US Agency Advisory Sheds Light on the Group’s Activities
According to a new alert issued by U.S. authorities, the Snatch ransomware group is targeting a wide range of critical infrastructure sectors, including the defense industrial base, food and agriculture, and information technology.
The group first appeared in 2018 and operates on a ransomware-as-a-service model, conducting operations involving data exfiltration and double extortion.
A joint advisory from the Cybersecurity and Infrastructure Security Agency and the FBI on Wednesday said that the group was earlier referred to as Team Truniger, based on the nickname of a key group member, Truniger, who operated as a GandCrab affiliate (see: Alleged GandCrab Distributor Arrested in Belarus).
Snatch threat actors employ different methods to gain access to and maintain persistence on a victim’s network. Their affiliates primarily exploit weaknesses in Remote Desktop Protocol for brute-forcing and gaining administrator credentials to victims’ networks.
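The RDP brute-forcing described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (Event ID 4625) from one source, followed by a successful logon (Event ID 4624) from the same source once a credential works. The script below is an added example, not code from the advisory or from this article; it slides a time window over constructed event records and raises one alert per offending source address. The `key=value|key=value` record layout, the field names and the sample addresses are assumptions made for the example.

```python
"""Detect RDP brute-force patterns in Windows Security events.

Added example (not from the advisory or the article): flags a source
address that produces many failed logons (Event ID 4625) over RDP
within a short window and notes when the same source later logs on
successfully (Event ID 4624), the point at which a working credential
has been obtained.  The records below are constructed; the
'key=value|key=value' layout is an assumption for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Logon types that RDP produces: 10 = RemoteInteractive, 3 = Network (NLA pre-auth).
RDP_LOGON_TYPES = {"10", "3"}


def parse_event(line):
    """Turn one constructed record into a dict with a parsed timestamp."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that reaches `threshold` RDP failures
    inside `window`; `success_user` is filled in if that source then succeeds."""
    failures = defaultdict(deque)   # src -> timestamps of recent 4625 events
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("logon_type") not in RDP_LOGON_TYPES:
            continue                # console, service or batch logons are out of scope
        src = ev["src"]
        if ev["id"] == "4625":
            recent = failures[src]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()    # slide the window forward
            if len(recent) >= threshold:
                alert = alerts.setdefault(
                    src, {"src": src, "first_failure": recent[0], "success_user": None})
                alert["failures"] = len(recent)
        elif ev["id"] == "4624" and src in alerts:
            alerts[src]["success_user"] = ev["user"]   # brute force paid off
    return list(alerts.values())


# Constructed sample: one source hammers RDP and finally succeeds as
# "administrator"; a second source fails once; a console logon is ignored.
SAMPLE_EVENTS = [
    "ts=2024-01-15T09:00:00|id=4625|logon_type=10|src=203.0.113.5|user=admin",
    "ts=2024-01-15T09:00:20|id=4625|logon_type=10|src=203.0.113.5|user=administrator",
    "ts=2024-01-15T09:00:41|id=4625|logon_type=10|src=203.0.113.5|user=backup",
    "ts=2024-01-15T09:01:02|id=4625|logon_type=3|src=198.51.100.7|user=jsmith",
    "ts=2024-01-15T09:01:05|id=4625|logon_type=10|src=203.0.113.5|user=sqlsvc",
    "ts=2024-01-15T09:01:30|id=4625|logon_type=2|src=203.0.113.5|user=helpdesk",
    "ts=2024-01-15T09:01:44|id=4625|logon_type=10|src=203.0.113.5|user=svc_admin",
    "ts=2024-01-15T09:02:10|id=4625|logon_type=10|src=203.0.113.5|user=administrator",
    "ts=2024-01-15T09:02:35|id=4624|logon_type=10|src=203.0.113.5|user=administrator",
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: on an internet-exposed RDP host a handful of failures per hour is background noise, while the same count inside a few minutes from one address is worth a ticket. Pairing the failure burst with the following 4624 is what turns "someone is guessing" into "someone now has an administrator credential", which is the condition the advisory describes.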
In some instances, Snatch affiliates have sought out compromised credentials from criminal forums or marketplaces and gained persistence on a victim’s network by compromising an administrator account and establishing connections over HTTPS to a command-and-control server on a Russian bulletproof hosting service.
The group also used previously stolen data bought from other ransomware actors to harass victims into paying extortion by threatening to release the data on its leak site.
Snatch uses different tactics, techniques, and procedures to discover data, move laterally, and search for data to exfiltrate. It uses the Windows registry utility sc.exe to add operating system services and tools such as Metasploit and Cobalt Strike.
Before deploying ransomware, Snatch threat actors can hide on a victim system for up to three months.
During the deployment of the ransomware, the threat actors attempt to disable antivirus software and run an executable as a file named safe.exe. The executable’s name consists of a string of hexadecimal characters to defeat rule-based detection.
“Upon initiation, the Snatch ransomware payload queries and modifies registry keys, uses various native Windows tools to enumerate the system, finds processes, and creates benign processes to execute Windows batch files. Sometimes, the program attempts to remove all the volume shadow copies from a system. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem,” federal researchers said.
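The host-level behaviours in the two paragraphs above (services registered with sc.exe, an executable whose name is nothing but hexadecimal characters, volume shadow copy deletion, and batch files run and then deleted) each show up in process-creation and service-installation telemetry. The following is an added example written for this article, not code from the CISA/FBI advisory, that applies those four checks to constructed records modelled loosely on Security Event 4688 (process creation) and System Event 7045 (service installed). The `key=value|key=value` layout, the field names, the service name and the file paths are assumptions made for the example.

```python
"""Host-level checks for the Snatch behaviours described in the article.

Added example, not taken from the CISA/FBI advisory or the article.
It scans constructed process-creation (Security 4688) and
service-installation (System 7045) records for four behaviours the
article mentions: services registered with sc.exe, an executable whose
name is only hexadecimal characters, volume shadow copy deletion, and
batch files run from a temporary directory.  Field names, paths and the
record format are assumptions for this example.
"""
import re
from pathlib import PureWindowsPath

# File name made only of hex digits (the article's "string of hexadecimal characters").
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.IGNORECASE)
# The usual ways shadow copies are wiped before encryption.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)
# A .bat file launched out of a temp directory.
TEMP_BATCH = re.compile(r'[\\/](temp|tmp)[\\/][^\s"]+\.bat\b', re.IGNORECASE)
# sc.exe being used to create or reconfigure a service.
SC_CREATE = re.compile(r"\bsc(\.exe)?\s+(create|config)\b", re.IGNORECASE)


def parse_record(line):
    """Turn one constructed 'key=value|key=value' record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def analyse(lines):
    """Return (rule, image, detail) tuples for every record that trips a check."""
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec["id"] == "7045":
            # Every new service is worth recording; correlate it with the sc.exe
            # command that created it when triaging.
            alerts.append(("service_installed", rec["image"], rec["service"]))
            continue
        if rec["id"] != "4688":
            continue
        cmd = rec["cmdline"]
        image_stem = PureWindowsPath(rec["image"]).stem   # file name without extension
        if HEX_NAME.match(image_stem):
            alerts.append(("hex_named_executable", rec["image"], cmd))
        if SHADOW_DELETE.search(cmd):
            alerts.append(("shadow_copy_deletion", rec["image"], cmd))
        if TEMP_BATCH.search(cmd):
            alerts.append(("batch_from_temp", rec["image"], cmd))
        if SC_CREATE.search(cmd):
            alerts.append(("sc_service_creation", rec["image"], cmd))
    return alerts


# Constructed sample: the chain the article describes, plus one benign record.
SAMPLE_RECORDS = [
    r"id=4688|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c sc create backup binPath= C:\Users\Public\3f2a9c1e7b4d.exe",
    r"id=7045|service=backup|image=C:\Users\Public\3f2a9c1e7b4d.exe",
    r"id=4688|image=C:\Users\Public\3f2a9c1e7b4d.exe|cmdline=3f2a9c1e7b4d.exe",
    r"id=4688|image=C:\Windows\System32\vssadmin.exe|cmdline=vssadmin.exe delete shadows /all /quiet",
    r"id=4688|image=C:\Windows\System32\cmd.exe|cmdline=cmd.exe /c C:\Windows\Temp\run1.bat",
    r"id=4688|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe readme.txt",
]

if __name__ == "__main__":
    for rule, image, detail in analyse(SAMPLE_RECORDS):
        print(f"{rule:24} {image}  <-  {detail}")
```

None of these checks is conclusive on its own: administrators create services and occasionally delete shadow copies. The value is in the sequence, which is why the function returns every hit rather than a single verdict; a service created by sc.exe whose binary has a hex-only name, followed within minutes by shadow copy deletion and batch files launched from a temp directory, is the pattern the advisory describes and is worth treating as an active intrusion rather than noise. Because the batch files are deleted after they run, the process-creation record is often the only evidence that they existed.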
The threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blogs.