US security agencies release advisory on Snatch ransomware IOCs and TTPs, issue mitigation action

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published on Wednesday a joint Cybersecurity Advisory (CSA) that disseminates known ransomware IOCs and TTPs associated with the Snatch ransomware variant, identified through FBI investigations as recently as June 1, 2023. Critical infrastructure organizations have been urged to secure and closely monitor Remote Desktop Protocol (RDP), maintain offline backups of data, and enable and enforce phishing-resistant multi-factor authentication (MFA).

“Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations,” according to the advisory. “Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors.” 

Additionally, Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion, the agencies revealed. “After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.”

The FBI-CISA advisory detailed that Snatch first appeared in 2018, operates a ransomware-as-a-service (RaaS) model, and claimed its first U.S.-based victim in 2019. “Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode, enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.”

The advisory added that Snatch hackers have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. 

The agencies also disclosed that Snatch hackers employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in RDP for brute-forcing and gaining administrator credentials to victims’ networks. “In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces. Snatch threat actors gain persistence on a victim’s network by compromising an administrator account and establishing connections over port 443 to a command and control (C2) server located on a Russian bulletproof hosting service.”

They added that per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services. 
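The advisory's description of the initial access pattern (RDP brute-forcing of an administrator account from a bulletproof host or VPN exit, followed by a successful logon) maps directly onto Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP). The following detection logic is an added example written for this article, not code from the advisory or from the agencies; the event records, the IP addresses (RFC 5737 documentation ranges), the flat dictionary shape of each record and the five-failures-in-ten-minutes threshold are all constructed assumptions for illustration.

```python
"""Flag source IPs whose RDP logon succeeds shortly after a burst of RDP failures.

Added example, not from the FBI/CISA advisory. Records are constructed and
modelled on Windows Security Event IDs 4625 and 4624; the flat dict layout and
the threshold/window values are assumptions made for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive: Terminal Services / RDP

# Constructed sample events (not real victim telemetry).
EVENTS = [
    # 203.0.113.45: six failures against the built-in admin account, then a success
    {"time": "2023-05-30T02:10:01", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2023-05-30T02:11:20", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2023-05-30T02:12:05", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2023-05-30T02:13:33", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2023-05-30T02:15:02", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2023-05-30T02:17:10", "id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2023-05-30T02:18:44", "id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    # 198.51.100.7: a user who mistyped a password twice and then got in (below threshold)
    {"time": "2023-05-30T08:01:10", "id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"},
    {"time": "2023-05-30T08:01:25", "id": 4625, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"},
    {"time": "2023-05-30T08:01:40", "id": 4624, "logon_type": 10, "user": "jsmith", "src_ip": "198.51.100.7"},
    # 192.0.2.10: a clean RDP logon with no preceding failures
    {"time": "2023-05-30T09:00:00", "id": 4624, "logon_type": 10, "user": "ops-admin", "src_ip": "192.0.2.10"},
    # A network (type 3) failure from the attacker IP: not RDP, so not counted here
    {"time": "2023-05-30T02:16:00", "id": 4625, "logon_type": 3, "user": "administrator", "src_ip": "203.0.113.45"},
]


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: details} for sources with >= threshold RDP failures
    inside `window` immediately preceding a successful RDP logon."""
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of recent 4625s
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent_failures[ev["src_ip"]]
        while q and t - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if ev["id"] == 4625:
            q.append(t)
        elif ev["id"] == 4624 and len(q) >= threshold:
            hits[ev["src_ip"]] = {
                "user": ev["user"],
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "success_at": ev["time"],
            }
            q.clear()
    return hits


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(EVENTS).items():
        print(f"{ip}: {info['failures']} RDP failures then success as {info['user']} at {info['success_at']}")
```

In production the same logic runs over 4624/4625 records pulled from the domain controllers and RDP hosts; the window and threshold should be tuned to the environment, and a hit should be enriched with the source's ASN so that logons from hosting providers with no business relationship to the organization stand out, which is exactly the pattern the advisory describes.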

Snatch hackers were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate, the advisory revealed. “Snatch threat actors use sc[dot]exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc[dot]exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike. Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system.”

The FBI-CISA advisory added that within this timeframe, Snatch threat actors moved laterally across the victim’s network using RDP to achieve the largest possible ransomware deployment, searched for files and folders to exfiltrate, and then encrypted files.

During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software and run an executable as a file named safe[dot]exe or some variation thereof, the agencies observed. “In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection.” 
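Naming the dropped executable after its own SHA-256 defeats any rule that keys on a fixed filename, but it leaves a property that can itself be checked: the file's stem is a 64-character hex string equal to the hash of the file's bytes. The following check is an added example written for this article, not code from the advisory or the agencies; the constructed sample files (a placeholder payload, a decoy with a hex name that is not its own hash, and an ordinarily named file) are assumptions made so the example runs offline.

```python
"""Find files whose name is the SHA-256 of their own contents.

Added example, not from the FBI/CISA advisory. The sample files written by
build_constructed_sample() are constructed placeholders, not malware.
"""
import hashlib
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_self_hash_named(path):
    """True if the stem is 64 hex chars and equals the SHA-256 of the file's bytes."""
    stem, _ext = os.path.splitext(os.path.basename(path))
    if not HEX64.match(stem):
        return False  # cheap filter: only hash files that could match at all
    return sha256_of(path).lower() == stem.lower()


def scan_dir(root, extensions=(".exe", ".dll", ".bat", ".ps1")):
    """Return sorted paths under `root` (one level) that are named after their own hash."""
    hits = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isfile(path) and name.lower().endswith(extensions):
            if is_self_hash_named(path):
                hits.append(path)
    return sorted(hits)


def build_constructed_sample(root):
    """Write three constructed files and return the path of the hash-named one."""
    payload = b"MZ constructed stand-in for an executable; not real malware\n"
    digest = hashlib.sha256(payload).hexdigest()
    hash_named = os.path.join(root, digest + ".exe")
    with open(hash_named, "wb") as f:
        f.write(payload)
    # Decoy: hex name of the right length, but not the hash of its content.
    with open(os.path.join(root, "a" * 64 + ".exe"), "wb") as f:
        f.write(b"different bytes\n")
    # Ordinary name, same bytes as the payload: the name is the indicator, not the content.
    with open(os.path.join(root, "notepad.exe"), "wb") as f:
        f.write(payload)
    return hash_named


def run_demo():
    """Build the constructed sample in a temp dir and return what the scan found."""
    root = tempfile.mkdtemp(prefix="hashname-demo-")
    expected = build_constructed_sample(root)
    found = scan_dir(root)
    return {"root": root, "expected": expected, "found": found}


if __name__ == "__main__":
    out = run_demo()
    print("hash-named files:", out["found"])
```

A match is an indicator to triage, not proof of Snatch: some package caches and content-addressed stores legitimately name files by hash, so the hit should be combined with the file's location (user-writable paths, as in the advisory's safe[dot]exe observation), its signer, and the process that created it.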

Upon initiation, the advisory identified, the Snatch ransomware payload queries and modifies registry keys, uses various native Windows tools to enumerate the system, finds processes, and creates benign processes to execute Windows batch ([dot]bat) files. “In some instances, the program attempts to remove all the volume shadow copies from a system. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem,” it added.
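The host-side behaviour described in the two paragraphs above (sc[dot]exe used to stop, delete or reconfigure services, batch files spawned and then deleted, shadow copies removed, and a safe[dot]exe-style executable) is visible in process-creation telemetry such as Windows Security Event 4688 with command-line auditing enabled, or Sysmon Event 1. The triage rules below are an added example written for this article, not code from the advisory or the agencies. The records are constructed; the assumption that shadow copies are removed via vssadmin or wmic is mine (the advisory only says the copies are removed), as are the "user-writable path" list and the service names used in the samples.

```python
"""Triage constructed process-creation records for the Snatch TTPs described above.

Added example, not from the FBI/CISA advisory. Record fields mimic Event 4688
(NewProcessName, CommandLine, ParentProcessName); all values are constructed.
"""
import re

# Constructed sample records (not real victim telemetry).
PROCESS_EVENTS = [
    {"pid": 4312, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe stop WinDefend", "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4320, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe config WinDefend start= disabled", "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4388, "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc.exe query wuauserv", "parent": r"C:\Windows\System32\cmd.exe"},  # query only: benign
    {"pid": 4402, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 4410, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\Public\run.bat"', "parent": r"C:\Users\Public\safe.exe"},
    {"pid": 4455, "image": r"C:\Users\Public\safe.exe", "cmdline": "safe.exe", "parent": r"C:\Windows\explorer.exe"},
    {"pid": 4470, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Program Files\Vendor\update.bat"', "parent": r"C:\Windows\System32\svchost.exe"},  # vendor path: not flagged
    {"pid": 4480, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "parent": r"C:\Windows\System32\services.exe"},
]

# Each rule: (name, regex over the command line). Paths treated as user-writable are an assumption.
CMDLINE_RULES = [
    ("sc.exe service tampering",
     re.compile(r"(?:^|\\)sc(?:\.exe)?\s+(?:stop|delete|config|create)\b", re.I)),
    ("volume shadow copy removal",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("batch file launched from user-writable path",
     re.compile(r'cmd(?:\.exe)?\s+/c\s+"?(?:[a-z]:\\(?:users|programdata|windows\\temp)\\)[^"]*\.bat\b', re.I)),
]
# Executable name pattern from the advisory ("safe[dot]exe or some variation thereof").
SUSPECT_IMAGE = re.compile(r"\\safe[^\\]*\.exe$", re.I)


def triage(events):
    """Return [{pid, image, rule}] for every record matching a rule, in pid order."""
    hits = []
    for ev in sorted(events, key=lambda e: e["pid"]):
        matched = [name for name, rx in CMDLINE_RULES if rx.search(ev["cmdline"])]
        if SUSPECT_IMAGE.search(ev["image"]):
            matched.append("safe.exe-style executable")
        for rule in matched:
            hits.append({"pid": ev["pid"], "image": ev["image"], "rule": rule})
    return hits


def summarize(hits):
    """Count hits per rule, handy for seeing the whole pre-encryption sequence at once."""
    counts = {}
    for h in hits:
        counts[h["rule"]] = counts.get(h["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in triage(PROCESS_EVENTS):
        print(f"pid {h['pid']:>5}  {h['rule']:<45} {h['image']}")
    print(summarize(triage(PROCESS_EVENTS)))
```

None of these rules is conclusive on its own (administrators stop services and vendors ship batch installers), but the advisory describes them occurring together in a short span on the same host; correlating the hits by host and time window, and raising severity when shadow-copy removal follows service tampering, turns individually noisy signals into an early-stage ransomware alert.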

The security agencies called upon organizations to reduce the threat of malicious actors using remote access tools by auditing remote access tools on the network to identify currently used and/or authorized software. They must also review logs for execution of remote access software to detect abnormal use of programs running as a portable executable; use security software to detect instances of remote access software being loaded only in memory; require authorized remote access solutions to be used only from within the network over approved remote access solutions; and block both inbound and outbound connections on common remote access software ports and protocols at the network perimeter.

Organizations must also implement application controls to manage and control the execution of software, including allowlisting remote access programs; strictly limit the use of RDP and other remote desktop services; disable command-line and scripting activities and permissions; and review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts. They must also audit user accounts with administrative privileges and configure access controls according to the principle of least privilege (PoLP), reduce the threat of credential compromise, and implement time-based access for accounts.

In addition, the authoring authorities recommend network defenders apply mitigations to limit potential adversarial use of common system and network discovery techniques, and to reduce the impact and risk of compromise by ransomware or data extortion actors. They include implementing a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. 

They must also maintain offline backups of data and regularly maintain and test backup and restoration; require all accounts with password logins to comply with NIST password-policy standards; require phishing-resistant multi-factor authentication (MFA); segment networks to prevent the spread of ransomware; and identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.

Last October, industrial cybersecurity company Dragos reported observing LockBit 2.0, Conti, Snatch, Moses Staff, Midas Leaks, Pandora, and SunCrypt in the second quarter but not in the third quarter.

The U.S. Department of Homeland Security (DHS) published last week its 2024 Homeland Threat Assessment report that outlines that domestic and foreign adversaries will likely continue to target U.S. critical infrastructure, including the transportation sector, over the next year. It added that DVEs (domestic violent extremists) increasingly called for physical attacks on critical infrastructure this year, while foreign adversaries are exploring new technologies like AI (artificial intelligence) to improve their tactics.
