In an ongoing effort to combat the rising threat of ransomware attacks, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint Cybersecurity Advisory (CSA) shedding light on the evolving tactics of the Snatch ransomware variant.
This advisory, published as part of the #StopRansomware initiative, aims to equip network defenders with crucial information to protect against this challenging cyber threat.
A Persistent Threat
The Snatch ransomware variant, which first emerged in 2018, has proven to be a resilient adversary. Operating under a ransomware-as-a-service (RaaS) model, Snatch has consistently adapted its tactics to capitalize on the latest trends in cybercrime. Recent FBI investigations have revealed that Snatch has been particularly active, with the most recent activity reported as of June 1, 2023.
One of the hallmark features of Snatch ransomware is its ability to evade detection by rebooting infected devices into Safe Mode, a technique that allows it to operate undetected by antivirus or endpoint protection software.
This characteristic, combined with its penchant for data exfiltration and double extortion, makes Snatch a potent threat. After exfiltrating data from victims, Snatch threat actors often resort to double extortion, threatening to publish the stolen data on their extortion blog if the ransom is not paid.
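The Safe Mode trick described above leaves traces a defender can look for on the host: the current boot state, a persistent safeboot flag in the boot configuration, and process-creation events whose command line changed that flag. The following PowerShell check is an added example written for this article; it is not code from the FBI/CISA advisory or from Hackread. It assumes it is run elevated on Windows, and the event-log part assumes process-creation auditing (Event ID 4688) with command-line logging is enabled.

```powershell
# Added example (not from the advisory or the article): a read-only host check
# for Safe Mode abuse. It answers three questions:
#   1. Is this machine currently running in Safe Mode?
#   2. Is the boot configuration set so the next reboot lands in Safe Mode?
#   3. Did a process recently touch the safeboot setting (Security log 4688)?
# Assumptions: run elevated on Windows; question 3 needs process-creation
# auditing with "include command line in process creation events" enabled.

function Get-SafeModeIndicators {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 72   # how far back to search the Security log
    )

    $result = [ordered]@{
        CurrentlyInSafeMode   = $false
        PersistentSafeBoot    = $null
        SafeBootCommandEvents = @()
    }

    # 1. Win32_ComputerSystem.BootupState is "Normal boot" outside Safe Mode and
    #    "Fail-safe boot" / "Fail-safe with network boot" inside it.
    $bootState = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    $result.CurrentlyInSafeMode = ($bootState -ne 'Normal boot')

    # 2. A safeboot entry on the current BCD boot entry means every reboot, not
    #    just the next one, comes up in Safe Mode until the entry is removed.
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    $safeboot = $bcd | Select-String -Pattern '^\s*safeboot\s+(\S+)' | Select-Object -First 1
    if ($safeboot) { $result.PersistentSafeBoot = $safeboot.Matches[0].Groups[1].Value }

    # 3. Process-creation events whose command line mentions the safeboot
    #    setting. Matching on the setting rather than on bcdedit.exe also
    #    catches renamed copies of the tool.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['CommandLine'] -match 'safeboot') {
            $result.SafeBootCommandEvents += [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $data['SubjectUserName']
                Parent      = $data['ParentProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    }
    [pscustomobject]$result
}

$r = Get-SafeModeIndicators
$r | Format-List
if ($r.PersistentSafeBoot -or $r.SafeBootCommandEvents.Count -gt 0) {
    Write-Warning 'Safe Mode boot configuration activity found; treat it as an incident lead.'
}
```

A persistent safeboot value on a server that nobody is troubleshooting, or a 4688 event in which a non-administrative parent process changed it, is the kind of finding worth escalating before the machine reboots; the check is cheap enough to schedule across a fleet.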
A Wide Range of Targets
Snatch ransomware’s victims span various critical infrastructure sectors, including the Defense Industrial Base, Food and Agriculture, and Information Technology sectors. Their modus operandi involves a meticulous approach, spending up to three months on a victim’s system before deploying the ransomware. During this time, they exploit vulnerabilities, move laterally across networks, and search for valuable data to exfiltrate.
Snatch’s use of unique tactics sets it apart from other ransomware variants. The ransomware executable is known to append a series of hexadecimal characters to each file and folder name it encrypts, resulting in a unique identifier for each infection.
Additionally, the threat actors communicate with victims through email and the Tox communication platform, based on identifiers left in ransom notes or through their extortion blog.
Commenting on this, Colin Little, Security Engineer at Centripetal, told Hackread.com: “This CISA advisory is a noteworthy example of several primary challenges in breach prevention.” Colin also pointed out vital steps that businesses and unsuspecting users can take against the growing threat of Snatch ransomware:
- “The organization of cyber crime in the world today is at unprecedented levels, with uninterrupted access to communications as well as a flourishing economy in which stolen information is a commodity.
- Several “tried and true” tools upon which threat actors can rely to ensure a complete kill chain, such as Cobalt Strike.
- The ability to “live off the land” by weaponizing operational and administrative features such as RDP and Windows Safe Mode.
- Most importantly, the ability to reach across the internet and penetrate the attack surface via remote access tools from fairly obvious high-risk sources, such as a “from a Russian bulletproof hosting service and through other virtual private network (VPN) services.”
“Attack surface protection can provide not only cover and concealment from these types of attacks, but visibility into what the attack surface looks like as well,” Colin emphasized.
Mitigations and Recommendations
In their advisory, the FBI and CISA have outlined several crucial mitigations and recommendations for organizations to reduce the likelihood and impact of ransomware incidents, based on Snatch’s activity:
- Audit and Control Remote Access: Organizations are advised to audit and control remote access tools, monitor their usage, and require authorized remote access to be used only through approved channels like VPNs.
- Implement Application Controls: Application controls should be put in place to manage and control software execution, including allowlisting remote access programs to prevent unauthorized installations.
- Strengthen Credential Security: Protect credentials by implementing strong password policies, enforcing multi-factor authentication, and avoiding the storage of plaintext credentials in scripts.
- Regularly Update and Patch: Keep all systems, software, and firmware up-to-date, prioritizing the patching of known exploited vulnerabilities.
- Network Segmentation: Employ network segmentation to limit the spread of ransomware and restrict adversary lateral movement.
- Data Backup and Encryption: Maintain offline backups of data, and ensure those backups are encrypted, immutable, and cover the organization’s entire data infrastructure.
- Security Testing and Validation: Continuously test and validate security controls against known threat behaviours, aligning them with MITRE ATT&CK techniques.
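Several of the items above can be checked on a single Windows host without changing anything. The script below is an added example written for this article, not code from the FBI/CISA advisory or from Hackread: it reports whether Remote Desktop is enabled and requires Network Level Authentication, which remote-access software is installed, whether AppLocker is actually enforcing anything, and whether scripts on disk carry literal passwords. The product names and the script directories it scans are assumptions to be replaced with the organization’s own approved lists and locations; it should be run elevated.

```powershell
# Added example (not from the advisory or the article): a read-only audit of
# four mitigations on one host: remote access configuration, installed
# remote-access software, application control, and plaintext credentials in
# scripts. Run elevated. Product names and paths below are assumptions.

# Illustrative remote-access product names; replace with your own approved and
# unapproved lists.
$RemoteAccessProducts = @('AnyDesk', 'TeamViewer', 'ScreenConnect', 'ConnectWise',
                          'Splashtop', 'Atera', 'RustDesk', 'LogMeIn')
# Assumed locations where administrative scripts are kept on this host.
$ScriptPaths = @("$env:SystemDrive\Scripts", "$env:ProgramData")

function Get-RemoteAccessPosture {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = "$ts\WinStations\RDP-Tcp"
    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla  = (Get-ItemProperty -Path $tcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    [pscustomobject]@{ RdpEnabled = ($deny -eq 0); NlaRequired = ($nla -eq 1) }
}

function Get-InstalledRemoteAccessSoftware {
    # Both 64-bit and 32-bit uninstall hives; DisplayName is what Add/Remove Programs shows.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Where-Object { $name = $_.DisplayName; $RemoteAccessProducts | Where-Object { $name -like "*$_*" } } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Test-ApplicationControl {
    # AppLocker only enforces while the Application Identity service is running,
    # and only for rule collections whose EnforcementMode is "Enabled".
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $enforced = 0
    try {
        $xml = [xml](Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop)
        $enforced = $xml.SelectNodes('//RuleCollection[@EnforcementMode="Enabled"]').Count
    } catch { }
    [pscustomobject]@{
        AppIdServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
        EnforcedCollections = [int]$enforced
    }
}

function Find-PlaintextCredentials {
    param([string[]]$Paths)
    # Heuristic only: a password-like name assigned a quoted literal, or a
    # SecureString built from plain text inside the script itself.
    $pattern = '(?i)(password|passwd|pwd)\s*[:=]\s*["''][^"'']+["'']|ConvertTo-SecureString\s+.*-AsPlainText'
    Get-ChildItem -Path $Paths -Recurse -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
        Select-String -Pattern $pattern |
        Select-Object Path, LineNumber
}

$posture = Get-RemoteAccessPosture
$tools   = @(Get-InstalledRemoteAccessSoftware)
$appctl  = Test-ApplicationControl
$creds   = @(Find-PlaintextCredentials -Paths $ScriptPaths)

"Remote Desktop enabled: $($posture.RdpEnabled); NLA required: $($posture.NlaRequired)"
if ($posture.RdpEnabled -and -not $posture.NlaRequired) {
    Write-Warning 'RDP is enabled without NLA: require NLA and reach it only through the VPN.'
}
"Remote-access software found: $($tools.Count)"; $tools | Format-Table -AutoSize
"AppLocker: service running=$($appctl.AppIdServiceRunning); enforced collections=$($appctl.EnforcedCollections)"
if ($appctl.EnforcedCollections -eq 0) { Write-Warning 'No AppLocker collection is enforced; remote-access tools are not allowlisted.' }
"Scripts with literal credentials: $($creds.Count)"; $creds | Format-Table -AutoSize
```

Each finding maps back to one of the advisory’s items: an RDP listener without NLA or a VPN in front of it is the remote-access gap, an unexpected entry in the software list is an unapproved remote access tool, zero enforced AppLocker collections means the allowlisting control is not in effect, and every script hit is a credential that belongs in a vault rather than on disk.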
Lastly, the FBI and CISA strongly discourage paying ransoms, as it does not guarantee the recovery of files and may encourage further criminal activity. Instead, they urge organizations to promptly report ransomware incidents to the appropriate authorities, such as the FBI’s Internet Crime Complaint Center (IC3) or CISA.
Joint advisories like this one serve as crucial tools for organizations to stay informed and proactively defend against ransomware attacks like Snatch. By implementing the recommended mitigations and sharing threat information, organizations can enhance their cybersecurity posture and contribute to the collective effort to #StopRansomware.