.svg)
.svg)
On September 20, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Snatch ransomware [1]. Snatch is a Ransomware-as-a-Service gang that employs data exfiltration and double extortion tactics in their ransomware operations. Since its emergence in 2018, Snatch ransomware targeted various organizations from defense, IT, agriculture, healthcare, retail, and manufacturing industries.
In this blog post, we explained the Tactics, Techniques, and Procedures (TTPs) used by Snatch ransomware and how organizations can defend themselves against Snatch ransomware attacks.
Simulate Ransomware Attacks with 14-Day Free Trial of Picus Platform
Snatch Ransomware Explained
Snatch ransomware first appeared in 2018 and was formerly referred to as Team Truniger. Snatch employs a Ransomware-as-a-Service (RaaS) business model and provides ransomware payloads to other threat actors for a fee. Snatch also uses double extortion tactics by exfiltrating their victims' sensitive data. Unless the demanded ransom is paid, Snatch threatens to release the stolen data to the public, pressuring their victims into paying the ransom.
For initial access, Snatch ransomware operators use brute-automated brute-force attacks against vulnerable remote desktop services. Adversaries are also known to acquire compromised credentials from Initial Access Brokers (IABs). As a key characteristic, Snatch ransomware forces the infected host to reboot into Safe Mode before encrypting the victim's file. This defense evasion tactic allows Snatch ransomware to infect their victims without worrying about antivirus or endpoint protection because Windows does not often run endpoint protection mechanisms in Safe Mode.
As an active ransomware group, Snatch continues to add new techniques and tools into their arsenal, and organizations should ensure that their operations are safe against Snatch ransomware attacks. CISA recommends organizations validate their security controls against the Snatch ransomware group's threat behaviors mapped to the MITRE ATT&CK framework.
Snatch Ransomware Analysis and MITRE ATT&CK TTPs
Initial Access
T1078 Valid Accounts
Snatch ransomware operators acquire compromised credentials belonging to target organizations from Initial Access Brokers (IABs) and criminal forums/marketplaces. These credentials allow adversaries to gain access and establish persistence in the targets' networks.
T1133 External Remote Services
Snatch threat actors exploit vulnerable RDP services and brute force administrator credentials. After collecting credentials, adversaries gain access to the victim's network with a privileged account. A compromised administrator account can also be utilized for persistence and lateral movement.
Execution
T1059.003 Command and Scripting Interpreter: Windows Command Shell
Adversaries use batch files to enumerate the victim's network, exfiltrate data, and deploy ransomware.
T1569.002 System Services: Service Execution
Snatch ransomware uses the Windows command-line utility Service Control (sc.exe) to execute malicious commands and scripts in the victim's environment.
Persistence
T1078.002 Valid Accounts: Domain Accounts
Compromised credentials also allow adversaries to establish persistence in the victim's network. If adversaries are able to compromise a privileged account, they may gain a stronger foothold in the infected network.
Defense Evasion
T1036 Masquerading
Snatch has a ransomware executable with SHA-256 hash matching to a legitimate file to defeat signature-based detection.
T1070.004 Indicator Removal: File Deletion
After a successful compromise, Snatch operators delete deployed batch files to block incident response efforts.
T1112 Modify Registry
Snatch ransomware modifies Windows Registry keys to establish persistence and force the compromised host to reboot into Safe Mode.
|
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service |
T1562.001 Impair Defenses: Disable or Modify Tools
Adversaries disable Windows Defender to avoid being detected.
T1562.009 Impair Defenses: Safe Mode Boot
In Safe Mode boot, Windows does not enable many endpoint protection mechanisms such as antivirus and log gathering. Snatch ransomware operators force the infected machines to reboot in Safe Mode with networking before encrypting sensitive files.
Credential Access
T1110.001 Brute Force: Password Guessing
Snatch threat actors abuse vulnerable public-facing RDP services and use brute-force attacks to guess administrator credentials for the victim's network.
Lateral Movement
T1021.001 Remote Services: Remote Desktop Protocol
In addition to Initial Access, Snatch operators also use compromised valid accounts to move laterally in the victim's network via the Remote Desktop Protocol.
Collection
T1005 Data from Local System
Snatch threat actors search systems to find files and folders of interest prior to exfiltration.
Command and Control
T1071.001 Application Layer Protocols: Web Protocols
Adversaries download additional tools and upload the victim's file to their C2 server using port 443. Since port 443 is commonly used for HTTPS traffic, adversaries blend C2 traffic in with other web traffic.
Exfiltration
T1041 Exfiltration Over C2 Channel
Snatch threat actors use malware named Update_Collector.exe to exfiltrate data from the victim's network [2]. The stolen data is uploaded to an adversary-controlled C2 server.
Impact
T1486 Data Encrypted for Impact
Snatch ransomware encrypts its victim's data using AES encryption and appends encrypted files with the .snatch extension.
T1490 Inhibit System Recovery
Snatch operators delete all volume shadow copies of the infected host to prevent victims from recovering their files.
|
vssadmin delete shadows /all /quiet |
How Picus Helps Simulate Snatch Ransomware Attacks?
We also strongly suggest simulating Snatch ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as CL0P, ALPHV, and Conti, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Snatch ransomware:
|
Threat ID |
Threat Name |
Attack Module |
|
48847 |
Snatch Threat Group Campaign 2023 |
Windows Endpoint |
|
21653 |
Snatch Ransomware Download Threat |
Network Infiltration |
|
65288 |
Snatch Ransomware Email Threat |
Email Infiltration (Phishing) |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Snatch ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Snatch ransomware:
|
Security Control |
Signature ID |
Signature Name |
|
Check Point NGFW |
0CCF4E747 |
Trojan.Win32.HEUR:Trojan-Ransom.TC.6043agZs |
|
Check Point NGFW |
0C53073B0 |
TS_Ransomware.Win32.Snatch.TC.f5c5NygM |
|
Check Point NGFW |
0DE91E991 |
Trojan.Win32.Snatch.TC.6140Hcbf |
|
Check Point NGFW |
08568F6B8 |
Trojan.Win32.DelShad.ea.TC.5ab8kNtK |
|
Check Point NGFW |
0C4CE2155 |
Trojan.Win32.Trojan-Ransom.TC.2985pCwg |
|
Forcepoint NGFW |
|
File_Malware-Blocked |
|
Fortigate AV |
3018269 |
W32/Snatch.B!tr |
|
Fortigate AV |
8147266 |
W32/Filecoder.NVR!tr.ransom |
|
Fortigate AV |
4946954 |
W32/Generic.QI!tr |
|
Fortigate AV |
8049158 |
W32/DelShad.AM!tr.ransom |
|
Fortigate AV |
8143271 |
W32/Filecoder.NYH!tr |
|
McAfee |
0x4840c900 |
MALWARE: Malicious File Detected by GTI |
|
Palo Alto |
314124408 |
trojan/Win32 EXE.filecoder.aaj |
|
Palo Alto |
319404978 |
trojan/Win32 EXE.razy.aylw |
|
Palo Alto |
302292645 |
trojan/Win32 EXE.snatch.bq |
|
Palo Alto |
311480967 |
ransomware/Win32 EXE.xpaj.ezpe |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.
References
[1] "#StopRansomware: Snatch Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a.
[2] A. Brandt, "Snatch ransomware reboots PCs into Safe Mode to bypass protection," Sophos News, Dec. 09, 2019. Available: https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/.
