Decrypting Snatch ransomware and its cyber ramifications

September 27, 2023

A cyber threat known as Snatch ransomware has been causing concern worldwide. This malicious software, which first emerged in 2018, operates under a Ransomware-as-a-Service (RaaS) model and poses a danger to individuals and organisations alike.

Snatch reached the United States in 2019, when it claimed its first victim organisation in the country.

Investigations show that Snatch ransomware reboots infected devices into Safe Mode. Because fewer services run in Safe Mode, including many antivirus and endpoint protection agents, the ransomware can encrypt files with less chance of being detected or blocked.


Snatch ransomware goes beyond simple encryption.


The criminals behind the ransomware strain have been observed buying data stolen in other ransomware attacks. They use this stolen information as leverage, pressuring victims to pay the ransom to prevent their data from being published on Snatch’s extortion website.

Since November 2021, a website operating under the name ‘Snatch’ has served as a hub for data stolen from victim companies. However, in August 2023 individuals associated with the blog denied any links to Snatch ransomware, despite evidence suggesting otherwise.

These cybercriminals infiltrate and hide within a victim’s network, most often by exploiting weaknesses in Remote Desktop Protocol (RDP) and brute-forcing administrator credentials. Sometimes they also obtain compromised credentials from criminal online forums.

Once inside a network, the actors establish connections over port 443 to a command and control (C2) server. Recent investigations have shown that these connections originated from a Russian bulletproof hosting service and from various virtual private network (VPN) services.

Before deploying the ransomware, they spend up to three months inside a victim’s environment. During this time they explore the network, moving laterally over RDP and searching for valuable files and folders to steal.

To carry out their attacks, they use tools such as sc.exe, Metasploit, and Cobalt Strike. These tools help them manipulate system services and locate valuable data to exfiltrate before encrypting files.

To avoid detection, Snatch ransomware actors employ several tactics. They attempt to disable antivirus software during the initial stages of the attack. They also name the ransomware executable with a string of random-looking letters and digits that matches a fixed code value, making it harder to identify by name.

Once the ransomware is launched, it modifies certain system settings, uses standard Windows tools to explore the system, and spawns otherwise benign processes to run its commands. It also attempts to delete backup copies of the victim’s files.
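The behaviours described above (a Safe Mode reboot, service manipulation with sc.exe, deletion of backups, and a hash-like executable name) are all visible in process-creation telemetry. The following detection sketch is an added example, not part of the original article: it runs simple rules over constructed Windows process-creation events. The specific bcdedit, vssadmin and sc.exe command lines are assumed examples of how those behaviours commonly appear, not commands taken from the article.

```python
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    parent: str    # parent process image name
    image: str     # created process image name
    cmdline: str   # full command line as logged

# Constructed sample events in a Security 4688 / Sysmon Event 1 style (not real telemetry).
# The command lines are assumed illustrations of the article's behaviours, not observed IoCs.
SAMPLE_EVENTS = [
    ProcEvent("cmd.exe", "bcdedit.exe", "bcdedit /set {default} safeboot minimal"),
    ProcEvent("cmd.exe", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("cmd.exe", "sc.exe", "sc.exe config WinDefend start= disabled"),
    ProcEvent("explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
    ProcEvent("cmd.exe", "3f2a9c1e8b7d4a6f0c5e2b1d9a8f7e6c.exe",
              "C:\\Users\\Public\\3f2a9c1e8b7d4a6f0c5e2b1d9a8f7e6c.exe"),
    ProcEvent("cmd.exe", "sc.exe", "sc.exe query WinDefend"),   # benign query, must not fire
]

# Each rule: (label, image regex, command-line regex); both must match, case-insensitively.
RULES = [
    ("safe_mode_boot",  r"^bcdedit(\.exe)?$",          r"\bsafeboot\b"),
    ("shadow_copy_del", r"^(vssadmin|wmic)(\.exe)?$",  r"delete\s+shadows|shadowcopy\s+delete"),
    ("service_tamper",  r"^sc(\.exe)?$",               r"\b(stop|delete)\b|\bconfig\b.*start=\s*disabled"),
    ("hash_named_exe",  r"^[0-9a-f]{32,64}\.exe$",     r"."),   # 32-64 hex chars, like a digest
]

def classify(event: ProcEvent) -> list[str]:
    """Return the labels of every rule the event trips (empty list if none)."""
    hits = []
    for label, image_re, cmd_re in RULES:
        if re.search(image_re, event.image, re.I) and re.search(cmd_re, event.cmdline, re.I):
            hits.append(label)
    return hits

def scan(events) -> dict[str, list[ProcEvent]]:
    """Group flagged events by rule label; a host tripping several labels deserves triage."""
    flagged: dict[str, list[ProcEvent]] = {}
    for ev in events:
        for label in classify(ev):
            flagged.setdefault(label, []).append(ev)
    return flagged

if __name__ == "__main__":
    for label, evs in scan(SAMPLE_EVENTS).items():
        for ev in evs:
            print(f"[{label}] parent={ev.parent} cmd={ev.cmdline}")
```

In practice the same rules would be fed from a SIEM or EDR process-creation stream, and a Safe Mode boot change followed by shadow copy deletion on one host is a strong pre-encryption signal worth an immediate isolation decision.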

To communicate with victims, Snatch uses email and the Tox messaging platform, leaving contact details in ransom notes or on its extortion blog. Previous victims have reported receiving phone calls from a person claiming to be linked to Snatch and directing them to the extortion website.

Snatch ransomware is a serious threat. Organisations and individuals alike are advised to stay alert, apply strong security controls, and keep their systems updated to reduce the risk posed by this ransomware strain.
