Ransomware Nightmare: FBI and CISA Issue Dire Warning on Menacing New Strain

In an urgent warning, FBI and CISA shed light on the evolving tactics and high-profile victims of the Snatch ransomware strain.

In a security advisory, the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security and the Federal Bureau of Investigation (FBI) have warned organizations about attacks by the Snatch ransomware.

The advisory is part of the two agencies' #StopRansomware campaign, in which they describe the tactics, techniques, and procedures (TTPs) of currently active and disruptive ransomware operations, along with indicators of compromise (IOCs), so that organizations can put protective measures in place against these threats.

By sharing this information, the agencies hope to improve organizations' protection against these threats. Although Snatch first appeared sometime in 2018, the data the agencies provide is relatively recent, with some of the investigations it draws on dating back to early June of this year.

The advisory describes the ransomware-as-a-service model, in which the encryptor and the delivery infrastructure are rented out to different groups of threat actors. Researchers have found that Royal ransomware is run by a group of highly experienced threat actors who previously worked for the notorious Conti cybercrime gang.

They began using their own custom-made file encryption program after September 2022, and their activity increased after that. Once they have gained access to a computer, the attackers disable anti-virus software, exfiltrate a large volume of data, and encrypt the data, then demand a large ransom.

The group asks for ransoms ranging from $100,000 to tens of millions of dollars after an attack has taken place. As part of its callback phishing attacks, Royal ransomware also uses social engineering to enter the victim's corporate network: posing as a legitimate software provider or a food delivery service, it gets the victim to download remote access software. Additional pressure is then exerted on victims by using their compromised Twitter accounts to reveal details of the attack to journalists and news outlets.

Techniques Have Evolved 

Snatch threat actors have "consistently" evolved their tactics, but broadly follow what most ransomware operators do: they exfiltrate sensitive data and encrypt it, then demand payment both for the decryption key and for not publishing the stolen data on the dark web.

In December 2019, a version of Snatch was discovered that causes infected computers to restart in Safe Mode, allowing it to bypass installed security solutions. Security researchers from the Sophos Managed Threat Response team and SophosLabs, who discovered this version, said they were unable to stop the encryption of files, since security tools do not run in Safe Mode, which allowed Snatch to continue encrypting files.
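The Safe Mode trick above leaves a recognisable trail on the host: reaching Safe Mode normally takes a boot-configuration change (bcdedit) followed by a reboot, and a program that wants to keep running there has to be registered under the SafeBoot registry keys. The following script is an added example, not code from the advisory or from Sophos. It runs two stateless rules and one correlation rule over constructed Sysmon-style events; the field names, host names, timestamps and the ExampleSvc service name are all made up for illustration and match no real telemetry.

```python
"""Detect Safe Mode boot abuse in Sysmon-style process and registry events (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample telemetry in a Sysmon-like shape: EventID 1 = process creation,
# EventID 13 = registry value set. Hosts, times and the service name are invented.
SAMPLE_EVENTS: List[Dict] = [
    {"UtcTime": "2023-06-01T02:10:05", "Host": "ws01", "EventID": 1,
     "Image": r"C:\Windows\System32\bcdedit.exe", "CommandLine": "bcdedit /enum"},
    {"UtcTime": "2023-06-01T02:11:40", "Host": "ws01", "EventID": 13,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc\(Default)",
     "Details": "Service"},
    {"UtcTime": "2023-06-01T02:12:02", "Host": "ws01", "EventID": 1,
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {current} safeboot minimal"},
    {"UtcTime": "2023-06-01T02:12:09", "Host": "ws01", "EventID": 1,
     "Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown /r /f /t 0"},
    # A routine scheduled reboot on another host: must not fire the correlation rule.
    {"UtcTime": "2023-06-01T09:00:00", "Host": "ws02", "EventID": 1,
     "Image": r"C:\Windows\System32\shutdown.exe", "CommandLine": "shutdown /r /t 300"},
]

# Services listed under these keys are started in Safe Mode (Minimal or with networking).
SAFEBOOT_KEY_RE = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.IGNORECASE)
SAFEBOOT_ARG_RE = re.compile(r"\bsafeboot\b", re.IGNORECASE)
REBOOT_ARG_RE = re.compile(r"(^|\s)[/-]r(\s|$)", re.IGNORECASE)
REBOOT_WINDOW = timedelta(minutes=10)  # reboot this soon after a safeboot change is suspicious


@dataclass
class Finding:
    host: str
    rule: str
    severity: str
    detail: str


def _image_name(event: Dict) -> str:
    """Base name of the executable, lower-cased, from a Windows path."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


def check_event(event: Dict) -> Optional[Finding]:
    """Stateless per-event rules: bcdedit safeboot changes and SafeBoot service registration."""
    host = event.get("Host", "?")
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        if _image_name(event) == "bcdedit.exe" and SAFEBOOT_ARG_RE.search(cmd):
            return Finding(host, "safeboot_configured", "high", cmd)
    elif event.get("EventID") == 13:
        target = event.get("TargetObject", "")
        if SAFEBOOT_KEY_RE.search(target):
            return Finding(host, "safeboot_service_registered", "medium", target)
    return None


def scan(events: List[Dict]) -> List[Finding]:
    """Apply the per-event rules, then correlate a safeboot change with a forced reboot on the same host."""
    findings: List[Finding] = []
    last_safeboot: Dict[str, datetime] = {}  # host -> time safeboot was last configured
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts = datetime.fromisoformat(ev["UtcTime"])
        finding = check_event(ev)
        if finding:
            findings.append(finding)
            if finding.rule == "safeboot_configured":
                last_safeboot[finding.host] = ts
        # A reboot shortly after the boot configuration was switched to Safe Mode.
        if (ev.get("EventID") == 1 and _image_name(ev) == "shutdown.exe"
                and REBOOT_ARG_RE.search(ev.get("CommandLine", ""))):
            t0 = last_safeboot.get(ev.get("Host", "?"))
            if t0 is not None and ts - t0 <= REBOOT_WINDOW:
                findings.append(Finding(ev["Host"], "safeboot_then_reboot", "critical",
                                        ev["CommandLine"]))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.rule}: {f.detail}")
```

On the constructed input this yields three findings on ws01 (the SafeBoot service registration, the bcdedit change, and the critical change-then-reboot sequence) and nothing for the scheduled reboot on ws02. The correlation step is what turns two individually explainable administrative actions into a high-confidence alert, which matters because a legitimate administrator rarely registers a service for Safe Mode and forces an immediate restart in the same minute.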

As reported by SiliconANGLE, several recent Snatch victims have been authorities in the State of Florida, including the Florida Department of Veterans Affairs, as well as Zilli, CEFCO Inc., the South African Department of Defense, and Briars Group Ltd. Snatch's operators have been increasingly active over the past year and a half, according to Michael Mumcuoglu, co-founder and CEO of posture management company CardinalOps Ltd.