Critical Infrastructure Organizations Warned of Snatch Ransomware Attacks

The FBI and the cybersecurity agency CISA on Wednesday published an advisory warning critical infrastructure organizations of ongoing Snatch ransomware attacks. Active since 2018, Snatch is offered under the ransomware-as-a-service (RaaS) model, and has been targeting organizations in the United States since 2019. Since November 2021, the group has been operating a leaks site, where it threatens to publish stolen data unless a ransom is paid. Initially called Team Truniger and likely associated with GandCrab, the Snatch ransomware group has been observed purchasing data stolen by other hacking groups, to further extort victims. The Snatch group, the FBI and CISA’s advisory explains, typically exploits remote desktop protocol (RDP) vulnerabilities for initial access, but was also seen acquiring compromised credentials from cybercrime forums. The group uses compromised administrator credentials for persistent access to victims’ networks, and establishes command-and-control (C&C) communication over HTTPS. The C&C server, the two agencies say, is hosted by a Russian bulletproof hosting service.