Snatch Ransomware Explained - CISA Alert AA23-263A

The Red Report 2023

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On September 20, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Snatch ransomware [1]. Snatch is a Ransomware-as-a-Service gang that employs data exfiltration and double extortion tactics in their ransomware operations. Since its emergence in 2018, Snatch ransomware targeted various organizations from defense, IT, agriculture, healthcare, retail, and manufacturing industries. 

In this blog post, we explained the Tactics, Techniques, and Procedures (TTPs) used by Snatch ransomware and how organizations can defend themselves against Snatch ransomware attacks.

Simulate Ransomware Attacks with 14-Day Free Trial of Picus Platform

Snatch Ransomware Explained

Snatch ransomware first appeared in 2018 and was formerly referred to as Team Truniger. Snatch employs a Ransomware-as-a-Service (RaaS) business model and provides ransomware payloads to other threat actors for a fee. Snatch also uses double extortion tactics by exfiltrating their victims' sensitive data. Unless the demanded ransom is paid, Snatch threatens to release the stolen data to the public, pressuring their victims into paying the ransom. 

For initial access, Snatch ransomware operators use brute-automated brute-force attacks against vulnerable remote desktop services. Adversaries are also known to acquire compromised credentials from Initial Access Brokers (IABs). As a key characteristic, Snatch ransomware forces the infected host to reboot into Safe Mode before encrypting the victim's file. This defense evasion tactic allows Snatch ransomware to infect their victims without worrying about antivirus or endpoint protection because Windows does not often run endpoint protection mechanisms in Safe Mode.

As an active ransomware group, Snatch continues to add new techniques and tools into their arsenal, and organizations should ensure that their operations are safe against Snatch ransomware attacks. CISA recommends organizations validate their security controls against the Snatch ransomware group's threat behaviors mapped to the MITRE ATT&CK framework. 

Snatch Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1078 Valid Accounts

Snatch ransomware operators acquire compromised credentials belonging to target organizations from Initial Access Brokers (IABs) and criminal forums/marketplaces. These credentials allow adversaries to gain access and establish persistence in the targets' networks.

T1133 External Remote Services

Snatch threat actors exploit vulnerable RDP services and brute force administrator credentials. After collecting credentials, adversaries gain access to the victim's network with a privileged account. A compromised administrator account can also be utilized for persistence and lateral movement.

Execution

T1059.003 Command and Scripting Interpreter: Windows Command Shell

Adversaries use batch files to enumerate the victim's network, exfiltrate data, and deploy ransomware.

T1569.002 System Services: Service Execution

Snatch ransomware uses the Windows command-line utility Service Control (sc.exe) to execute malicious commands and scripts in the victim's environment.

Persistence

T1078.002 Valid Accounts: Domain Accounts

Compromised credentials also allow adversaries to establish persistence in the victim's network. If adversaries are able to compromise a privileged account, they may gain a stronger foothold in the infected network.

Defense Evasion

T1036 Masquerading

Snatch has a ransomware executable with SHA-256 hash matching to a legitimate file to defeat signature-based detection.

T1070.004 Indicator Removal: File Deletion

After a successful compromise, Snatch operators delete deployed batch files to block incident response efforts. 

T1112 Modify Registry

Snatch ransomware modifies Windows Registry keys to establish persistence and force the compromised host to reboot into Safe Mode. 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service


T1562.001 Impair Defenses: Disable or Modify Tools

Adversaries disable Windows Defender to avoid being detected.

T1562.009 Impair Defenses: Safe Mode Boot

In Safe Mode boot, Windows does not enable many endpoint protection mechanisms such as antivirus and log gathering. Snatch ransomware operators force the infected machines to reboot in Safe Mode with networking before encrypting sensitive files.

Credential Access

T1110.001 Brute Force: Password Guessing

Snatch threat actors abuse vulnerable public-facing RDP services and use brute-force attacks to guess administrator credentials for the victim's network.

Lateral Movement

T1021.001 Remote Services: Remote Desktop Protocol

In addition to Initial Access, Snatch operators also use compromised valid accounts to move laterally in the victim's network via the Remote Desktop Protocol.

Collection

T1005 Data from Local System

Snatch threat actors search systems to find files and folders of interest prior to exfiltration.

Command and Control

T1071.001 Application Layer Protocols: Web Protocols

Adversaries download additional tools and upload the victim's file to their C2 server using port 443. Since port 443 is commonly used for HTTPS traffic, adversaries blend C2 traffic in with other web traffic.

Exfiltration

T1041 Exfiltration Over C2 Channel

Snatch threat actors use malware named Update_Collector.exe to exfiltrate data from the victim's network [2]. The stolen data is uploaded to an adversary-controlled C2 server.

Impact

T1486 Data Encrypted for Impact

Snatch ransomware encrypts its victim's data using AES encryption and appends encrypted files with the .snatch extension. 

T1490 Inhibit System Recovery

Snatch operators delete all volume shadow copies of the infected host to prevent victims from recovering their files. 

vssadmin delete shadows /all /quiet

How Picus Helps Simulate Snatch Ransomware Attacks?

We also strongly suggest simulating Snatch ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as CL0P, ALPHV, and Conti, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Snatch ransomware

Threat ID

Threat Name

Attack Module

48847

Snatch Threat Group Campaign 2023

Windows Endpoint

21653

Snatch Ransomware Download Threat

Network Infiltration

65288

Snatch Ransomware Email Threat

Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Snatch ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Snatch ransomware:

Security Control

Signature ID

Signature Name

Check Point NGFW

0CCF4E747

Trojan.Win32.HEUR:Trojan-Ransom.TC.6043agZs

Check Point NGFW

0C53073B0

TS_Ransomware.Win32.Snatch.TC.f5c5NygM

Check Point NGFW

0DE91E991

Trojan.Win32.Snatch.TC.6140Hcbf

Check Point NGFW

08568F6B8

Trojan.Win32.DelShad.ea.TC.5ab8kNtK

Check Point NGFW

0C4CE2155

Trojan.Win32.Trojan-Ransom.TC.2985pCwg

Forcepoint NGFW

 

File_Malware-Blocked 

Fortigate AV

3018269

W32/Snatch.B!tr

Fortigate AV

8147266

W32/Filecoder.NVR!tr.ransom

Fortigate AV

4946954

W32/Generic.QI!tr

Fortigate AV

8049158

W32/DelShad.AM!tr.ransom

Fortigate AV

8143271

W32/Filecoder.NYH!tr

McAfee

0x4840c900 

MALWARE: Malicious File Detected by GTI

Palo Alto

314124408

trojan/Win32 EXE.filecoder.aaj

Palo Alto

319404978

trojan/Win32 EXE.razy.aylw

Palo Alto

302292645

trojan/Win32 EXE.snatch.bq

Palo Alto

311480967

ransomware/Win32 EXE.xpaj.ezpe

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus The Complete Security Validation Platform.

References

[1] "#StopRansomware: Snatch Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a.

[2] A. Brandt, "Snatch ransomware reboots PCs into Safe Mode to bypass protection," Sophos News, Dec. 09, 2019. Available: https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/.