No more Ketchup?

A known ransomware group claims to have breached the systems of Kraft Heinz, but the food company says it cannot verify the cybercriminals’ allegations.  The ransomware group named Snatch publicly named Kraft Heinz on its website on 14 December 2023, but the post appears to have been created on 16 August 2023, which indicates that the attack occurred months ago.


Snatch ransomware first appeared in 2018 and was formerly called Team Truniger. Snatch employs a Ransomware-as-a-Service (RaaS) business model and provides ransomware payloads to other threat actors for a fee.  Snatch also uses double extortion tactics by exfiltrating their victims' sensitive data.  Unless the demanded ransom is paid, Snatch threatens to release the stolen data to the public, pressuring their victims into paying the ransom.[1]

Snatch ransomware operators use automated brute-force attacks against exposed remote desktop services for initial access.  Adversaries also acquire compromised credentials from Initial Access Brokers (IABs).  As a critical characteristic, Snatch ransomware forces the infected host to reboot into Safe Mode before encrypting the victim's files.  This defense evasion tactic allows Snatch ransomware to encrypt its victims' data without interference from antivirus or endpoint protection, because third-party endpoint protection services are typically not started when Windows boots into Safe Mode.

As an active ransomware group, Snatch continues to add new techniques and tools into its arsenal, and organizations should ensure that their operations are safe against Snatch ransomware attacks.  CISA recommends organizations validate their security controls against the Snatch ransomware group's threat behaviors mapped to the MITRE ATT&CK framework.
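The two behaviors described above, password-guessing against remote desktop services and forcing a Safe Mode reboot before encryption, both leave traces in ordinary Windows telemetry, which is what a control validation against the ATT&CK-mapped behaviors should exercise. The following is an added detection example written for this article; it is not code from Red Sky Alliance, CISA or the Snatch operators. It runs two simple rules over constructed, inline sample events whose field names (ts, event_id, logon_type, src_ip, cmdline, and so on) are assumptions modeled loosely on Windows Security logon events (4625 failed logon, 4624 successful logon, logon type 10 for RDP) and Sysmon process-creation events. The Safe Mode rule keys on bcdedit modifying the safeboot boot setting, which is the standard command-line way to schedule a Safe Mode boot on Windows; the threshold and window for the brute-force rule are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Field names are assumptions
# modeled on Windows Security logon events and Sysmon process-creation events.
SAMPLE_EVENTS = [
    # burst of failed RDP logons (4625, logon_type 10) from one source, seconds apart
    {"ts": "2023-08-16T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator", "host": "RDPGW01"},
    {"ts": "2023-08-16T02:00:03", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin", "host": "RDPGW01"},
    {"ts": "2023-08-16T02:00:05", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup", "host": "RDPGW01"},
    {"ts": "2023-08-16T02:00:08", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup", "host": "RDPGW01"},
    {"ts": "2023-08-16T02:00:11", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup", "host": "RDPGW01"},
    # successful RDP logon (4624) from the same source right after the burst
    {"ts": "2023-08-16T02:00:14", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "svc_backup", "host": "RDPGW01"},
    # one mistyped password by a legitimate user: stays below the threshold
    {"ts": "2023-08-16T09:15:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith", "host": "RDPGW01"},
    # console logon failure (logon_type 2): not RDP, ignored by the RDP rule
    {"ts": "2023-08-16T09:16:00", "event_id": 4625, "logon_type": 2, "src_ip": "-", "user": "jsmith", "host": "WS042"},
    # process creation: boot configuration changed so the next reboot lands in Safe Mode
    {"ts": "2023-08-16T02:20:30", "event_id": 1, "host": "FILESRV01", "user": "svc_backup",
     "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} safeboot minimal"},
    # benign, read-only bcdedit usage by an administrator
    {"ts": "2023-08-16T10:00:00", "event_id": 1, "host": "ADMIN01", "user": "itops",
     "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /enum"},
]

RDP_LOGON_TYPE = 10  # RemoteInteractive


def _parse_ts(value):
    return datetime.fromisoformat(value)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed RDP logons inside a sliding
    time window, and note whether a successful RDP logon from the same source
    followed the burst (a guessed password is the outcome worth escalating)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in events:
        if e.get("logon_type") != RDP_LOGON_TYPE:
            continue
        ts = _parse_ts(e["ts"])
        if e["event_id"] == 4625:
            failures[e["src_ip"]].append(ts)
        elif e["event_id"] == 4624:
            successes[e["src_ip"]].append(ts)

    alerts = []
    for src, times in failures.items():
        times.sort()
        best, best_end, start = 0, None, 0
        # two-pointer sweep: largest number of failures inside any window-sized span
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, times[end]
        if best >= threshold:
            followed = any(t >= best_end for t in successes.get(src, []))
            alerts.append({"src_ip": src, "failures": best,
                           "window_end": best_end.isoformat(),
                           "followed_by_success": followed})
    return alerts


# bcdedit changing (or later clearing) the safeboot value; read-only calls such as
# "bcdedit /enum" do not match.
SAFEBOOT_RE = re.compile(r"\bbcdedit(\.exe)?\b.*/(set|deletevalue)\b.*\bsafeboot\b",
                         re.IGNORECASE)


def detect_safeboot_tampering(events):
    """Flag process creations in which bcdedit modifies the Safe Mode boot setting."""
    hits = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        cmd = e.get("cmdline", "")
        if SAFEBOOT_RE.search(cmd):
            hits.append({"host": e["host"], "user": e.get("user"),
                         "ts": e["ts"], "cmdline": cmd})
    return hits


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print("RDP brute force:", alert)
    for hit in detect_safeboot_tampering(SAMPLE_EVENTS):
        print("Safe Mode boot tampering:", hit)
```

On the sample data the brute-force rule fires once, for 203.0.113.7 with five failures followed by a success, and the Safe Mode rule fires once, for FILESRV01; the single mistyped password and the read-only bcdedit call are ignored. Because the Safe Mode reboot happens before encryption starts, an alert on the bcdedit change is one of the few signals that arrives while there is still time to isolate the host.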

In a recent statement, Kraft Heinz said it is investigating claims of a cyberattack that occurred several months ago.  The company said the target appeared to be a decommissioned marketing site hosted on an external platform, but it’s currently unable to verify the hackers’ claims.  “Our internal systems are operating normally, and we currently see no evidence of a broader attack,” Kraft Heinz said.  The cybercriminals have yet to publish any files as proof of their claims.

Kraft Heinz is one of the world’s biggest food and beverage companies, with roughly 37,000 employees worldwide.  The company owns over 20 brands, including Kraft, Heinz, Boca Burger, Gevalia, Grey Poupon, Oscar Mayer, Philadelphia Cream Cheese, Primal Kitchen, and Wattie’s.

The US government stated in a recent report that the individuals behind the operation may have been active since at least 2018, with evidence pointing to links to other well-known ransomware operations.  The group typically encrypts files on the targeted organization’s systems and steals data it threatens to leak to increase the chances of getting paid.  Its leak website currently names more than 120 alleged victims. It was discovered a few months ago that Snatch’s site had been leaking data related to its internal operations, as well as the IPs of visitors.


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or   
