have even purchased data stolen by other ransomware groups to use as leverage against their victims.

In many instances, Snatch operators have brute-forced exposed Remote Desktop Protocol (RDP) services to obtain administrator-level credentials and access to target networks. They have also used stolen or purchased credentials to establish an initial foothold. Once inside, the threat actor can spend several months moving laterally and searching for valuable files and folders to exfiltrate and encrypt.

The FBI and CISA advisory describes Snatch operators as using a combination of legitimate and malicious tools on compromised networks. These include the open-source Metasploit framework for post-compromise activity, Cobalt Strike for lateral movement, and built-in Windows utilities such as sc.exe to create, configure, query, start and stop services.

While Snatch has targeted various sectors, the advisory highlighted that North American organizations have been the primary focus of their attacks. Between July 2022 and June 2023, there were 70 tracked attacks by Snatch across different verticals, with the majority occurring in North America.

The advisory does not say what prompted its release, but its message is that Snatch remains a significant threat to critical infrastructure sectors. Organizations in these sectors should prioritize two controls the advisory's findings point at directly: reduce RDP exposure (no RDP reachable from the internet, Network Level Authentication and multi-factor authentication enforced, account lockout against brute forcing), and make sure the Safe Mode trick is covered, either by confirming that endpoint protection still loads in Safe Mode or by alerting on changes to the boot configuration and to the Safe Mode service list before the reboot happens.
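The following script is an added example for this article, not code from the FBI/CISA advisory, from Sophos, or from the Snatch operators. It checks a Windows host for the conditions discussed above: services registered to load in Safe Mode (the persistence the ransomware relies on to run after the forced reboot), a pending Safe Mode boot in the boot configuration, and the RDP exposure settings. It must be run in an elevated PowerShell session on the host being examined; the function names, the "not Microsoft-signed" heuristic and the output layout are this example's own choices, not an official baseline.

```powershell
# Hunt for Safe Mode persistence, a forced Safe Mode boot, and RDP exposure.
# Added example for this article; not from the FBI/CISA advisory or Sophos.
# Run elevated. Heuristics and names are this example's own assumptions.

function Get-SafeBootServiceEntries {
    # Keys under SafeBoot\Minimal and SafeBoot\Network are loaded in Safe Mode.
    # Entries whose default value is 'Service' name a Win32 service; those are
    # the ones a ransomware operator would add to survive the forced reboot.
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.GetValue('') -eq 'Service' } |
            ForEach-Object {
                $name = $_.PSChildName
                $svc  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue
                $image = if ($svc) { $svc.ImagePath } else { $null }

                # Reduce ImagePath to the executable: strip quotes/arguments and
                # resolve the \SystemRoot, %SystemRoot% and relative forms.
                $exe = $null
                if ($image) {
                    $exe = if ($image -match '^"([^"]+)"') { $Matches[1] } else { ($image -split ' ')[0] }
                    $exe = [Environment]::ExpandEnvironmentVariables($exe)
                    $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot
                    $exe = $exe -replace '^\\\?\?\\', ''
                    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
                }

                # Authenticode check: a Safe Mode service whose binary is not
                # Microsoft-signed is worth a look (heuristic, not proof).
                $signer = $null
                $exists = $exe -and (Test-Path -LiteralPath $exe)
                if ($exists) {
                    $sig = Get-AuthenticodeSignature -FilePath $exe
                    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "NOT-VALID/$($sig.Status)" }
                }

                [pscustomobject]@{
                    Mode       = $mode
                    Service    = $name
                    ImagePath  = $image
                    Signer     = $signer
                    Suspicious = (-not $svc) -or (-not $exists) -or ($signer -notlike '*O=Microsoft Corporation*')
                }
            }
    }
}

function Test-ForcedSafeBoot {
    # 'bcdedit /set {current} safeboot minimal' leaves a 'safeboot' element on
    # the current boot entry; returns its value (e.g. 'Minimal') or $null.
    $out = & bcdedit.exe /enum '{current}' 2>&1 | Out-String
    if ($out -match '(?im)^\s*safeboot\s+(\S+)') { return $Matches[1] }
    return $null
}

function Get-RdpExposure {
    # Settings the brute-forcing described in the advisory depends on.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled         = ($ts.fDenyTSConnections -eq 0)
        NlaRequired        = ($tcp.UserAuthentication -eq 1)
        ListeningPort      = $tcp.PortNumber
        RemoteDesktopUsers = (Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                              Select-Object -ExpandProperty Name)
    }
}

# --- Report -----------------------------------------------------------------
$entries = Get-SafeBootServiceEntries
"Safe Mode services: $($entries.Count) total, $(@($entries | Where-Object Suspicious).Count) flagged"
$entries | Where-Object Suspicious | Format-Table Mode, Service, ImagePath, Signer -AutoSize

$pending = Test-ForcedSafeBoot
if ($pending) { Write-Warning "BCD safeboot=$pending is set on {current}: the next reboot goes to Safe Mode" }
else          { 'No forced Safe Mode boot pending' }

Get-RdpExposure | Format-List
```

Flagged entries are a starting point, not a verdict: some legitimate third-party agents register in SafeBoot so they can run there, which is exactly what you want from an endpoint product. The useful follow-up is to baseline this output on a clean build of each image and alert on any new SafeBoot service or any non-null `safeboot` element, since the value of the check is in catching the change before the reboot rather than after encryption.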

The advisory is a reminder of the constantly evolving nature of ransomware threats and of the need for continued vigilance and proactive defense. Public-private collaboration, as exemplified by the joint FBI and CISA advisory, is crucial for disseminating threat intelligence and enabling organizations to protect themselves against such threats.
