The U.S. Cybersecurity and Infrastructure Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a security advisory warning organizations about the Snatch ransomware operation.
The advisory is part of the pairs #StopRansomware campaign, in which the two detail the tactics, techniques, and procedures (TTP), as well as indicators of compromise (IOC), of currently active and disruptive ransomware operations, in hopes of helping organizations protect against the threats a little better.
Even though Snatch first appeared sometime in 2018, the data the two organizations provide is relatively new, with some investigation data dating in early June this year. As per the advisory, Snatch is a ransomware-as-a-service model, by which different threat actor groups rent out the encryptor, and the infrastructure, in order to run ransomware campaigns.
Evolution in tactics
While Snatch threat actors kept “consistently” evolving their threat tactics, the advisory reads, they kept in line with what the majority did - they exfiltrated and encrypted sensitive data, then demanded payment in exchange for the decryption key, and in exchange for not leaking the data on the dark web.
“FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents,” the two said.
Back in December 2019, Snatch ransomware was found rebooting infected computers into Safe Mode, to bypass security solutions. This version was discovered by security researchers from the Sophos Managed Threat Response team and SophosLabs, which said that no security tools work in Safe Mode, allowing Snatch to encrypt the files unabated.
In a report on SiliconANGLE, it was said that more recent Snatch victims include the Florida Department of Veteran’s Affairs, Zilli, CEFCO Inc., the South African Department of Defense and the Briars Group Ltd.
Michael Mumcuoglu, co-founder and chief executive of posture management company CardinalOps Ltd., told the same publication that Snatch’s operators were more active over the past year and a half.
More from TechRadar Pro
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.