Cybersecurity Advisory Highlights the Threat of Snatch Ransomware
Introduction
A recent cybersecurity advisory from the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations about the increasing threat posed by the Snatch ransomware-as-a-service (RaaS) operation. The alert highlights Snatch’s targeting of critical infrastructure sectors and its evolving tactics that take advantage of current trends in the cybercriminal space. This report will delve into the details of the advisory, the unique features of the Snatch ransomware, and the implications for organizations.
Targeting Critical Infrastructure Sectors
The advisory issued by the FBI and CISA noted that Snatch threat actors have been targeting a wide range of critical infrastructure sectors, including the IT sector, the US defense industrial base, and the food and agriculture vertical. Recent attacks in June have showcased the threat actors' ability to adapt their tactics and build on the successes of other ransomware operations. One notable tactic mentioned in the advisory is the purchase of data previously stolen by other ransomware operations, which Snatch actors then use as additional leverage to pressure victims into paying the ransom.
The Increasing Activity of Snatch Ransomware
Over the past year, the Snatch ransomware group has ramped up its activity, claiming responsibility for high-profile attacks on organizations such as South Africa’s Department of Defense, the California city of Modesto, Canada’s Saskatchewan airport, and the London-based Briars Group. The advisory did not provide a specific explanation for the timing of the alert, but cybersecurity experts believe it is likely connected to Snatch’s increasing activity.
The Unique Features of Snatch Ransomware
Snatch ransomware is known for a distinctive feature that sets it apart from other variants: it forces Windows systems to reboot into Safe Mode midway through the attack chain. By doing so, Snatch can encrypt files without being detected by antivirus tools, which often do not run in Safe Mode. Sophos, one of the first security vendors to track the ransomware, warned in 2019 about the seriousness of ransomware that runs in Safe Mode.
The Exploitation of Safe Mode
The joint FBI and CISA advisory highlighted the Safe Mode feature of Snatch ransomware as a significant capability that allows the malware to circumvent endpoint security controls and encrypt files while few Windows services are running. This tactic takes advantage of the fact that many Windows computers do not run endpoint protection in Safe Mode. The capability of running in Safe Mode makes Snatch a more potent threat, since it can evade detection and continue encrypting files.
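A defender-side check for the Safe Mode pivot described above, added here as an example that is not from the advisory or the article: it runs three rules over constructed process command lines and correlates a Safe Mode boot-configuration change with a forced reboot. The sample command lines, the rule names, the service name and the Finding type are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample process command lines in the shape an EDR or Sysmon
# process-creation feed might yield; they are not indicators from the advisory.
SAMPLE_COMMAND_LINES = [
    "svchost.exe -k netsvcs",
    "bcdedit /set {current} safeboot minimal",
    "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\UpdSvc "
    "/ve /t REG_SZ /d Service /f",
    "shutdown /r /f /t 00",
    "bcdedit /enum",
]

@dataclass
class Finding:
    index: int    # position of the event in the input list
    rule: str     # name of the rule that fired
    command: str  # the command line that matched

# Each rule covers a Windows mechanism a defender expects to see when a process
# forces a Safe Mode reboot: switching the boot configuration to safeboot,
# registering a service so it still starts under Safe Mode, and the reboot itself.
RULES = {
    "safeboot_set": re.compile(r"\bbcdedit(\.exe)?\b.*\s/set\b.*\bsafeboot\b", re.I),
    "safeboot_service_registered": re.compile(r"\\SafeBoot\\(Minimal|Network)\\", re.I),
    "forced_reboot": re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I),
}

def triage(command_lines):
    """Return one Finding per (event, rule) match, in event order."""
    findings = []
    for index, cmdline in enumerate(command_lines):
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                findings.append(Finding(index, name, cmdline))
    return findings

def safe_mode_chain(findings):
    """True when a safeboot configuration change is followed by a forced reboot,
    the sequence that turns a lone bcdedit hit into an actionable alert."""
    set_events = [f.index for f in findings if f.rule == "safeboot_set"]
    reboots = [f.index for f in findings if f.rule == "forced_reboot"]
    return any(r > s for s in set_events for r in reboots)

if __name__ == "__main__":
    hits = triage(SAMPLE_COMMAND_LINES)
    for hit in hits:
        print(f"event {hit.index}: {hit.rule}: {hit.command}")
    print("safe mode chain detected:", safe_mode_chain(hits))
```

A read-only enumeration such as `bcdedit /enum` deliberately does not fire, so the rule set stays quiet on routine administration.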
Data Exfiltration and Leverage Tactics
Similar to other ransomware variants, Snatch ransomware includes a component for stealing data from compromised systems before encryption. The threat actors behind Snatch have frequently used this capability to exfiltrate sensitive data from victim organizations. They then threaten to publicly leak or sell the data to others if the ransom demand is not paid. The advisory also mentioned instances where Snatch actors purchased data stolen by other ransomware groups and used it as leverage to extract money from organizations.
The Techniques and Tools Used by Snatch
Snatch ransomware operators have utilized various techniques to gain access to target networks. These include exploiting weaknesses in the Remote Desktop Protocol (RDP) to gain administrator-level access and using stolen or purchased credentials. Once inside a network, the threat actors may spend up to three months moving laterally and searching for files and folders of interest. The FBI and CISA advisory described Snatch operators as using a combination of legitimate and malicious tools, including Metasploit, Cobalt Strike, and utilities such as sc.exe.
Increase in North American Attacks
According to John Shier, field CTO at Sophos, there have been limited signs of renewed activity from Snatch after a period of relative quiet. The most interesting aspect is the close alignment of observed indicators of compromise (IoCs) with the ones contained in the advisory. While some IoCs are not unique to Snatch, their presence should prompt an immediate response. Nick Hyatt, cyber practice leader at Optiv, stated that Snatch ransomware has been the most active in North America, with 70 attacks tracked between July 2022 and June 2023.
Editorial: Addressing the Growing Threat of Snatch Ransomware
The Urgent Need for Strengthened Cybersecurity Measures
The recent advisory from the FBI and CISA regarding the Snatch ransomware underscores the need for organizations to prioritize cybersecurity and implement robust measures to protect their critical infrastructure. The evolving tactics and increasing activity of Snatch ransomware highlight the sophistication of modern cyber threats, necessitating a proactive and comprehensive approach to cybersecurity.
Government and Industry Cooperation
This advisory also emphasizes the importance of collaboration between government agencies and private sector organizations. The joint efforts of the FBI and CISA demonstrate the value of sharing intelligence and coordinating strategies to combat cyber threats. By working together, both government agencies and the private sector can ensure a more coordinated response to ransomware attacks and other cybersecurity incidents.
Investment in Cybersecurity Training and Technology
In light of the ongoing threat from ransomware operations like Snatch, organizations must invest in cybersecurity training for their employees and adopt advanced technologies to detect and respond to potential threats. It is crucial to educate employees about safe online practices, such as avoiding suspicious emails and websites, and regularly updating security protocols.
Regular Backup and Recovery Measures
One of the most effective defenses against ransomware attacks is maintaining regular backups of critical data. By securely storing backups offline and regularly testing restoration processes, organizations can minimize the impact of ransomware and avoid falling victim to extortion attempts. This practice enables swift recovery in the event of an attack and reduces the financial incentive for threat actors.
Improved Security Strategies for Critical Infrastructure Sectors
Given the targeting of critical infrastructure sectors by Snatch ransomware and other cyber threats, it is essential for these sectors to enhance their security strategies further. Robust access controls, network segmentation, strong authentication mechanisms, and continuous monitoring of network traffic can help mitigate the risk of successful attacks.
Conclusion
The emergence of Snatch ransomware highlights the ongoing challenges organizations face in protecting their systems and data from ever-evolving cyber threats. The joint advisory from the FBI and CISA serves as a timely reminder of the need for increased vigilance and investment in cybersecurity measures. By fostering collaboration, prioritizing training, implementing advanced technologies, and adopting comprehensive security strategies, organizations can better defend against ransomware attacks and safeguard critical infrastructure.