In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have raised an alarm regarding the activities of Snatch, a notorious ransomware-as-a-service (RaaS) operation that has been wreaking havoc since at least 2018. The advisory warns that Snatch has escalated its attacks on critical infrastructure sectors, particularly focusing on the IT sector, the U.S. defense industrial base, and the food and agriculture vertical. Snatch’s evolving tactics, use of stolen data, and unique features have made it a significant threat to organizations across North America. Let’s delve into the details of this nefarious ransomware and the measures organizations can take to protect themselves.
Overview of Snatch Ransomware-as-a-Service (RaaS) Operation
Since its emergence in 2018, Snatch has become one of the most prominent ransomware-as-a-service operations in the cybercriminal landscape. With its sophisticated infrastructure and extensive network of affiliates, Snatch offers ransomware capabilities to other threat actors, enabling them to launch ransomware attacks more effectively.
Warning about Snatch Targeting Critical Infrastructure Sectors
The FBI and CISA advisory highlights the increasing threats posed by Snatch to critical infrastructure sectors. These sectors, which are the backbone of nations’ economies, are particularly attractive targets for ransomware operators seeking financial gain or potential disruption.
Evolution of Snatch’s tactics and usage of stolen data
Snatch has adapted its tactics over time, leveraging stolen data from other ransomware variants to exploit victims into paying the ransom. This not only increases the credibility of their threats but also raises concerns about the potential sale or public leak of sensitive information if the ransom demands are not met.
Snatch’s Unique Capability: Forcing Systems into Safe Mode
One of the most notable capabilities of Snatch is its ability to force Windows systems to reboot into Safe Mode. By doing so, this insidious malware can encrypt files undetected by traditional antivirus tools, as Safe Mode limits the number of running Windows services.
Safe Mode Evasion and File Encryption
Snatch’s ability to operate in Safe Mode allows it to circumvent endpoint security controls and encrypt files without detection. This stealthy approach poses a significant challenge for organizations relying solely on traditional antivirus solutions for protection.
Exfiltration of Data and Threats of Public Leak
Ransomware operators go beyond encryption and have been known to exfiltrate sensitive data from victim organizations. They threaten to publicly release or sell this data unless the ransom is paid promptly. Such extortion tactics increase the pressure on victims to comply with their demands.
Targeting weaknesses in Remote Desktop Protocol (RDP) and stolen credentials
Snatch gains initial network access by exploiting weaknesses in the Remote Desktop Protocol (RDP). Additionally, the operators have adopted the use of stolen or purchased credentials to infiltrate target networks. This combination allows them to move freely within compromised infrastructures.
Prolonged reconnaissance and use of legitimate and malicious tools
Once inside a network, Snatch operators engage in a thorough reconnaissance phase, spending months searching for specific files and folders to target. They employ a combination of both legitimate and malicious tools to achieve their objectives, making detection and mitigation challenging.
Recent signs of renewed activity and indicator alignment
Although Snatch’s activity has shown some signs of waning, recent observations indicate a limited resurgence. The indicators of compromise identified by cybersecurity experts align with those highlighted in the FBI and CISA advisory, emphasizing the importance of remaining vigilant and implementing robust security measures.
Snatch’s primary focus is on North American organizations
In the past year, Snatch’s attacks have primarily targeted North American organizations, with a staggering 70 attacks documented between July 2022 and June 2023. This regional focus underscores the need for heightened cybersecurity preparedness and response measures within this jurisdiction.
The FBI and CISA advisory serves as a critical reminder for organizations to remain proactive in their cybersecurity efforts, especially in the face of evolving ransomware threats like Snatch. It is imperative for organizations to prioritize comprehensive security measures, including implementing strong network defenses, patching vulnerabilities, regularly backing up critical data, and training employees to recognize and mitigate phishing attacks. By fortifying their cyber defenses, organizations can mitigate the risk of falling victim to Snatch and other ransomware operations, safeguarding not only their sensitive data but also the critical infrastructure sectors that underpin economies and society at large.