In an ongoing effort to combat the rising tide of ransomware attacks, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a Cybersecurity Advisory (CSA) outlining the known tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) associated with the Snatch ransomware variant.

Since its emergence in 2018, Snatch has consistently evolved its tactics, taking advantage of current cybercriminal trends. Notably, Snatch has targeted a wide range of critical infrastructure sectors, including the Defense Industrial Base, Food and Agriculture, and Information Technology sectors. Their operations involve data exfiltration and double extortion, where they not only encrypt victim data but also threaten to release it on their extortion blog if the ransom demands are not met.

One of the key characteristics of Snatch is its use of a customized ransomware variant that can reboot devices into Safe Mode, thereby evading detection by antivirus. The group has also been observed purchasing previously stolen data from other ransomware variants to further pressure victims into paying ransoms.

Snatch threat actors gain access to victim networks primarily through Remote Desktop Protocol (RDP) exploitation and brute-forcing. They establish connections to command and control (C2) servers, often located on Russian hosting services, using port 443 and other virtual private network (VPN) services.

Before deploying ransomware, Snatch threat actors spend significant time on a victim’s system, exploiting vulnerabilities and moving laterally through the network. They use various tools like Metasploit and Cobalt Strike for this purpose. They employ various techniques to disable antivirus software and execute its ransomware payload. The ransomware appends unique hexadecimal characters to each file it encrypts and leaves behind a text file titled “HOW TO RESTORE YOUR FILES.TXT” in each folder.

The advisory contains a list of IoCs associated with Snatch, including email domains and addresses, TOX messaging IDs, file and folder names, commands, registry keys, system log changes, and created mutexes. It also includes a breakdown of the TTPs used by the threat actor and how they fall within the MITRE ATT&CK framework.

FBI and CISA recommend several mitigation steps to protect against Snatch and similar threat actors. These include:

• auditing remote access tools,
• using security software to detect remote access software in memory,
• implementing application controls, and
• strictly limiting the use of RDP.

Organizations are also advised to:

• maintain offline backups,
• enforce strong password policies,
•  segment networks to prevent ransomware spread
• install and update antivirus software, disable unused ports and protocols, and
• consider adding email banners to external emails.

In the digital world of cyberthreats, this serves as a testament to the power of shared intelligence. By illuminating the intricate tactics and effective countermeasures in this advisory, businesses are empowered to fortify their digital defenses. As the cyber landscape continues its evolution, we’re reminded of the importance of collective knowledge sharing to combat ransomware and pave the way for a more secure future.

In Summary: The FBI and CISA have issued a joint advisory shedding light on the tactics and indicators associated with the Snatch ransomware variant. Snatch, a threat actor targeting critical infrastructure sectors, employs data exfiltration and double extortion, making this advisory a valuable resource for organizations looking to bolster their cybersecurity defenses.

Why It Matters: For MSPs and their clients, this advisory is a crucial tool in understanding and defending against the evolving threat of Snatch ransomware. By following the recommended mitigations and leveraging the shared intelligence provided, MSPs can enhance their cybersecurity services, offering clients enhanced protection and peace of mind in an increasingly hostile digital landscape.

To stay up to date on all APG intel, follow them on Twitter and Reddit.