The FBI and US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning organisations about a ransomware-as-a-service operation called "Snatch."
Snatch? As in the movie from twenty odd years ago? I'm not sure I've heard of Snatch before...
Maybe you haven't. They don't have as high a profile as some of the other more notorious ransomware organisations out there, but if the FBI and CISA think it's worth issuing a warning about the group then maybe it makes sense to sit up and listen. And yes, judging by their logo - they appear to fans of Guy Richie's crime comedy movie released in 2000.
Okay, you've got my attention. What's the threat posed by Snatch?
The cybercriminals behind Snatch have been targeting a wide range of sectors related to critical infrastructure, including the defence industry, food and agriculture, and IT sector. Like many other ransomware groups they specialise in "double extortion."
They don't just compromise your network and encrypt your data (demanding a ransom for a decryption key). They also exfiltrate your data, threatening to publish it online or sell it to other cybercriminals if you don't give in to their extortion demands.
Which means that even if I have a backup I can restore my data from, they could still put a lot of pressure on my company to pay a ransom?
Right. Sadly, it can be a very effective technique - and it's clear that Snatch has no qualms about using it in an attempt to pressure organisations into paying up. Earlier this year, Snatch made headlines for itself by leaking what it claimed were 1.6 terabytes of highly sensitive documents exfiltrated from South Africa's Department of Defence. And just this week, the Florida Department of Veterans' Affairs found its data leaked on the Snatch website after it (presumably) refused to pay a ransom.
Nasty. How long has Snatch been operating?
Snatch first appeared in 2018, albeit originally under the name Team Truniger (Truniger, explains the FBI and CISA advisory, was the online handle of a key member who had previously worked as an affiliate of the GandCrab ransomware-as-a-service operation.) Snatch uses command-and-control servers hosted in Russia to launch attacks, and typically reboots Windows PCs into safe mode in an attempt to bypass existing anti-virus protection.
If Snatch isn't that new, why the warning?
You have to assume that the authorities are concerned that Snatch is putting more effort than ever into ramping up its attacks.
Urk. Anything else I should be aware of?
In the past, the Snatch attackers have often targeted Remote Desktop Protocol (RDP) weaknesses to gain access to victims' networks. They are also not shy of using stolen passwords to gain entrance to a targeted system. Once they have a foothold in your network, Snatch hackers can spend months at a time looking for data to target, before striking. A further interesting aspect worth noting is that the criminals behind Snatch have in the past purchased data stolen by other ransomware gangs.
Why are they doing that?
It appears that they are attempting to further exploit victims, threatening to release the data on their extortion site.
So, I need to take Snatch seriously.
I would recommend taking any ransomware group seriously - if your organisation falls victim then the consequences could be costly. In particular, Snatch's activities appear to have been focused on North American organisations. Whether that's an indication of the locations of those who might be behind the attacks, is a question I'll leave to your imagination to answer.
What should we do to protect our business from ransomware?
Our advice is that your organisation should follow safe computing practices to defend against Snatch and other ransomware attacks. Those include:
- making secure offsite backups.
- running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
- Restrict an attacker's ability to spread laterally through your organisation via network segmentation.
- using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
- encrypting sensitive data wherever possible.
- reducing the attack surface by disabling functionality that your company does not need.
- educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.