The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about ransomware gang Snatch, whose recent victims include the City of Modesto, Tampa General Hospital, and the Canadian Nurses Association.
The agencies’ joint Sept. 20 cybersecurity advisory coincided with the gang posting an as-yet-unconfirmed claim that the Florida Department of Veterans’ Affairs was among its latest victims.
The FBI and CISA said Snatch, which was first observed in 2018, has targeted a wide range of victim organizations, including many from the food, agriculture, IT, and defense sectors.
“Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations,” the agencies said.
The group operated a ransomware-as-a-service model, and its willingness to adopt new techniques included embracing the practice of double extortion: exfiltrating data from victims’ systems as well as encrypting it, and threatening to publish the stolen data if a ransom is not paid.
A short time after the cybersecurity advisory was published, Emsisoft threat analyst Brett Callow posted on X, formerly Twitter, a screenshot from Snatch’s extortion blog where the gang alleged the Florida Department of Veterans’ Affairs was one of its latest victims. The department has not yet responded publicly to the claim.
When Safe Mode is not so safe
Since its early days, Snatch has been known for its use of customized ransomware which reboots victim devices into Windows Safe Mode. This allows it to circumvent antivirus and endpoint protection solutions, and encrypt files on targeted machines while few services are running.
The FBI and CISA said Snatch affiliates generally relied on exploiting Remote Desktop Protocol (RDP) weaknesses and using brute-force techniques to gain administrator access to victims’ networks. In some cases, however, affiliates had bought compromised credentials from dark web forums and marketplaces.
Event logs provided by recent Snatch victims show the gang initiated RDP connections to target organizations from a Russian bulletproof hosting service and through other virtual private network services.
The gang establishes persistence on victim networks using administrator accounts to make connections over port 443 to a command-and-control server located on a Russian bulletproof hosting service.
Snatch threat actors can spend up to three months on victims’ systems before deploying ransomware, using the intervening time to search for files and folders to exfiltrate and to ensure the widest possible deployment of their malware.
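The behaviours described above (repeated RDP logon failures from one source followed by a success, and a Safe Mode boot option being set before encryption) leave traces in Windows Security event logs that a defender can look for. The following is an added example written for this article, not code from the advisory or from any vendor: it runs simple detection logic over a handful of constructed, simplified event lines. The pipe-delimited format, the field names, the thresholds and the `bcdedit ... safeboot` regular expression are all assumptions made for the example; real deployments would read 4625/4624/4688 events from the Security log or a SIEM.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the advisory). Each line is a
# simplified, pipe-delimited rendering of a Windows Security event:
#   timestamp|EventID|key=value|key=value...
# 4625 = failed logon, 4624 = successful logon, 4688 = process creation.
# LogonType=10 is a RemoteInteractive (RDP) logon. IPs are documentation ranges.
SAMPLE_EVENTS = [
    "2023-09-01T02:00:01|4625|LogonType=10|Src=203.0.113.7|User=administrator",
    "2023-09-01T02:00:09|4625|LogonType=10|Src=203.0.113.7|User=administrator",
    "2023-09-01T02:00:17|4625|LogonType=10|Src=203.0.113.7|User=admin",
    "2023-09-01T02:00:25|4625|LogonType=10|Src=203.0.113.7|User=admin",
    "2023-09-01T02:00:33|4625|LogonType=10|Src=203.0.113.7|User=backup",
    "2023-09-01T02:00:41|4625|LogonType=10|Src=203.0.113.7|User=backup",
    "2023-09-01T02:01:02|4624|LogonType=10|Src=203.0.113.7|User=backup",
    "2023-09-01T08:15:00|4625|LogonType=10|Src=198.51.100.4|User=jsmith",
    "2023-09-01T08:16:10|4624|LogonType=10|Src=198.51.100.4|User=jsmith",
    "2023-09-01T09:00:00|4688|User=jsmith|CommandLine=notepad.exe C:\\notes.txt",
    "2023-09-01T23:40:12|4688|User=backup|CommandLine=bcdedit.exe /set {default} safeboot minimal",
]


def parse_event(line):
    """Split one sample line into a dict with a datetime and its key=value fields."""
    ts, event_id, *fields = line.split("|")
    event = {"time": datetime.fromisoformat(ts), "id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")  # split on the first '=' only
        event[key] = value
    return event


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: total_failures} for sources with at least `threshold`
    failed RDP logons (4625, LogonType 10) inside any span of length `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("LogonType") == "10":
            failures[e["Src"]].append(e["time"])
    flagged = {}
    for src, times in failures.items():
        times.sort()
        # Sliding window: compare each failure with the one `threshold-1` earlier.
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged[src] = len(times)
                break
    return flagged


def find_success_after_bruteforce(events, flagged):
    """Return (src, user) pairs where a flagged source later logged on over RDP
    successfully (4624): the pattern of a guessed or purchased credential."""
    return [(e["Src"], e["User"]) for e in events
            if e["id"] == 4624 and e.get("LogonType") == "10" and e["Src"] in flagged]


# Assumed indicator: a process-creation command line that sets a Safe Mode
# boot option (the reboot-to-Safe-Mode step mentioned in the article).
SAFEBOOT_RE = re.compile(r"bcdedit(\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)


def find_safeboot_changes(events):
    """Return (user, command line) for 4688 events matching SAFEBOOT_RE."""
    return [(e["User"], e["CommandLine"]) for e in events
            if e["id"] == 4688 and SAFEBOOT_RE.search(e.get("CommandLine", ""))]


def analyze(lines=SAMPLE_EVENTS):
    """Run all three checks over the given lines and return the findings."""
    events = [parse_event(line) for line in lines]
    flagged = find_rdp_bruteforce(events)
    return {
        "bruteforce_sources": flagged,
        "success_after_bruteforce": find_success_after_bruteforce(events, flagged),
        "safeboot_changes": find_safeboot_changes(events),
    }


if __name__ == "__main__":
    for name, finding in analyze().items():
        print(f"{name}: {finding}")
```

On the constructed input the single-failure source is left alone, the six-failure source is flagged and its subsequent successful logon is reported, and the one boot-configuration change is surfaced. The safeboot check is worth an alert on its own, since legitimate administrators rarely reboot servers into Safe Mode; the brute-force threshold should be tuned to the environment and combined with the network telemetry the advisory describes (connections from hosting and VPN ranges).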
In their advisory, the agencies said Snatch had been observed buying stolen data from other ransomware gangs in a bid to pressure organizations into paying a ransom to avoid the data being released on its extortion blog.
Last month a spokesperson for the blog told DataBreaches.net it was not connected to the ransomware group and “none of our targets has been attacked by Ransomware Snatch”. But the FBI and CISA refuted that claim which they said was made “despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.”
Advisory highlights security challenges
Centripetal security engineer Colin Little said the details about Snatch’s operation set out in the agencies’ advisory encapsulated several of the breach prevention challenges security teams were currently facing.
“The organization of cybercrime in the world today is at unprecedented levels, with uninterrupted access to communications as well as a flourishing economy in which stolen information is a commodity,” he said.
Threat actors had access to a range of “tried and true” tools covering the complete kill chain, plus the ability to “live off the land” by weaponizing operational and administrative features such as RDP and Windows Safe Mode.
Most importantly, Little said, Snatch’s use of a Russian bulletproof hosting service and other VPN services showed threat groups had “the ability to reach across the internet and penetrate the attack surface via remote access tools from fairly obvious high-risk sources.”