Highlights:

  • The initial documented victim of a Snatch ransomware attack in the United States was the ASP.NET hosting provider, SmarterASP.NET, in 2019.
  • Recent targets of Snatch ransomware attacks, as listed on the group's dark web leak site, include notable entities such as the Florida Department of Veteran’s Affairs, Zilli, CEFCO Inc., the South African Department of Defense, and the Briars Group Ltd.

Recently, the U.S. Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued a collaborative cybersecurity advisory, cautioning about the Snatch ransomware operation.

Snatch ransomware first emerged in 2018 and operates under a ransomware-as-a-service model. In this cybercriminal business model, ransomware operators develop the ransomware and offer it to affiliates, who pay to use it in their own attacks. The initial documented victim of a Snatch ransomware attack in the United States was the ASP.NET hosting provider, SmarterASP.NET, in 2019.

The joint advisory has been published to distribute recognized indicators of compromise related to Snatch ransomware and its tactics, techniques, and procedures. These insights have been gleaned from FBI investigations, with data as recent as June 1, 2023.

Snatch threat actors are said to be constantly changing their methods to take advantage of current trends in cybercrime, and have drawn on the successes of other ransomware operations. Snatch affiliates have focused their targeting on critical sectors such as defense, food and agriculture, and IT.

Like many ransomware attackers in recent years, Snatch uses a double extortion technique. It encrypts and steals data, then demands a ransom for a promise that the stolen data won’t be made public on Snatch’s dark web website.

Recent targets of Snatch ransomware attacks include notable entities like the Florida Department of Veteran’s Affairs, CEFCO Inc., Zilli, the South African Department of Defense, and the Briars Group Ltd.

Michael Mumcuoglu, CEO and co-founder of posture management firm CardinalOps Ltd., reported heightened activity from the Snatch ransomware group over the past 12 to 18 months, with the group taking credit for numerous notable attacks.

“A unique tactic used by the Snatch ransomware group leverages ‘stealthy malware’ that takes advantage of the fact that many Windows computers do not often run endpoint protection mechanisms in Safe Mode,” explained Mumcuoglu. “Snatch ransomware avoids detection by forcing infected hosts to reboot into Safe Mode.”

Nick Hyatt, Cyber Practice Leader at Optiv Security Inc., a cyber-advisory and solutions provider, said he believes that CISA’s release of this advisory on the Snatch ransomware group is a proactive step to enhance community engagement.

“While we have not observed any change in Snatch’s tactics, techniques and procedures recently, per our research they are most active in North America, with a particular focus on the industrial vertical,” added Hyatt. “Between July 2022 and June 2023, we tracked 70 attacks by Snatch across all verticals. Overwhelmingly, those attacks were focused on North America.”