Enter Snatch: A ransomware-as-a-service (RaaS) operation
They've been active since 2018 and are back in the spotlight this week.
This threat actor has been attacking various critical infrastructure sectors, including IT, the US defense industrial base, and even the food and agriculture vertical. Recent attacks, as of June, have raised alarms. Snatch is known for adapting its tactics and leveraging other ransomware variants’ successes, even purchasing stolen data to pressure victims into paying ransoms.
One standout feature of Snatch is its ability to force Windows systems to reboot into Safe Mode during attacks, so that files are encrypted while most antivirus and endpoint protection tools are not running. It’s a technique that bypasses endpoint security controls, a trick they’ve been using since late 2019.
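A defender-side check for the Safe Mode trick described above, added here as an example and not taken from the article or the advisory: the script inspects the active boot entry for a safeboot flag and lists the services allow-listed for Safe Mode, so an unexpected change can be spotted before the reboot happens. It assumes an elevated PowerShell session on Windows (bcdedit requires administrator rights); the function names are ours.

```powershell
# Added example (not from the article or the advisory): report whether the
# current Windows boot entry has been configured to start in Safe Mode.
# Assumes an elevated PowerShell session on Windows; bcdedit needs admin rights.
function Test-SafeBootConfigured {
    # bcdedit /enum {current} prints the active boot entry. A line beginning
    # with "safeboot" means the next reboot enters Safe Mode (Minimal or Network).
    $output = & bcdedit.exe /enum '{current}' 2>$null
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed; run this from an elevated prompt"
    }
    $line = $output | Where-Object { $_ -match '^\s*safeboot\s+' } | Select-Object -First 1
    if ($line -and $line -match '^\s*safeboot\s+(\S+)') {
        return [pscustomobject]@{ SafeBootSet = $true; Mode = $Matches[1] }
    }
    return [pscustomobject]@{ SafeBootSet = $false; Mode = $null }
}

# Windows only starts services and drivers registered under these SafeBoot keys
# while in Safe Mode. A baseline of these entries lets you spot a newly added one,
# which is how a tool that wants to keep running in Safe Mode would be registered.
function Get-SafeBootServiceEntries {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    foreach ($mode in 'Minimal', 'Network') {
        $path = Join-Path $base $mode
        if (Test-Path $path) {
            Get-ChildItem $path | ForEach-Object {
                [pscustomobject]@{ Mode = $mode; Entry = $_.PSChildName }
            }
        }
    }
}

$result = Test-SafeBootConfigured
if ($result.SafeBootSet) {
    Write-Warning "Current boot entry is set to Safe Mode ($($result.Mode)); find out who set it and when."
} else {
    Write-Output "No safeboot flag on the current boot entry."
}

# Print the allow-list so it can be diffed against a known-good baseline.
Get-SafeBootServiceEntries | Format-Table -AutoSize
```

Run it periodically (or from an EDR script task) and compare the SafeBoot entries against a baseline captured from a clean build; a safeboot flag on a server that nobody scheduled for maintenance is worth an immediate look, since the reboot that follows is the point at which endpoint protection stops watching.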
Like other ransomware groups, Snatch encrypts data and exfiltrates sensitive information, often threatening to leak or sell it if ransoms aren’t paid. They’re also known to purchase data from other ransomware gangs, escalating the pressure on victims.
Snatch’s typical entry points include weaknesses in Remote Desktop Protocol (RDP) and stolen or bought credentials. Once inside a network, they can spend months navigating it, employing a mix of legitimate and malicious tools. Notable mentions include Metasploit and Cobalt Strike.
John Shier of Sophos notes a resurgence in Snatch activity aligned with indicators of compromise (IoCs) mentioned in the advisory. However, not all IoCs are unique to Snatch, making a swift response to any observed IoC critical.
Nick Hyatt of Optiv points out that Snatch’s primary focus is currently North America, with a spike in attacks observed between July 2022 and June 2023, totaling 70 across various verticals.
Snatch is currently the most active group in North America.