Feds issue Snatch ransomware warning as gang claims latest victim

esteria.white

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about the Snatch ransomware gang, whose recent victims include the city of Modesto, Tampa General Hospital and the Canadian Nurses Association.

The agencies’ joint cybersecurity advisory of September 20 coincided with the gang’s release of an as-yet-unconfirmed claim that the Florida Department of Veterans Affairs was among its latest victims.

The FBI and CISA said Snatch, which was first observed in 2018, targeted a wide range of victim organizations, including many from the food, agriculture, IT and defense sectors.

“Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and capitalize on the successful operations of other ransomware variants,” the agencies said.

The group operated a ransomware-as-a-service model, and its willingness to adopt new techniques included taking up the practice of double extortion: exfiltrating data from victims’ systems, encrypting it, and threatening to publish the stolen data if a ransom is not paid.

Shortly after the cybersecurity advisory was published, Emsisoft threat analyst Brett Callow posted on X, formerly Twitter, a screenshot of Snatch’s extortion blog where the gang alleged that the Florida Department of Veterans Affairs was one of its latest victims. The department has not yet responded publicly to this claim.

When Safe Mode Is Not So Safe

Since its inception, Snatch has been known for its use of custom ransomware that restarts victim devices in Windows Safe Mode. This allows it to bypass antivirus and endpoint protection solutions, and encrypt files on targeted machines while few services are running.

The FBI and CISA said Snatch affiliates typically relied on exploiting weaknesses in the Remote Desktop Protocol (RDP) and using brute force techniques to gain administrative access to victims’ networks. In some cases, however, affiliates had purchased compromised credentials from Dark Web forums and marketplaces.

Event logs provided by recent Snatch victims show that the gang initiated RDP connections to target organizations from a bulletproof Russian hosting service and through other virtual private network services.

The gang establishes persistence on victims’ networks by using administrator accounts to establish connections through port 443 to a command-and-control server located on a bulletproof Russian hosting service.

Snatch threat actors can spend up to three months on victims’ systems before deploying ransomware, using the time in between to search for files and folders to exfiltrate and to ensure the widest possible deployment of their malware.
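The two behaviours described above, RDP brute forcing from external sources and a reboot into Safe Mode, both leave traces in Windows Security event logs. The following is an added example, not code from the advisory or the article: a small Python detector run over constructed event records. Event IDs 4625 (failed logon), 4624 (successful logon, logon type 10 = RDP) and 4688 (process creation) are real Windows event IDs; the field names, the failure threshold and the sample addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (not real telemetry), modelled on Windows
# Security events 4625 (failed logon), 4624 (successful logon) and
# 4688 (process creation with command-line auditing enabled).
EVENTS = [
    {"id": 4625, "src": "203.0.113.7", "user": "admin"},
    {"id": 4625, "src": "203.0.113.7", "user": "administrator"},
    {"id": 4625, "src": "203.0.113.7", "user": "backup"},
    {"id": 4625, "src": "203.0.113.7", "user": "svc_sql"},
    {"id": 4625, "src": "203.0.113.7", "user": "admin"},
    {"id": 4624, "src": "203.0.113.7", "user": "admin", "logon_type": 10},
    {"id": 4624, "src": "10.0.0.5", "user": "jsmith", "logon_type": 10},
    {"id": 4688, "cmd": "bcdedit.exe /set {default} safeboot minimal"},
    {"id": 4688, "cmd": "notepad.exe"},
]

FAIL_THRESHOLD = 5  # hypothetical tuning value; adjust per environment
PRIVATE_RANGES = [ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(addr):
    """True when the source is outside the RFC 1918 private ranges."""
    a = ip_address(addr)
    return not any(a in net for net in PRIVATE_RANGES)

def rdp_bruteforce_then_success(events, threshold=FAIL_THRESHOLD):
    """Flag a source that accumulates >= threshold failed logons and then
    logs on successfully over RDP (logon type 10). With NLA enabled the
    same session may also produce a type 3 logon first; type 10 is the
    interactive RDP logon we key on here."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]] += 1
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            src = e["src"]
            if failures[src] >= threshold:
                alerts.append({"src": src, "user": e["user"],
                               "failures": failures[src],
                               "external": is_external(src)})
    return alerts

def safe_mode_tampering(events):
    """Flag process creations that configure the machine to boot into
    Safe Mode, where most endpoint protection does not run."""
    return [e["cmd"] for e in events
            if e["id"] == 4688
            and "bcdedit" in e["cmd"].lower()
            and "safeboot" in e["cmd"].lower()]
```

The same logic maps onto a SIEM rule by correlating 4625 counts per source address with a later 4624/type 10 from that address, and alerting on any 4688 whose command line sets a safeboot value.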

In their advisory, the agencies said Snatch had been observed purchasing stolen data from other ransomware gangs in an effort to pressure organizations into paying a ransom to prevent the data from being published on its extortion blog.

Last month, a spokesperson for the blog told DataBreaches.net he was not connected to the ransomware group and “none of our targets were attacked by Ransomware Snatch.” But the FBI and CISA refuted the claim, which they said was made “despite confirmed data of several Snatch victims appearing on the blog alongside victims associated with other ransomware groups, including Nokoyawa and Conti.”

Advisory highlights security challenges

Centripetal security engineer Colin Little said the details about Snatch’s operation outlined in the agencies’ advisory summarized many of the breach prevention challenges security teams currently faced.

“The organization of cybercrime around the world today reaches unprecedented levels, with uninterrupted access to communications as well as a thriving economy in which stolen information is a commodity,” he said.

Threat actors had access to a range of “proven” tools covering the entire kill chain, as well as the ability to “live off the land” by weaponizing operational and administrative features such as RDP and Windows Safe Mode.

More importantly, Little said, Snatch’s use of a bulletproof Russian hosting service and other VPN services showed that malicious groups had “the ability to reach the Internet and penetrate the network attack surface via remote access tools from fairly obvious high-risk sources.”
