FBI and CISA Issue Advisory on Snatch Ransomware Targeting Critical Infrastructure Sectors

In a joint cybersecurity advisory, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have raised an alarm regarding the activities of Snatch, a notorious ransomware-as-a-service (RaaS) operation that has been wreaking havoc since at least 2018. The advisory warns that Snatch has escalated its attacks on critical infrastructure sectors, particularly focusing on the IT sector, the U.S. defense industrial base, and the food and agriculture vertical. Snatch’s evolving tactics, use of stolen data, and unique features have made it a significant threat to organizations across North America. Let’s delve into the details of this nefarious ransomware and the measures organizations can take to protect themselves.

Overview of Snatch Ransomware-as-a-Service (RaaS) Operation

Since its emergence in 2018, Snatch has become one of the most prominent ransomware-as-a-service operations in the cybercriminal landscape. With its sophisticated infrastructure and extensive network of affiliates, Snatch offers ransomware capabilities to other threat actors, enabling them to launch ransomware attacks more effectively.

Warning about Snatch Targeting Critical Infrastructure Sectors

The FBI and CISA advisory highlights the increasing threats posed by Snatch to critical infrastructure sectors. These sectors, which are the backbone of nations’ economies, are particularly attractive targets for ransomware operators seeking financial gain or potential disruption.

Evolution of Snatch’s tactics and usage of stolen data

Snatch has adapted its tactics over time, leveraging stolen data from other ransomware variants to exploit victims into paying the ransom. This not only increases the credibility of their threats but also raises concerns about the potential sale or public leak of sensitive information if the ransom demands are not met.

Snatch’s Unique Capability: Forcing Systems into Safe Mode

One of the most notable capabilities of Snatch is its ability to force Windows systems to reboot into Safe Mode. By doing so, this insidious malware can encrypt files undetected by traditional antivirus tools, as Safe Mode limits the number of running Windows services.

Safe Mode Evasion and File Encryption

Snatch’s ability to operate in Safe Mode allows it to circumvent endpoint security controls and encrypt files without detection. This stealthy approach poses a significant challenge for organizations relying solely on traditional antivirus solutions for protection.

Exfiltration of Data and Threats of Public Leak

Ransomware operators go beyond encryption and have been known to exfiltrate sensitive data from victim organizations. They threaten to publicly release or sell this data unless the ransom is paid promptly. Such extortion tactics increase the pressure on victims to comply with their demands.

Targeting weaknesses in Remote Desktop Protocol (RDP) and stolen credentials

Snatch gains initial network access by exploiting weaknesses in the Remote Desktop Protocol (RDP). Additionally, the operators have adopted the use of stolen or purchased credentials to infiltrate target networks. This combination allows them to move freely within compromised infrastructures.

Prolonged reconnaissance and use of legitimate and malicious tools

Once inside a network, Snatch operators engage in a thorough reconnaissance phase, spending months searching for specific files and folders to target. They employ a combination of both legitimate and malicious tools to achieve their objectives, making detection and mitigation challenging.

Recent signs of renewed activity and indicator alignment

Although Snatch’s activity has shown some signs of waning, recent observations indicate a limited resurgence. The indicators of compromise identified by cybersecurity experts align with those highlighted in the FBI and CISA advisory, emphasizing the importance of remaining vigilant and implementing robust security measures.

Snatch’s primary focus is on North American organizations

In the past year, Snatch’s attacks have primarily targeted North American organizations, with a staggering 70 attacks documented between July 2022 and June 2023. This regional focus underscores the need for heightened cybersecurity preparedness and response measures within this jurisdiction.

The FBI and CISA advisory serves as a critical reminder for organizations to remain proactive in their cybersecurity efforts, especially in the face of evolving ransomware threats like Snatch. It is imperative for organizations to prioritize comprehensive security measures, including implementing strong network defenses, patching vulnerabilities, regularly backing up critical data, and training employees to recognize and mitigate phishing attacks. By fortifying their cyber defenses, organizations can mitigate the risk of falling victim to Snatch and other ransomware operations, safeguarding not only their sensitive data but also the critical infrastructure sectors that underpin economies and society at large.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable