Joint Advisory Issued on Snatch Ransomware by US Agencies

In a united front against the escalating threat of Snatch ransomware, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a critical joint advisory, warning organizations across various sectors including IT, defense, food, and agriculture.

The advisory comes in light of Snatch's unique modus operandi, where it employs a customized ransomware that forces Windows systems to reboot into Safe Mode. This enables the group to bypass antivirus and endpoint protection solutions.

Michael Mumcuoglu, CEO and co-founder of CardinalOps, a network security company, spoke to SiliconANGLE and pointed out that there has been increased activity by the Snatch ransomware group over the last 12 to 18 months.

The group is notorious for their double extortion tactics, where they threaten to publish stolen data on their public blog if the ransom goes unpaid. According to The Register, the recent victims of Snatch include high-profile entities such as the City of Modesto and allegedly, the Florida Department of Veterans’ Affairs, which was listed on Snatch's dark-web site as one of its latest victims.

Active since 2018, Dark Reading reported that the Snatch ransomware group has evolved its tactics over time, leveraging the successes of other ransomware variants and consistently adapting to current trends in the cybercriminal space.

The joint advisory, based on FBI investigations between September 2022 and June 2023, provides detailed indicators of compromise and highlights the various methods Snatch affiliates use to infiltrate victims' networks. A primary method involves exploiting weaknesses in the Remote Desktop Protocol (RDP) to gain administrator credentials to victim’s networks. In some cases, the Snatch group has also purchased compromised credentials from online criminal marketplaces.

Once access is gained, Snatch affiliates utilize a combination of legitimate and malicious tools to maintain persistence and move laterally across networks, sometimes spending up to three months on victims' networks before deploying ransomware. To mitigate the risk of Snatch ransomware attacks, the advisory recommends organizations to closely monitor the use of remote access tools, disable command-line scripting, and more.

The issuance of this advisory underscores the sophisticated and evolving nature of cyber threats, emphasizing the need for heightened cybersecurity awareness and proactive defensive measures across all sectors.This comes amidst other significant ransomware threats, such as the LockBit ransomware, which has recently extorted US organizations for $91 million.