Snatch, a data extortion group also previously named Truniger after the group’s founder, has been named as a ransomware operation to watch by the U.S. Cybersecurity and Infrastructure Security Administration (CISA) and by the Federal Bureau of Investigation (FBI). The group works with many partners and affiliates, with their primary goal being financial gain via data leaks.
Over the last couple of years, Snatch has demonstrated a consistent ability to evolve its tactics, taking advantage of emerging trends within the cybercriminal landscape and drawing lessons from the successes of various ransomware strains.
During this period, the threat group has focused its attention on several critical infrastructure sectors, including Information Technology, Food and Agriculture, and the Defense Industrial Base sector. Let’s take a look at Snatch’s tactics and techniques, as well as recommendations on how organizations can protect themselves from this kind of threat actor.
Snatch, which emerged in 2018, operates under a ransomware-as-a-service (RaaS) model but focuses on data extortion more than on deploying ransomware. The group uses a sophisticated approach to extorting victims by combining data theft with encryption. At times Snatch encrypts files, but the group also exfiltrates sensitive data, increasing the pressure on victims to pay a ransom. The group behind Snatch, known as "Snatch Team," leverages various tools and techniques to achieve its objectives, demonstrating a high level of technical sophistication.
According to intel provided by RedSense, Snatch is a long-standing threat group that has been under surveillance by RedSense analysts since 2019, operating under the moniker "truniger." This alias includes Russian-speaking actors primarily engaged as access brokers on the underground forum called “exploit[.]in.” Following its notable April 2019 attack on the German IT services firm CityComp, the group has consistently evolved over the past four years.
Image 1: Truniger's Original Exploit Profile (Source: RedSense)
One of the distinguishing features of Snatch is its use of Safe Mode to bypass traditional endpoint protection mechanisms. By forcing infected Windows machines to reboot into Safe Mode, Snatch bypasses security software that typically remains inactive in this mode. This tactic highlights the adaptability and ingenuity of the threat actors behind Snatch, who continuously innovate to evade detection and maximize the impact of their attacks.
In addition to its technical capabilities, Snatch is known for its aggressive tactics, including victim shaming through the publication of stolen data on both clearnet and dark web platforms. This tactic aims to pressure organizations into paying the ransom by threatening to expose sensitive information to the public. The combination of data theft, encryption, and public shaming makes Snatch a threat that organizations must actively defend against.
In the summer of 2019, Snatch carried out a series of significant attacks, initially identified by analysts at RedSense. These attacks included the sale of 36 devices from a Canadian KIA dealership for $3000 USD, as well as unauthorized access to 170 devices within an Italian network of healthcare clinics, along with 13 GB of associated data.
Snatch facilitated the compromise of these victims' data and initial access privileges through the Exploit forum. According to information shared by users on Exploit, the leaked data, offered for free, contained copies of insurance checks, bank transfer details, and personally identifiable information (PII) of numerous Italian citizens.
RedSense researchers began to observe early patterns in the group's target verticals, notably Entertainment, Government, and Insurance sectors. The group's victims were spread across various countries, including Italy, Canada, Israel, Japan, Poland, France, China, and Australia.
On June 8, 2019, the group advertised Remote Desktop Protocol (RDP) access on the forum, targeting the Municipal Government of an unnamed Italian city.
In December 2019, Snatch was reported to be using a new ransomware variant which reboots the devices it infects into Windows Safe Mode to disable antivirus (AV) solutions. This variant also encrypts files immediately once the system loads. Although this is still sometimes reported erroneously in the news as Snatch’s primary attack methodology, encryption-based malware is no longer being used by the group.
In the summer of 2020, despite a relative lack of communication from the group, more incidents involving Snatch ransomware attacks surfaced. Snatch reverted to using RDP brute-forcing as their initial method of attack. They then swiftly progressed from this initial breach to deploying a Meterpreter reverse shell and RDP proxy on a Domain Controller, allowing them to encrypt all victim systems in less than five hours.
Throughout 2021, Snatch remained largely inactive, with only sporadic incidents involving the group being documented. However, in November 2021, the group garnered attention when they were mentioned in an FBI advisory alongside other threat groups targeting Native American tribal entities since 2016, including REvil, Bitpaymer, Ryuk/Conti, and Cuba.
Towards the end of 2021, on December 21st, Snatch reappeared in the spotlight after claiming responsibility for an attack on the automotive company Volvo, resulting in the theft of research and development data. Throughout 2022, Snatch was linked to several new ransomware variants. Despite being primarily focused on extortion, the frequency of their attacks remained limited.
Snatch emerged from a period of dormancy starting January 15, 2023. Between then and April, they targeted only one additional victim, the French aerospace company Hemeria, on February 17, 2023. Their activity was sporadic, and they nearly lost access to their Telegram channel several times due to prolonged periods of inactivity.
On April 6, 2023, Snatch appeared to be collaborating with the alleged Chinese APT group Nokoyawa, according to RedSense's investigation. This suspicion arises from private chats referencing a partnership and from overlapping victims featured on both groups' public blogs. Notably, Snatch targeted critical infrastructure entities (Information Technology, Food and Agriculture, and the Defense Industrial Base sectors), a departure from its usual strategy.
Despite a brief hiatus in May 2023, Snatch returned aggressively, targeting new victims, and retroactively documenting past attacks. The group's approach now includes publicly exposing victim information to pressure for ransom payments.
Snatch uses a variety of tactics and techniques to infiltrate and compromise target networks. The initial attack vector often involves brute-force attacks against vulnerable services such as RDP allowing the threat actors to gain unauthorized access to network resources. Once inside the network, Snatch utilizes privilege escalation techniques to obtain administrative credentials and move laterally across the environment.
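The RDP brute-force initial access described in the 2020 incidents and in the paragraph above leaves a characteristic trail in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same source. The following detection logic is an added example written for this article, not code from Snatch, RedSense or Avertium; the event records are constructed sample data, and the threshold and window values are assumptions a defender would tune to their environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (not taken from the article):
# (timestamp, event_id, logon_type, source_ip, account)
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2023-09-01T02:00:00", 4625, 10, "203.0.113.7", "administrator"),
    ("2023-09-01T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2023-09-01T02:00:06", 4625, 10, "203.0.113.7", "backup"),
    ("2023-09-01T02:00:09", 4625, 10, "203.0.113.7", "administrator"),
    ("2023-09-01T02:00:12", 4625, 10, "203.0.113.7", "svc_sql"),
    ("2023-09-01T02:00:15", 4625, 10, "203.0.113.7", "jsmith"),
    ("2023-09-01T02:00:40", 4624, 10, "203.0.113.7", "jsmith"),   # success after the burst
    ("2023-09-01T02:10:00", 4625, 10, "198.51.100.20", "mjones"), # a single typo, benign
    ("2023-09-01T02:10:30", 4624, 10, "198.51.100.20", "mjones"),
    ("2023-09-01T03:00:00", 4625, 3, "192.0.2.55", "administrator"),  # network logon, not RDP
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources whose RDP (logon type 10) failures reach `threshold` inside any
    `window`, and list accounts that logged in over RDP from that source after the
    burst began (a likely compromised credential).

    Returns {source_ip: {"failures": total_failures, "compromised_accounts": [...]}}.
    `threshold` and `window` are assumed tuning values, not figures from the article.
    """
    by_src = defaultdict(list)
    for ts, event_id, logon_type, src, account in events:
        if logon_type == 10:
            by_src[src].append((datetime.fromisoformat(ts), event_id, account))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [t for t, event_id, _ in evs if event_id == 4625]

        # Sliding window over the sorted failure timestamps.
        burst_start = None
        left = 0
        for right, t in enumerate(fails):
            while t - fails[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                burst_start = fails[left]
                break
        if burst_start is None:
            continue

        compromised = sorted({acct for t, event_id, acct in evs
                              if event_id == 4624 and t >= burst_start})
        findings[src] = {"failures": len(fails), "compromised_accounts": compromised}
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} RDP failures; "
              f"successful logons after burst: {info['compromised_accounts'] or 'none'}")
```

A hit with a non-empty `compromised_accounts` list is the case to escalate first, since it matches the pattern in the 2020 incidents where the brute-forced session was followed within hours by tooling on a Domain Controller.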
To maximize the impact of their attacks, Snatch conducts extensive reconnaissance to identify high-value targets and critical data repositories within the victim's network. This reconnaissance phase may involve the exfiltration of sensitive information to assess its value and potential for extortion. By understanding the network topology and security posture of the victim organization, Snatch can tailor its attack strategy for maximum effectiveness.
In addition to data theft, Snatch will sometimes use encryption to render critical files and systems inaccessible to the victim. The ransomware payload is designed to encrypt files using strong cryptographic algorithms, making it virtually impossible to recover data without the decryption key. To further complicate recovery efforts, Snatch may also delete Volume Shadow Copies and other backup mechanisms, preventing victims from restoring their files from backup.
Throughout the attack lifecycle, Snatch threat actors maintain persistence on compromised systems to ensure continued access and control. This may involve the installation of backdoors or remote access tools, allowing the threat actors to re-establish a foothold in the event of detection or remediation efforts by the victim organization. By maintaining persistence, Snatch can prolong its presence within the victim's network and continue its extortion activities over an extended period.
To evade detection and hinder forensic analysis, Snatch ransomware uses various evasion and obfuscation techniques. This includes the use of legitimate system administration tools and techniques, such as PowerShell and Windows Management Instrumentation (WMI), to blend in with normal network traffic and avoid detection by security solutions. Additionally, Snatch may employ anti-analysis measures to thwart reverse engineering attempts and hinder the development of effective countermeasures by security researchers and vendors.
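Several of the behaviours described on this page (the Safe Mode reboot, deletion of Volume Shadow Copies, and living off the land with PowerShell and WMI) all surface as process command lines, so one process-creation rule set covers them. The example below is added for this article and is not code from Snatch, RedSense or Avertium; the process records are constructed samples, and the assumption is that the Safe Mode reboot is staged by changing the boot configuration with `bcdedit`'s `safeboot` value, which is the standard way to make Windows boot into Safe Mode.

```python
import re

# Constructed Sysmon-style process creation records (Event ID 1), not from the article:
# (host, command_line)
SAMPLE_PROCESSES = [
    ("WS-0421", "bcdedit /set {current} safeboot minimal"),
    ("FS01",    "vssadmin delete shadows /all /quiet"),
    ("FS01",    "wmic shadowcopy delete"),
    ("WS-0421", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ("DC01",    'wmic /node:FS01 process call create "cmd.exe /c whoami"'),
    ("WS-0018", "bcdedit /enum"),            # benign: read-only boot config query
    ("FS01",    "vssadmin list shadows"),    # benign: listing, not deleting
]

# Each rule: (name, regex over the command line). Word boundaries keep the
# patterns from matching inside unrelated arguments.
RULES = [
    # Safe Mode staging (page: Snatch forces a reboot into Safe Mode so AV stays inactive)
    ("safe_mode_boot_change",
     re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I)),
    # Backup destruction (page: Snatch may delete Volume Shadow Copies)
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b|\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    # Living off the land (page: PowerShell used to blend in); encoded commands hide the script
    ("encoded_powershell",
     re.compile(r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    # Living off the land (page: WMI); remote process creation on another host
    ("wmi_remote_process_create",
     re.compile(r"\bwmic\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
]


def classify(command_line):
    """Return the names of every rule the command line matches (empty list if none)."""
    return [name for name, rx in RULES if rx.search(command_line)]


def scan(processes):
    """Run the rules over process records; return (rule, host, command_line) hits in order."""
    hits = []
    for host, cmd in processes:
        for name in classify(cmd):
            hits.append((name, host, cmd))
    return hits


if __name__ == "__main__":
    for rule, host, cmd in scan(SAMPLE_PROCESSES):
        print(f"[{rule}] {host}: {cmd}")
```

The read-only `bcdedit /enum` and `vssadmin list shadows` records are included deliberately: a rule that fires on the binary name alone would page on routine administration, whereas these patterns key on the state-changing verbs. A single `safe_mode_boot_change` hit on a workstation outside a maintenance window is worth treating as an incident on its own, since there is little legitimate reason for user endpoints to be reconfigured into Safe Mode.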
Snatch runs a victim shaming website on both the clearnet and the dark web, publicly disclosing stolen data and ransom demands to pressure victims into paying. They also engage victims through email and Tox for ransom negotiations and extortion.
Operating on the Tor network allows Snatch to hide their activities from law enforcement, as their dark web site conceals their identities and locations. In addition to the dark web, Snatch uses encrypted platforms like Telegram for secure communication, aiding in evading detection during ransom negotiations and extortion attempts.
At the end of 2023, the Kraft Heinz Company investigated claims made by Snatch regarding the theft of internal data, although the company stated that its systems were functioning normally. Snatch allegedly breached Kraft Heinz's IT infrastructure in August 2023 but did not specify the data obtained.
While the extent of the cyberattack remained unconfirmed, the gang employed double-extortion tactics, encrypting systems and threatening to leak or sell the stolen data unless a ransom was paid. During this time, the FBI issued warnings about Snatch's tactics. Recent victims included the Florida Department of Veterans Affairs and Modesto, California.
As of now, Snatch does not explicitly identify itself as a ransomware group, despite using a blend of ransomware tactics and data exfiltration. It's possible that the group is setting the stage for a ransomware-as-a-service collective to be an umbrella for all their extortion activities. Therefore, attributing a particular malware or ransomware to the group, or classifying it as a ransomware group, remains challenging.
To effectively safeguard data from Snatch and mitigate the risk of a threat actor leveraging remote access tools, organizations need to prioritize cybersecurity best practices:
Best Practices to follow:
It’s important to get ahead of the curve by being proactive with protecting your organization, instead of waiting to put out a massive fire. Avertium can provide the following services to help keep your organization safe from Snatch Ransomware:
SHA256
Domain
RedSense Intelligence Operations (2023). Snatch/Snatch Team: Threat Actor Profile [pdf document]. Retrieved from Yelisey Bohuslavskiy, February 21, 2024, Snatch Ransomware
joint-cybersecurity-advisory-stopransomware-snatch-ransomware_0.pdf (cisa.gov)
‘Snatch’ Ransom Group Exposes Visitor IP Addresses – Krebs on Security
A Closer Look at the Snatch Data Ransom Group – Krebs on Security
Kraft Heinz downplays Snatch ransomware crew's claims • The Register
Snatch ransomware reboots PCs into Safe Mode to bypass protection – Sophos News
Snatch ransomware - what you need to know | Tripwire
Dark Web Profile: Snatch Ransomware - SOCRadar® Cyber Intelligence Inc.
Snatch gang ‘consistently evolved’ in targeting multiple industries, feds say (therecord.media)
Critical Infrastructure Organizations Warned of Snatch Ransomware Attacks - SecurityWeek
US Government in Snatch Ransomware Warning - Infosecurity Magazine (infosecurity-magazine.com)
Snatch Ransomware Group Targeting Numerous Industries (speartip.com)
Snatch Ransomware Explained - CISA Alert AA23-263A (picussecurity.com)
Snatch Ransomware Reboots PCs into Safe Mode - AlienVault - Open Threat Exchange
FBI, CISA Issue Joint Warning on 'Snatch' Ransomware-as-a-Service (darkreading.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.