Snatch Ransomware Alert
Cyber Security Threat Summary:
Snatch is a ransomware group primarily targeting Windows-based systems. They employ various tactics, including exploiting vulnerabilities, brute force attacks, and data exfiltration to compromise and extort victims. Snatch operates under a ransomware-as-a-service (RaaS) model and has targeted critical infrastructure sectors such as Defense Industrial Base (DIB), Food and Agriculture, and Information Technology. The group utilizes a customized ransomware variant known for rebooting devices into Safe Mode to evade detection. They engage in double extortion, threatening victims with data exposure if ransoms are not paid. Recent reports indicate the existence of an extortion site associated with Snatch.
Security Officer Comments:
Snatch poses a significant threat to Windows-based systems, and its adaptation to current cybercriminal trends, use of double extortion, and willingness to purchase stolen data make it a formidable adversary. Organizations must prioritize robust cybersecurity measures, including regular patching, strong authentication practices, and data backup strategies to mitigate the risk of falling victim to Snatch ransomware attacks.
Suggested Correction(s):
- Patch and Update: Keep systems and software up-to-date with the latest security patches to minimize vulnerabilities that ransomware groups like Snatch might exploit.
- Strong Authentication: Enforce strong password policies and implement multi-factor authentication (MFA) to protect against brute force attacks.
- Data Backup: Regularly back up critical data and ensure backups are isolated from the network to prevent ransomware encryption. Test data restoration procedures.
- Endpoint Protection: Use reputable antivirus and endpoint protection solutions to detect and block malicious activity.
- Email Security: Implement email filtering solutions to detect and block phishing emails, which are often used as an initial attack vector.
- Network Monitoring: Continuously monitor network traffic for suspicious activity, especially over commonly used ports like 443.
- Access Control: Limit user privileges and access rights to minimize the impact of a potential compromise.
- Incident Response Plan: Develop and practice an incident response plan to respond effectively in case of a ransomware attack.
Email Domains and Addresses:
- sezname[.]cz
- cock[.]li
- airmail[.]cc
- tutanota[.]com / tutamail[.]com / tuta[.]io
- mail[.]fr
- keemail[.]me
- protonmail[.]com / proton[.]me
- swisscows[.]email
- sn.tchnews.top@protonmail[.]me
- funny385@swisscows[.]email
- funny385@proton[.]me
- russellrspeck@seznam[.]cz
- russellrspeck@protonmail[.]com
- Mailz13MoraleS@proton[.]me
- datasto100@tutanota[.]com
- snatch.vip@protonmail[.]com
- CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F
- 7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418
- 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97
- 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58
C:$SysReset
Filenames (SHA-256):
Filenames (SHA-1):
safe.exe: c8a0060290715f266c89a21480fed08133ea2614
Commands:
For more information, MITRE tags / technical analysis please see the attached PDF
Link(s):
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a