CISA #StopRansomware Advisory: Snatch Ransomware
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have jointly released an advisory on the Snatch ransomware gang as part of the agencies' #StopRansomware series. Snatch, a ransomware-as-a-service (RaaS) operation, first emerged in 2018 and has since targeted various sectors, including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology. The group practices double extortion: it exfiltrates victim data before encrypting it and threatens to publish that data if the ransom is not paid. For initial access, Snatch exploits weaknesses in exposed Remote Desktop Protocol (RDP) services and uses compromised credentials, and it may spend up to three months inside a victim's network before deploying the ransomware. The gang uses evasion techniques to disable antivirus software, and it communicates with victims through email and the Tox messaging platform. CISA warns that since "mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants' operations."
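Weak or exposed RDP is the initial-access path the advisory names, and the practical check for it is a detection over Windows Security logs: a burst of failed RemoteInteractive logons from one source followed by a successful one from the same source. The following is an added example written for this page, not code from CISA, the FBI, or The Record. It assumes the standard Windows Security log semantics (Event ID 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP); the log lines, the simplified key=value line format, the threshold, and the window are constructed for illustration.

```python
"""Detect an RDP brute-force burst followed by a successful RDP logon.

Added example for this page; not from the CISA advisory or the article.
Assumes Windows Security log semantics: EventID 4625 = failed logon,
4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events in a simplified key=value text form; a real
# pipeline would read the same fields from EVTX/XML or a SIEM export.
SAMPLE_LOG = """\
2023-09-20T01:00:05Z EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.7
2023-09-20T01:00:06Z EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.7
2023-09-20T01:00:08Z EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.7
2023-09-20T01:00:09Z EventID=4625 LogonType=10 User=svc_sql SrcIP=203.0.113.7
2023-09-20T01:00:11Z EventID=4625 LogonType=10 User=jsmith SrcIP=203.0.113.7
2023-09-20T01:00:14Z EventID=4624 LogonType=10 User=jsmith SrcIP=203.0.113.7
2023-09-20T01:05:00Z EventID=4625 LogonType=10 User=jdoe SrcIP=198.51.100.4
2023-09-20T01:05:30Z EventID=4624 LogonType=10 User=jdoe SrcIP=198.51.100.4
2023-09-20T02:00:00Z EventID=4624 LogonType=2 User=jdoe SrcIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"User=(?P<user>\S+) SrcIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never let one bad line crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "eid": int(m["eid"]), "lt": int(m["lt"]),
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when a source IP has >= `threshold` failed RDP logons inside
    `window` and then succeeds over RDP from the same IP.

    Only LogonType 10 is considered, so console (type 2) or network (type 3)
    logons never contribute to the count or trigger an alert.
    """
    failures = defaultdict(list)  # src IP -> timestamps of 4625/type-10 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["lt"] != 10:
            continue
        if ev["eid"] == 4625:
            failures[ev["ip"]].append(ev["ts"])
        elif ev["eid"] == 4624:
            recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": ev["ip"], "user": ev["user"],
                               "failures": len(recent), "success_at": ev["ts"]})
                failures[ev["ip"]].clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(f"ALERT {a['ip']}: {a['failures']} failed RDP logons, then "
              f"success as {a['user']} at {a['success_at']:%Y-%m-%d %H:%M:%S}")
```

On the sample above only 203.0.113.7 fires (five failures across several account names, then a success as jsmith); 198.51.100.4 shows a single typo-then-success pattern and stays quiet, and the console logon at 02:00 is ignored because it is not LogonType 10. Tune the threshold and window to your environment, and treat a hit as a trigger to check whether that host's RDP is reachable from the internet at all.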
Reporting from The Record has shed light on the recent surge of Snatch attacks, whose repercussions have been felt across a broad range of institutions: law enforcement agencies, schools, and healthcare facilities, including the Florida Department of Veterans' Affairs, law enforcement in Modesto, California, and a Wisconsin school district. Snatch's data leaks have also extended to a diverse set of organizations, among them South Africa's defense department, automaker Volvo, a Canadian airport, and the Canadian Nurses Association. The activity is concentrated in North America: Nick Hyatt of Optiv tracked Snatch from July 2022 to June 2023 and documented 70 attacks in that period, with a strong emphasis on North American targets.