Still Snatching

The Snatch Ransomware group was first discovered at the end of 2019. The ransomware gained publicity due to its novel encryption method, in which it reboots the target machine into Safe Mode and disables a number of security services before encrypting files, limiting the likelihood of detection.

Snatch also differs from the major ransomware groups in that it uses targeted attacks rather than large phishing campaigns to gain access to specific companies. The group has been described as a big game hunter that targets large corporations and government organizations.

Initial access usually exploits vulnerabilities in Remote Desktop Protocol (RDP), Virtual Network Computing (VNC), TeamViewer, WebShells, and SQL Injection.[1] Once initial access is established, the group lies in wait, slowly escalating its privileges until it can access internal domain controllers and spread the malware to as many computers on the network as possible. The group spreads using legitimate tools including Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, and more, making it difficult to detect. The final step is to add a registry key and a Windows service to start Snatch in Safe Mode and force the infected machines to reboot. Upon reboot, Snatch begins encrypting files. The group then uses double extortion tactics, exfiltrating information and threatening to leak it unless the ransom is paid. Snatch ransomware has been observed running on Windows versions 7 through 10 on both 32-bit and 64-bit systems.
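Because the Safe Mode step above depends on a service being registered under the SafeBoot registry keys, those keys are a useful place for defenders to look. The following PowerShell audit is an added example, not code from the Red Sky Alliance post; it assumes that a SafeBoot service whose binary lives outside the Windows directory deserves a closer look, and it treats a persistent "safeboot" entry in the boot configuration as a warning sign.

```powershell
# Added example (not from the article): audit the registry keys Windows consults
# when booting into Safe Mode, and check for a persistent Safe Mode boot setting.
# Assumption: a service binary outside the Windows directory is flagged; tune to taste.

$safeBootKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)

# ImagePath forms seen on a normal host: \SystemRoot\..., system32\..., %SystemRoot%\..., C:\Windows\...
$windowsRoot = [regex]::Escape($env:SystemRoot)
$trustedPath = "^(\\\?\?\\)?`"?(\\?SystemRoot\\|system32\\|$windowsRoot\\)"

function Get-SafeBootServiceAudit {
    foreach ($key in $safeBootKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $name = $entry.PSChildName
            # GUID-named entries are device setup classes, not services: skip them
            if ($name -match '^\{[0-9A-Fa-f-]+\}$') { continue }
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
            if (-not (Test-Path $svcKey)) { continue }
            $svc = Get-ItemProperty -Path $svcKey
            $imagePath = [Environment]::ExpandEnvironmentVariables([string]$svc.ImagePath)
            [pscustomobject]@{
                SafeBootKey = Split-Path $key -Leaf
                Service     = $name
                # The subkey's default value records whether the entry is a Service or a Driver
                Kind        = (Get-ItemProperty -Path $entry.PSPath).'(default)'
                ImagePath   = $imagePath
                Start       = $svc.Start
                Suspicious  = ($imagePath -ne '') -and ($imagePath -notmatch $trustedPath)
            }
        }
    }
}

# A persistent "safeboot" setting in the boot configuration would send every
# reboot into Safe Mode; a healthy workstation should not carry one.
function Test-PersistentSafeBoot {
    $bcd = bcdedit /enum '{current}' 2>$null
    return [bool]($bcd -match '^\s*safeboot\s')
}

Get-SafeBootServiceAudit | Where-Object Suspicious | Format-Table -AutoSize
if (Test-PersistentSafeBoot) { Write-Warning 'Boot configuration is set to enter Safe Mode on every reboot' }
```

Run it from an elevated prompt, since reading the boot configuration requires administrator rights; compare the full (unfiltered) output against a known-clean image of the same Windows build to catch entries that hide under a trusted path.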

According to the Cyber Threat Analysis Center (CTAC) tool by Red Sky Alliance, recent targets of the Snatch Ransomware group are located around the world, including the United States, England, India, Thailand, and Sweden. Pictured below is a screenshot from CTAC showing the number of compromised organizations posted on the Snatch TOR site in the last ninety days. Though the group has been around for close to four years, it continues to be active and effective, with seventy-six (76) posts in the last ninety days.

To protect your organization from Snatch Ransomware attacks, it is important to close internet-facing RDP ports and use a VPN to connect to the organization's network. Using strong passwords and multifactor authentication can also help prevent attackers from gaining access through brute force attacks. Based on a report from Sophos, the majority of initial access locations are unprotected and unmonitored devices, so it is important to keep track of the devices on your network and conduct regular vulnerability scans to minimize the security gaps that exist.[2]

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516

[1] https://www.pcrisk.com/internet-threat-news/16543-snatch-ransomware-has-a-new-trick

[2] https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/