FBI and CISA Warn of Snatch Ransomware Attacks Targeting Critical Infrastructure Organizations
Overview
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued an advisory warning critical infrastructure organizations about ongoing Snatch ransomware attacks. Snatch, which has been active since 2018, operates under the ransomware-as-a-service (RaaS) model and has been specifically targeting organizations in the United States since 2019. The group has been observed purchasing stolen data from other hacking groups to further extort victims. These attacks pose a significant threat to critical infrastructure as they involve not only encrypting systems but also exfiltrating sensitive data.
Tactics and Techniques
The Snatch ransomware group primarily exploits vulnerabilities in remote desktop protocol (RDP) for initial access. However, they have also been seen obtaining compromised credentials from cybercrime forums. The group then uses these compromised credentials, specifically those of administrators, to maintain persistent access to victims’ networks. Snatch establishes command-and-control (C&C) communication over HTTPS, with the C&C server being hosted by a Russian bulletproof hosting service.
Prior to deploying the ransomware, the Snatch threat actors spend up to three months on victims’ networks, searching for valuable data to exfiltrate and identifying systems to encrypt. They also attempt to disable security software. Once executed, the Snatch ransomware modifies registry keys, enumerates the system, searches for specific processes, and creates benign processes to execute various batch files. In some cases, the ransomware also attempts to delete volume shadow copies. To further evade detection, the malware may reboot systems in Safe Mode to encrypt files while only a few services are running.
Ransom and Data Exfiltration
Since November 2021, the Snatch group has been operating a leaks site where they threaten to publish stolen data unless a ransom is paid. In some cases, victims have reported receiving spoofed calls from an unknown individual claiming affiliation with Snatch and directing them to the group’s extortion site. Even when a different ransomware family is deployed, victims may still be extorted by the Snatch group, leading to the stolen data being posted on ransomware leaks sites.
Recommended Mitigations
The FBI and CISA have provided a list of indicators of compromise (IoCs) and MITRE ATT&CK tactics and techniques associated with Snatch. They have also outlined several recommended mitigations that organizations can implement to improve their cybersecurity posture:
1. Regularly patch and update software and operating systems to address known vulnerabilities.
2. Implement multi-factor authentication (MFA) and strong password policies to prevent unauthorized access.
3. Restrict access to remote desktop protocol (RDP) and ensure that it is only used when necessary.
4. Conduct regular security awareness training to educate employees about the risks of phishing and social engineering attacks.
5. Monitor and analyze network traffic for any unusual or suspicious activity.
6. Back up critical data and regularly test the backups to confirm that they can be restored intact.
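The behaviours described above (deleting volume shadow copies, rebooting into Safe Mode, and spawning batch files from otherwise benign-looking processes) are the kind of host activity that mitigation 5's monitoring is meant to surface. The following script is an added example, not code from the advisory or from the FBI/CISA, showing how a defender might run simple detection logic over process-creation events and correlate hits per host. The event records are constructed for the example, and the concrete command lines it looks for (vssadmin, wmic, bcdedit, shutdown) are an assumption about how the described behaviours are commonly carried out; the advisory names only the behaviours, not the commands.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events, shaped like Sysmon Event ID 1 fields.
# These are made-up records for the example, not telemetry from the advisory.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"host": "srv02", "user": "CORP\\admin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "user": "CORP\\admin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit.exe /set {default} safeboot minimal"},
    {"host": "srv03", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws04", "user": "CORP\\jdoe", "parent": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\Users\\jdoe\\AppData\\Local\\Temp\\run.bat"},
    {"host": "srv02", "user": "CORP\\admin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\shutdown.exe", "cmdline": "shutdown.exe /r /t 0 /f"},
]

# Each rule maps a behaviour named in the advisory to a command-line pattern.
# Assumption: these are the usual built-in commands for the behaviour; the advisory
# describes the behaviour, not the exact tooling.
CMDLINE_RULES = {
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "safe_mode_boot_config": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "forced_reboot": re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I),
}

# Parent binaries under these directories are treated as expected launchers of cmd.exe.
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def batch_from_untrusted_parent(event):
    """Heuristic for 'benign processes executing batch files': cmd.exe running a .bat
    where the parent executable lives outside the OS or Program Files directories."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmdline = event["cmdline"].lower()
    return image.endswith("\\cmd.exe") and ".bat" in cmdline and not parent.startswith(TRUSTED_PARENT_DIRS)


def match_event(event):
    """Return the names of every rule a single event triggers (empty list if none)."""
    hits = [name for name, rx in CMDLINE_RULES.items() if rx.search(event["cmdline"])]
    if batch_from_untrusted_parent(event):
        hits.append("batch_from_untrusted_parent")
    return hits


def analyze(events):
    """Collect per-event findings, group rule hits per host, and escalate any host on
    which the pre-encryption chain described in the advisory (shadow copy removal
    plus Safe Mode boot configuration) appears together."""
    per_host = defaultdict(set)
    findings = []
    for ev in events:
        for rule in match_event(ev):
            per_host[ev["host"]].add(rule)
            findings.append((ev["host"], ev["user"], rule, ev["cmdline"]))
    escalated = sorted(host for host, rules in per_host.items()
                       if {"shadow_copy_deletion", "safe_mode_boot_config"} <= rules)
    return findings, dict(per_host), escalated


if __name__ == "__main__":
    findings, per_host, escalated = analyze(SAMPLE_EVENTS)
    for host, user, rule, cmdline in findings:
        print(f"[{rule}] host={host} user={user} cmd={cmdline!r}")
    print("hosts with the shadow-copy + safe-mode chain:", escalated)
```

Individual hits such as a forced reboot are noisy on their own, which is why the script only escalates a host when the two behaviours the advisory ties together both occur on it; in a real deployment the rules would run over a SIEM's process-creation feed rather than an in-memory list.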
Editorial and Philosophical Discussion
The recent warning from the FBI and CISA about ongoing Snatch ransomware attacks targeting critical infrastructure organizations highlights the increasing sophistication and impact of these cyber threats. That ransomware groups like Snatch not only encrypt systems but also exfiltrate sensitive data reflects a concerning trend in the cybercrime landscape. The threat of data exposure and the potential for significant financial and reputational damage pose immense challenges for organizations, particularly those in critical infrastructure sectors.
This situation raises important ethical and philosophical questions about the responsibility of governments in ensuring the security and resilience of critical infrastructure. The growing threat of ransomware attacks requires a comprehensive approach that involves collaboration between government agencies, private sector organizations, and international partners. Additionally, organizations must invest in robust cybersecurity measures, including patch management, user awareness training, and well-rehearsed incident response plans.
Advice
In light of the FBI and CISA advisory, it is crucial for critical infrastructure organizations to take immediate action to protect their networks and mitigate the risk of Snatch ransomware attacks. Implementing the recommended mitigations provided by the FBI and CISA, such as regularly patching and updating software, implementing MFA, and conducting security awareness training, can significantly enhance an organization’s cybersecurity posture. It is also important to regularly review and update incident response plans to ensure a timely and effective response in the event of an attack.
Organizations should also consider partnering with experienced cybersecurity firms and conducting regular vulnerability assessments and penetration testing to identify and address any weaknesses in their systems. The prevention and detection of ransomware attacks require a multi-layered approach that combines proactive cybersecurity measures, robust incident response capabilities, and continuous monitoring of network activity.
As the threat landscape continues to evolve, organizations must remain vigilant and adaptive, ensuring that their cybersecurity strategies align with emerging threats. By doing so, critical infrastructure organizations can better protect themselves, their employees, and their stakeholders from the devastating impact of ransomware attacks.