Snatch ransomware, active since 2018, is a persistent and evolving threat. Operating under the Ransomware-as-a-Service (RaaS) model, Snatch stands out for its adaptability, its double-extortion tactics and, most notably, its trick of rebooting compromised Windows hosts into Safe Mode, where most endpoint security products do not load and so cannot interfere with encryption. This article examines Snatch's origins, tactics, targets, attack campaigns and defense strategies, and the confusion surrounding the "two Snatch" entities: the original ransomware group and the current data leak and extortion site.
Snatch ransomware first appeared in 2018, originally operating as Team Truniger. "Truniger" is believed to be the online handle of a key member previously affiliated with the GandCrab RaaS operation. The GandCrab connection is significant: that operation shut down in 2019, and some researchers assess that it evolved into REvil. Snatch's infrastructure has been traced to Russian bulletproof hosting providers, and the group is widely assessed to be Russia-based.
The name "Snatch" itself might be a reference to the movie of the same name, and the group's logo uses the acronym "S.N.Atch" (Security Notification Attachment) on their Telegram channel.
A key point of contention and evolution is the emergence of a second entity also calling itself "Snatch" (often referred to as "Snatch Team"). This group claims no connection to the original Snatch ransomware operations. They deny using a "conventional ransomware model" and state that the malware used in their operations is indirectly sourced from various affiliates and threat actors. They even explicitly state there is no malware referred to as "Snatch" in their operations.
This denial is, however, complicated by the fact that data from confirmed victims of the original Snatch ransomware appears on the extortion blog, alongside data apparently stolen by other threat actors. This has led to confusion and debate within the security community about the true relationship between the two entities. The FBI and CISA, in their September 2023 joint advisory (AA23-263A), acknowledge the current "Snatch Team's" claims but still connect it, albeit indirectly, to the original ransomware group.
The evolution of Snatch illustrates a broader trend in the ransomware landscape: a shift from pure encryption towards data exfiltration and double extortion. The emergence of a "Snatch Team" focused solely on data leaks could be a further step in that direction, an attempt to distance the operators from the legal consequences of deploying encryption malware, or a rebrand after operational security failures. Whichever it is, defenders should track both entities as one threat cluster rather than treat the leak site as unrelated.
Snatch employs a variety of tactics, techniques, and procedures (TTPs) throughout its attack lifecycle, which can be mapped to the MITRE ATT&CK framework. Here's a breakdown of key stages:
Initial Access:
* External Remote Services / Remote Desktop Protocol (T1133, T1021.001): The primary initial access method is brute-forcing credentials against internet-exposed RDP services, followed by logging in with the guessed account. Exposed RDP is a common entry point for many ransomware groups, not just Snatch.
* Valid Accounts (T1078): Snatch actors also buy stolen credentials on criminal forums and from initial access brokers (IABs). These credentials are typically used against VPNs and other remote access services.
* Source infrastructure: Snatch actors establish their RDP connections from Russian bulletproof hosting providers and through VPN services, which hides the true origin of the session and makes simple IP reputation blocking unreliable.
Execution:
* Command and Scripting Interpreter: Windows Command Shell (T1059.003): Uses cmd.exe and batch files (.bat) for network enumeration, data exfiltration, and ransomware deployment.
* System Services: Service Execution (T1569.002): Uses sc.exe to query, configure, create, start, and stop services, which supports both disabling security tooling and setting up the service Snatch relies on for its Safe Mode reboot.
Persistence:
* Valid Accounts (T1078): Compromising administrator accounts is a key persistence mechanism. This allows Snatch actors to maintain access even after system reboots.
* C2 Communication: Snatch establishes connections over port 443 to a C2 server on a Russian bulletproof hosting service.
Defense Evasion:
* Masquerading (T1036): Drops ransomware executables whose file name is the SHA-256 hash of the file's own contents. The name carries no recognizable string for signature or reputation checks, and it changes with every rebuild of the payload.
* Indicator Removal: File Deletion (T1070.004): Deletes the batch files it deployed once they have run, hindering reconstruction of the attack during incident response.
* Modify Registry (T1112): Writes the registry values that make the Safe Mode reboot work. The reported example is HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan with its default value set to Service. Windows starts only the services listed under SafeBoot\Minimal (or SafeBoot\Network) when booting into Safe Mode, so registering the ransomware's SuperBackupMan service there is what lets it run after the reboot while security products that are not listed stay down. Any service name under these keys that is not part of the OS baseline is a high-value hunting indicator.
* Impair Defenses: Disable or Modify Tools (T1562.001): Attempts to disable antivirus software, specifically Windows Defender. Variations of a file named safe.exe are used for this.
* Impair Defenses: Safe Mode Boot (T1562.009): This is Snatch's defining characteristic. The ransomware reboots the infected system into Safe Mode (in some cases Safe Mode with Networking) and encrypts from there, because most endpoint protection is either not loaded or runs with reduced functionality in Safe Mode.
Credential Access:
* Brute Force (T1110): Employs brute-force attacks against RDP services to guess credentials.
Discovery and Collection:
* Data from Local System (T1005): Searches for files and folders of interest and stages them before exfiltration.
* Dwell time: Snatch actors have been observed spending up to three months on a victim's network before deploying ransomware, which leaves a long window in which the earlier stages can be detected.
Lateral Movement:
* Remote Services (T1021): Uses compromised credentials to move laterally within the network via RDP, maximizing the impact of the ransomware deployment.
Command and Control:
* Application Layer Protocols (T1071.001): Uses HTTPS (port 443) for command and control communications, blending in with normal web traffic.
Exfiltration:
* Exfiltration Over C2 Channel (T1041): Exfiltrates stolen data to attacker-controlled servers, often using a dedicated malware component (e.g., Update_Collector.exe).
Impact:
* Data Encrypted for Impact (T1486): Encrypts data using AES. Encrypted files and folders have a string of hexadecimal characters appended to their names, and a ransom note (HOW TO RESTORE YOUR FILES.TXT) is dropped on the system.
* Inhibit System Recovery (T1490): Deletes volume shadow copies with vssadmin delete shadows /all /quiet, so victims cannot simply roll back files from local snapshots.
The "current" Snatch Team, while denying direct ransomware deployment, centers its activity on data exfiltration and extortion. It operates a leak site and communicates with victims through email, the Tox messaging platform, and in some cases spoofed phone calls. It may also purchase data stolen by other ransomware groups to increase pressure on victims, which is why a victim can appear on the Snatch leak site without ever having been hit by the Snatch encryptor.
Snatch has targeted a broad range of industries and organizations, demonstrating a diverse victimology. Key sectors include:
Critical Infrastructure: Defense Industrial Base (DIB), Food and Agriculture, and Information Technology. This targeting of critical infrastructure aligns with broader trends in cybercrime and nation-state activity.
Other Sectors: Healthcare, retail, manufacturing, government entities, and entertainment.
Geography: Primarily targets North America and Europe, with the United States being the most affected country. However, victims have also been reported in South Korea, South Africa, and other regions.
The "current" Snatch Team's leak site features data from a wide range of victims, further illustrating the broad targeting strategy. This includes government-related entities and companies in diverse sectors.
Several notable attack campaigns have been attributed to Snatch, highlighting its impact and evolving tactics:
2019: Early attacks focused on IT providers in Saudi Arabia, employing supply chain compromises.
2021: The attack on the South African Department of Defence resulted in the leak of 1.6TB of sensitive data.
2022: An attack on the Florida Department of Veterans' Affairs led to data being posted on Snatch's extortion blog.
2023: Attacks on SsangYong Motor (South Korea) and Alinabal (US).
2023: Food company Kraft Heinz investigated Snatch's claims of data theft from its systems.
Europol Operation: Snatch posted a message in response to a Europol operation targeting another ransomware group, claiming that they were not deterred and will continue their extortion practices.
These campaigns demonstrate Snatch's willingness to target high-profile organizations and its use of data leaks as a key component of its extortion strategy. The "current" Snatch Team's response to law enforcement activity underlines that the operation is ongoing and undeterred by legal consequences.
Combating Snatch ransomware requires a multi-layered approach, encompassing prevention, detection, and response. Key defense strategies include:
Remote Access Controls:
* Audit and strictly control remote access tools.
* Limit RDP usage to the accounts and hosts that need it, and disable command-line and scripting activities and permissions for users who do not need them.
* Implement strong authentication mechanisms for remote access, including multi-factor authentication (MFA).
Account Management:
* Review domain controllers for new or unrecognized accounts.
* Enforce the principle of least privilege.
* Implement strong password policies (long, complex passwords, no reuse, account lockouts).
* Require administrator credentials for software installation.
Credential Compromise Prevention:
* Implement time-based access controls.
* Avoid storing plaintext credentials.
* Enforce strong password policies (hashing, salting, no reuse, account lockouts, disable hints).
Multi-Factor Authentication (MFA):
* Require phishing-resistant MFA for all services, especially webmail, VPNs, and access to critical systems. This is a critical defense against credential-based attacks.
Patching and Vulnerability Management:
* Keep all systems and software up-to-date with the latest security patches.
* Prioritize patching known exploited vulnerabilities.
* Implement a robust vulnerability management program.
Network Segmentation:
* Implement network segmentation to limit the lateral movement of attackers within the network. This can contain the impact of a successful breach.
Monitoring and Detection:
* Deploy endpoint (EDR) and centralized log (SIEM) monitoring, plus network monitoring, to detect abnormal activity, lateral movement, and data exfiltration.
* Configure alerts for suspicious registry modifications, especially those related to Safe Mode.
* Monitor for the creation of new user accounts, particularly privileged accounts.
* Monitor for the execution of suspicious commands (e.g., vssadmin delete shadows, bcdedit changes to the safeboot setting) and for processes whose executable name is a bare hash.
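The monitoring items above map directly onto a few Windows Security events: 4625/4624 for the RDP brute-forcing and the success that follows it, 4688 for the shadow copy deletion and the hash-named executable, and 4732 for a new member in a privileged group. The Python below is an added example, not code from the article or from any product, that runs those detections over a constructed batch of events in the shape a SIEM would hand them to a rule; the IP addresses, user names and timestamps are made up, and the 64-character file name stands in for a real SHA-256 name.

```python
import re
from collections import defaultdict

# Constructed sample events. logon_type 10 is RemoteInteractive (RDP).
# Timestamps are seconds. None of this is real telemetry.
HASH_NAME = "8f" * 32  # stands in for a 64-hex-char SHA-256 used as a file name
EVENTS = (
    [{"id": 4625, "ts": 1000 + i * 2, "ip": "203.0.113.7", "user": "administrator",
      "logon_type": 10} for i in range(25)]
    + [{"id": 4624, "ts": 1060, "ip": "203.0.113.7", "user": "backupadmin", "logon_type": 10}]
    + [{"id": 4625, "ts": 1100, "ip": "198.51.100.4", "user": "jsmith", "logon_type": 10}]
    + [{"id": 4732, "ts": 1200, "member": "svc_sync", "group": "Administrators"}]
    + [{"id": 4688, "ts": 1300, "image": r"C:\Windows\System32\vssadmin.exe",
        "cmd": "vssadmin delete shadows /all /quiet"}]
    + [{"id": 4688, "ts": 1310, "image": rf"C:\Users\Public\{HASH_NAME}.exe",
        "cmd": rf"C:\Users\Public\{HASH_NAME}.exe"}]
    + [{"id": 4688, "ts": 1320, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"}]
)

SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
HASH_EXE = re.compile(r"(?:^|[\\/])[0-9a-f]{64}\.exe$", re.I)
PRIV_GROUPS = {"administrators", "domain admins", "remote desktop users"}


def rdp_bruteforce(events, threshold=20, window=300):
    """Map source IP -> True/False for IPs with >= threshold RDP failures inside
    `window` seconds; the value says whether an RDP success from that IP followed
    the start of the burst (i.e. a credential was probably guessed)."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e.get("logon_type") != 10:
            continue
        (fails if e["id"] == 4625 else successes)[e["ip"]].append(e["ts"])
    alerts = {}
    for ip, times in fails.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted failures
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts[ip] = any(t > times[lo] for t in successes.get(ip, []))
                break
    return alerts


def shadow_copy_deletion(events):
    """Command lines that wipe Volume Shadow Copies (T1490)."""
    return [e["cmd"] for e in events if e["id"] == 4688 and SHADOW_DELETE.search(e.get("cmd", ""))]


def hash_named_executables(events):
    """Process images whose file name is a bare 64-hex-char hash (T1036)."""
    return [e["image"] for e in events if e["id"] == 4688 and HASH_EXE.search(e.get("image", ""))]


def privileged_group_additions(events):
    """(member, group) pairs for additions to groups that grant admin or RDP access."""
    return [(e["member"], e["group"]) for e in events
            if e["id"] == 4732 and e["group"].lower() in PRIV_GROUPS]


def run_detections(events):
    """Run every rule and return the findings keyed by rule name."""
    return {
        "rdp_bruteforce": rdp_bruteforce(events),
        "shadow_copy_deletion": shadow_copy_deletion(events),
        "hash_named_executables": hash_named_executables(events),
        "privileged_group_additions": privileged_group_additions(events),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(EVENTS).items():
        print(f"{rule}: {hits}")
```

The brute-force rule deliberately reports the success-after-burst case separately: a flood of 4625s from an internet address is noise on many exposed hosts, but a 4624 type-10 logon from the same address after the burst is the moment an account has fallen and should page someone. The other three rules are low-volume on a healthy network, so they can alert on a single hit; the shadow copy and hash-name rules need 4688 command-line auditing (or Sysmon event 1) to be enabled, or the cmd and image fields will be empty.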
Antivirus and Endpoint Protection:
* Install, update, and enable real-time detection for antivirus software.
* Ensure endpoint protection solutions are configured to detect and prevent ransomware behavior.
Backups:
* Maintain offline, encrypted, and immutable backups of critical data; offline copies are what remain usable after shadow copies have been deleted and online shares encrypted.
* Ensure backups cover the entire infrastructure and are regularly tested by actually restoring from them.
Email Security:
* Implement email security gateways to filter out phishing emails and malicious attachments.
* Add email banners for external emails.
* Disable hyperlinks in received emails.
User Awareness Training:
* Educate users about the risks of phishing, social engineering, and ransomware.
* Train users to identify and report suspicious emails and activity.
Incident Response Plan:
* Develop and test a robust incident response plan specific to ransomware attacks.
* Ensure the plan includes procedures for containment, eradication, recovery, and communication, including what to do when a host unexpectedly reboots into Safe Mode.
Validate Security Controls: Regularly test and validate security controls against the MITRE ATT&CK techniques used by Snatch, including simulated attacks and vulnerability assessments to identify gaps in defenses.
Snatch ransomware, and the potentially related "Snatch Team," represent a significant and evolving threat. Their tactics, ranging from RDP brute-forcing and Safe Mode reboots to data exfiltration and double extortion, require a comprehensive and proactive defense strategy. The ambiguity surrounding the relationship between the original ransomware group and the current data leak site adds complexity to attribution and threat analysis. Organizations must prioritize robust security controls, including strong authentication, network segmentation, endpoint protection, and regular backups, to mitigate the risk of Snatch and similar threats. Continuous monitoring, user education, and a well-defined incident response plan are essential for minimizing the impact of a successful attack. Staying informed about the latest TTPs and IOCs associated with Snatch, and collaborating with law enforcement and the security community, is crucial for defending against this persistent threat.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.