The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have warned organizations about the Snatch ransomware operation in a joint security advisory.
The advisory is part of the two agencies’ #StopRansomware campaign, in which they describe the tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) of currently active and disruptive ransomware operations, in the hope of helping organizations protect themselves a little better against these threats.
Although Snatch first appeared sometime in 2018, the data provided by the two agencies is relatively recent, with some observations dating from as late as early June of this year. According to the advisory, Snatch operates on a ransomware-as-a-service model, in which affiliate threat actor groups rent the encryptor and the supporting infrastructure to run their own ransomware campaigns.
Evolution in tactics
While the Snatch threat actors have “consistently” developed their tactics, the advisory said, they stayed in line with what the majority of ransomware operations were doing: they exfiltrated and encrypted sensitive data, then demanded payment in exchange for the decryption key and for not leaking the stolen data on the dark web.
“The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents,” they said.
In December 2019, the Snatch ransomware was observed rebooting infected computers into Safe Mode to bypass security solutions. This variant was discovered by security researchers from the Sophos Managed Threat Response team and SophosLabs, who said that no security tools work in Safe Mode, allowing Snatch to continue encrypting files unhindered.
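The Safe Mode trick works because Safe Mode loads only a minimal set of Windows drivers and services, so endpoint protection that runs as a normal service is never started. The practical consequence for defenders is that any detection has to fire before the reboot, on the commands that prepare it. The following is an added example (not code from the page, the advisory or Sophos) showing that kind of detection over process-creation events. It assumes the standard Windows mechanics for forcing a Safe Mode boot and for allowing a service to start there: `bcdedit /set {current} safeboot minimal|network` and a service registered under `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal` (or `Network`). The event format, host and user names, service name and command lines are constructed for the example.

```python
"""Flag hosts being prepared for a Safe Mode reboot (constructed example).

The three preparatory steps an attacker needs before encrypting from Safe Mode:
  1. force the next boot into Safe Mode        (bcdedit ... /set ... safeboot minimal|network)
  2. let its own service start in Safe Mode    (write under Control\\SafeBoot\\Minimal|Network)
  3. reboot the host                           (shutdown /r ...)
Only step 1 is required; the others raise confidence. Field names and sample
events below are assumptions for this example, not a real telemetry schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # path of the created process
    command_line: str


RE_BCDEDIT_SAFEBOOT = re.compile(
    r"bcdedit(?:\.exe)?\b.*?/set\b.*?\bsafeboot\s+(?:minimal|network)\b", re.I)
RE_REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\b", re.I)
RE_SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I)
RE_REBOOT = re.compile(r"shutdown(?:\.exe)?\b.*?(?:^|\s)[/-]r\b", re.I)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Map one process-creation event to a preparatory step, or None."""
    cl = ev.command_line
    if RE_BCDEDIT_SAFEBOOT.search(cl):
        return "safeboot_set"
    # 'bcdedit /deletevalue ... safeboot' (the clean-up command) does not match above.
    if RE_REG_ADD.search(cl) and RE_SAFEBOOT_KEY.search(cl):
        return "safeboot_service_registered"
    if RE_REBOOT.search(cl):
        return "reboot"
    return None


def detect(events: Iterable[ProcessEvent]) -> Dict[str, dict]:
    """Correlate steps per host.

    A host on which Safe Mode was forced gets an alert: 'medium' confidence on
    its own, 'high' if a SafeBoot service registration or a reboot was also
    seen. A reboot alone (routine patching) never alerts.
    """
    steps: Dict[str, Dict[str, str]] = defaultdict(dict)
    for ev in events:
        step = classify(ev)
        if step and step not in steps[ev.host]:
            steps[ev.host][step] = ev.command_line
    alerts: Dict[str, dict] = {}
    for host, seen in steps.items():
        if "safeboot_set" not in seen:
            continue
        alerts[host] = {
            "confidence": "high" if len(seen) > 1 else "medium",
            "steps": sorted(seen),
            "evidence": dict(seen),
        }
    return alerts


# Constructed sample telemetry: one staged host, one routine reboot, one clean-up.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("WS-042", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c bcdedit /set {current} safeboot minimal"),
    ProcessEvent("WS-042", r"CORP\jdoe", r"C:\Windows\System32\reg.exe",
                 r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupSvc"'
                 r' /ve /t REG_SZ /d Service /f'),
    ProcessEvent("WS-042", r"CORP\jdoe", r"C:\Windows\System32\shutdown.exe",
                 "shutdown /r /f /t 0"),
    ProcessEvent("SRV-DB01", r"CORP\svc_patch", r"C:\Windows\System32\shutdown.exe",
                 'shutdown /r /t 300 /c "monthly patching"'),
    ProcessEvent("WS-017", r"CORP\helpdesk", r"C:\Windows\System32\bcdedit.exe",
                 "bcdedit /deletevalue {current} safeboot"),
]

if __name__ == "__main__":
    for host, alert in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {alert['confidence']} confidence, steps={alert['steps']}")
```

Running the block flags only WS-042 (all three steps seen, high confidence); the scheduled reboot on SRV-DB01 and the helpdesk clean-up on WS-017 produce nothing. In a real deployment the same logic belongs in a rule that blocks or at least alerts on the `bcdedit` step synchronously, because once the host has rebooted into Safe Mode the sensor that would report the encryption is no longer running.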
A report on SiliconANGLE said that more recent victims of Snatch include the Florida Department of Veterans’ Affairs, Zilli, CEFCO Inc., the South African Department of Defense and the Briars Group Ltd.
Michael Mumcuoglu, co-founder and CEO of posture management company CardinalOps Ltd., told the same publication that Snatch’s operators had been more active over the past year and a half.
Via Infosecurity Magazine