Free Trial
|
Login
Free Trial
Login
Platform
Platform
I want to
report
WHITEPAPER Picus Red Report 2025
white paper
DATASHEET Security Validation Platform
Use Cases
Use Cases
Frameworks
Group
WHITEPAPER Building a Robust Defense-in-Depth Strategy with Breach and Attack Simulation (BAS)
Paper Icons
E-BOOK An Introduction to Exposure Validation
Research
RESEARCH
LEARNING
whitepaper
Whitepaper Modernize Your SOC with Breach and Attack Simulation
report (1)
REPORT Blue Report: Effective Threat Exposure Management
Resources
RESOURCES
LEARNING
Group
WHITEPAPER Double Your Threat Blocking in 90 Days
Paper Icons
E-BOOK An Introduction to Exposure Validation
Company
COMPANY
PARTNERS
webinar
REGISTER NOW: Assessing Your Zero Trust Program with "Assume Breach" Mindset
Data sheet
DATASHEET The Pioneer of Breach & Attack Simulation
GET A DEMO
Huseyin Can YUCEEL | 0 MIN READ

LAST UPDATED ON SEPTEMBER 21, 2023

Snatch Ransomware Gang

By Huseyin Can YUCEEL & Picus Labs   August 22, 2022   Ransomware

Snatch ransomware is a stealthy malware that utilizes publicly available and built-in tools for its malicious activities. Since Windows does not often run endpoint protection mechanisms in Safe Mode, Snatch ransomware avoids detection by forcing infected hosts to reboot into Safe Mode. The Snatch ransomware group uses the double extortion method; accordingly, the payload is made of ransomware and data stealer components. Threat actors use automated brute-force attacks against vulnerable applications in the target organizations. Also, the Snatch ransomware operators also use their affiliate partners to gain initial access to corporate networks.
Metadata

Associated Groups

Affiliates - TA505

Associated Country

Russia

First Seen

December 2018

Target Countries

United Kingdom, United States
Modus Operandi

Business Models

Extortion

Initial Access Brokers (IABs)

Extortion Tactics

File Encryption

Data Leakage

Initial Access Methods

Phishing

Valid Accounts

Impact Methods

Data Encryption

Data Exfiltration
Utilized Tools and Malware by Snatch

MITRE ATT&CK Tactic

Tools

Initial Access

Metasploit Meterpreter

Execution

PsExec 

Cobalt Strike

Persistence

Reg.exe

Privilege Execution

dazzleUP 

PEASS-ng 

PowerUpSQL 

Watson 

Defence Evasion

IOBit Uninstaller

Process Hacker

Bcdedit

Discovery

arp 

Ditsnap 

Advanced Port Scanner

Lateral Movement

PsExec

Exflitration

Update_Collector.exe

Impact

vssadmin 

Snatch Ransomware (abcdex64.exe)

  • [1]     “Metasploit,” Metasploit. https://www.metasploit.com/ (accessed Jul. 06, 2022).

  • [2]     “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec (accessed Jul. 06, 2022).

  • [3]       K. Arhart, “Cobalt Strike,” Cobalt Strike Research and Development, Aug. 19, 2021. https://www.cobaltstrike.com/ (accessed Jul. 06, 2022).

  • [4]     S. Özarslan, “MITRE ATT&CK T1060 Registry Run Keys / Startup Folder.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1060-registry-run-keys-startup-folder (accessed Jul. 06, 2022).

  • [5]     P. Hacker, “Process Hacker.” https://processhacker.sourceforge.io (accessed Jul. 06, 2022).

  • [6]     H. C. Yüceel, “MITRE ATT&CK T1490 Inhibit System Recovery - The Ransomware’s Favorite.” https://www.picussecurity.com/resource/mitre-attck-t1490-inhibit-system-recovery-the-ransomwares-favorite (accessed Jul. 06, 2022).

  • [7]     “arp(8) - Linux manual page.” [Online]. Available: https://man7.org/linux/man-pages/man8/arp.8.html. [Accessed: Jul. 07, 2022]

  • [8]     “unixfreaxjp/ditsnap repository - Issues Antenna.” [Online]. Available: https://issueantenna.com/repo/unixfreaxjp/ditsnap. [Accessed: Jul. 07, 2022]

  • [9]     “Advanced Port Scanner – free and fast port scanner.” https://www.advanced-port-scanner.com (accessed Jul. 06, 2022).

  • [10]     A. Brandt, “Snatch ransomware reboots PCs into Safe Mode to bypass protection,” Sophos News, Dec. 09, 2019. [Online]. Available: https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/. [Accessed: Jul. 07, 2022]

  • [11]     F. Fkie, “Snatch (Malware Family).” [Online]. Available: https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch. [Accessed: Jul. 07, 2022]

Related Content

August 22, 2022   •   Ransomware

Conti Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

BlackCat Ransomware Gang

READ MORE

August 22, 2022   •   Ransomware

Vice Society Ransomware Group

READ MORE

August 22, 2022   •   Ransomware

Hive Ransomware Group

READ MORE

Table of Contents

Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
Emerging Threat Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
Learn More
CVE-2025-31324: SAP NetWeaver Remote Code Execution Vulnerability Explained
Emerging Threat CVE-2025-31324: SAP NetWeaver Remote Code Execution Vulnerability Explained
Learn More
cve-2025-32433-erlang
Emerging Threat CVE-2025-32433: Erlang/OTP SSH Remote Code Execution Vulnerability Explained
Learn More
CVE-2025-22457: Ivanti Remote Code Execution Vulnerability Explained
Emerging Threat CVE-2025-22457: Ivanti Remote Code Execution Vulnerability Explained
Learn More
IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
Emerging Threat IngressNightmare: Ingress NGINX Remote Code Execution Vulnerability Explained
Learn More
CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explained
Emerging Threat CVE-2025-29927: Next.js Middleware Bypass Vulnerability Explained
Learn More
Medusa Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-071A
Emerging Threat Medusa Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-071A
Learn More
Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-050A
Emerging Threat Ghost (Cring) Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-050A
Learn More
Microsoft Active Directory Domain Services CVE-2025-21293 Vulnerability Explained
Emerging Threat Microsoft Active Directory Domain Services CVE-2025-21293 Vulnerability Explained
Learn More