Feds Warn About Snatch Ransomware

US Agency Advisory Sheds Light on the Group’s Activities

The Snatch ransomware group is targeting a wide range of critical infrastructure sectors, including the defense industrial base, food and agriculture, and information technology sectors, according to a new alert issued by U.S. authorities.

The group first appeared in 2018 and operates on a ransomware-as-a-service model, conducting operations involving data exfiltration and double extortion.

A joint advisory from the Cybersecurity and Infrastructure Security Agency and the FBI on Wednesday said that the group was earlier referred to as Team Truniger, based on the nickname of a key group member, Truniger, who operated as a GandCrab affiliate (see: Alleged GandCrab Distributor Arrested in Belarus).

Snatch threat actors employ different methods to gain access to and maintain persistence on a victim's network. Their affiliates primarily rely on brute-forcing Remote Desktop Protocol to obtain administrator credentials for victims' networks.

In some instances, Snatch affiliates have sought out compromised credentials from criminal forums or marketplaces and gained persistence on a victim’s network by compromising an administrator account and establishing connections over HTTPS to a command-and-control server located on a Russian bulletproof hosting service.
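The two access patterns above (RDP brute force against administrator accounts, and persistence through a compromised administrator account) leave a recognisable trace in Windows Security logs: a burst of failed RemoteInteractive logons from one source followed by a success. The following detection sketch is an added example, not from the advisory, and runs over constructed sample records rather than real event data; the simplified one-line record format and the threshold of five failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security events, simplified to one line each
# (not real logs). 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
4625 LogonType=10 Src=203.0.113.7 Account=administrator
4625 LogonType=10 Src=203.0.113.7 Account=administrator
4625 LogonType=10 Src=203.0.113.7 Account=admin
4625 LogonType=10 Src=203.0.113.7 Account=administrator
4625 LogonType=10 Src=203.0.113.7 Account=administrator
4624 LogonType=10 Src=203.0.113.7 Account=administrator
4625 LogonType=10 Src=198.51.100.9 Account=jsmith
4624 LogonType=10 Src=198.51.100.9 Account=jsmith
4624 LogonType=2 Src=192.0.2.5 Account=jsmith
"""

LINE_RE = re.compile(r"^(\d{4}) LogonType=(\d+) Src=(\S+) Account=(\S+)$")


def parse_events(text):
    """Yield (event_id, logon_type, source_ip, account); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def find_rdp_bruteforce(events, threshold=5):
    """Return {source_ip: [accounts]} for sources that produced at least
    `threshold` failed RDP logons and then an RDP success: the brute-force-
    then-login pattern described for Snatch affiliates."""
    failures = defaultdict(int)
    hits = defaultdict(set)
    for event_id, logon_type, src, account in events:
        if logon_type != 10:
            continue  # only RDP (RemoteInteractive) logons are of interest here
        if event_id == 4625:
            failures[src] += 1
        elif event_id == 4624 and failures[src] >= threshold:
            hits[src].add(account)
    return {src: sorted(accts) for src, accts in hits.items()}


if __name__ == "__main__":
    for src, accounts in find_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"possible RDP brute force from {src}: success as {', '.join(accounts)}")
```

A single failure followed by a success (the 198.51.100.9 records) is ordinary user behaviour and is not flagged at the default threshold; non-RDP logons are ignored regardless of count.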

The group also used previously stolen data bought from other ransomware actors to harass victims into paying extortion by threatening to release the data on its leak site.

Snatch uses different tactics, techniques and procedures to…