InfrastructureIntelligenceNational DefenseNational SecurityOSINTTerrorism

Critical Infrastructure Organizations Warned of Ransomware Attacks

The FBI and the cybersecurity agency CISA on Wednesday published an advisory warning critical infrastructure organizations of ongoing Snatch ransomware attacks.

Active since 2018, Snatch is offered under the ransomware-as-a-service (RaaS) model, and has been targeting organizations in the United States since 2019. Since November 2021, the group has been operating a leaks site, where it threatens to publish stolen data unless a ransom is paid.

Initially called Team Truniger and likely associated with GandCrab, the Snatch ransomware group has been observed purchasing data stolen by other hacking groups, to further extort victims.

The Snatch group, the FBI and CISA’s advisory explains, typically exploits remote desktop protocol (RDP) vulnerabilities for initial access, but was also seen acquiring compromised credentials from cybercrime forums.

The group uses compromised administrator credentials for persistent access to victims’ networks, and establishes command-and-control (C&C) communication over HTTPS. The C&C server, the two agencies say, is hosted by a Russian bulletproof hosting service.

Prior to ransomware deployment, the Snatch threat actors spend up to three months on victims’ networks, searching for valuable data to exfiltrate and identifying systems they can encrypt. They also attempt to disable security software.

Once executed, the Snatch ransomware modifies registry keys, enumerates the system, searches for specific processes, and creates benign processes to execute various batch files. In some cases, it also attempts to delete volume shadow copies.

From The Shadows Emerges Knowledge