Rewterz Threat Alert – Alert: FBI and CISA Warn of Increasing Snatch Ransomware Attacks – Active IOCs

Severity

High

Analysis Summary

FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have published a joint advisory about an emerging “Snatch” ransomware-as-a-service (RaaS) campaign that has been active since 2018. The threat actor has been targeting a big range of critical infrastructure sectors, like IT, the food and agriculture sector, and the US defense industrial base. Their most recent attacks happened in June.

“Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations,” warns the advisory. “Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog.”

The threat actor has been around for almost five years, but recently their activity has increased significantly within the last 12-18 months. They have even claimed to be responsible for various high-profile attacks.

One notable feature of Snatch is that it is capable of forcing Windows to reboot in Safe Mode in the middle of an attack chain. This way, it is able to encrypt files while evading detection by antivirus tools, since these don’t often run in Safe Mode. This feature is believed to have been added somewhere near the end of 2019.

Snatch has a data encryption feature, similar to many other ransomware variants. It is also capable of stealing data from compromised systems before encryption as its double extortion method, so that the threat actor can later threaten to leak or sell data publicly in case the ransom isn’t paid. Snatch threat actors have also occasionally bought stolen data from other ransomware groups and used it to demand money from organizations.

Most of their attacks target vulnerabilities in the Remote Desktop Protocol (RDP) to gain administrator privileges for compromising the network. They have also been observed using stolen or purchased credentials in order to gain initial access on the system.

After the threat actor gets onto the network, they establish persistence and spend about three months expanding laterally to search for files and folders. The researchers note that the Snatch operators vary between using legitimate and malicious tools, including Metasploit open-source penetration testing tool and Cobalt Strike.

Snatch is currently the most active in North America, with over 70 attacks observed between 2022 and 2023. It is recommended for organizations to follow security practices to avoid any consequences of falling victim to these ransomware groups.

Impact

• Financial Loss
• Information Theft

Indicators of Compromise

MD5

• 2202e846ba05d7f0bb20adbc5249c359
• 55310bb774fff38cca265dbc70ad6705
• 3d29e9cdd2a9d76e57e8a3f9e6ed3643
• c95c81ca4e6b8153b458d29186e696bc
• 3a24a7b7c1ba74a5afa50f88ba81d550
• f9bf364f42f6e4d4bdc2cae74d6ca4cc
• 6d9d31414ee2c175255b092440377a88
• 3e36d3dc132e3a076539acc9fcd5535c
• 3d33a19bb489dd5857b515882b43de12
• 54fe4d49d7b4471104c897f187e07f91
• 304f8f54fb79bb470f3ccddd2befc5da
• 891708936393b69c212b97604a982fed
• 395dad45c4761490c6480308a8359c06

SHA-256

• 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
• 1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
• 5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd
• 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
• a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae
• 510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1
• 2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57
• 251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d
• 3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924
• 6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7
• 84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5
• a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84
• b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40

SHA-1

• 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
• 1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
• 5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd
• 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
• a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae
• 510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1
• 2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57
• 251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d
• 3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924
• 6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7
• 84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5
• a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84
• b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40

URL

• sezname.cz
• airmail.cc
• tuta.io
• keemail.me

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
• Conduct regular audits of remote access tools, review execution logs for anomalies, and use security software to detect memory-loaded remote access tools.
• Allow authorized remote access solutions only from within your network via approved methods like virtual private networks (VPNs) or virtual desktop interfaces (VDIs).
• Block common remote access software ports and protocols at the network perimeter to prevent unauthorized connections.
• Implement application controls, including allowlisting for remote access programs, to prevent unauthorized installations and executions.
• Strictly limit Remote Desktop Protocol (RDP) usage, audit network for RDP systems, close unused RDP ports, enforce account lockouts, and apply phishing-resistant MFA.
• Log RDP login attempts and disable unnecessary command-line and scripting activities and permissions.
• Regularly review network components and user accounts for new or unrecognized accounts.
• Apply the principle of least privilege (PoLP) to configure access controls for user accounts with administrative privileges.
• Place domain admin accounts in the protected users’ group, avoid storing plaintext credentials in scripts, and implement time-based access for elevated accounts.
• Develop and implement a recovery plan that maintains multiple copies of sensitive data and servers in a physically separate and secure location, including offline backups, to minimize business disruption.
• Enforce NIST’s password policy standards, using longer passwords (8 to 64 characters), hashed storage, unique salts for shared credentials, and discourage password reuse.
• Implement account lockouts for multiple failed login attempts, disable password hints, and avoid overly frequent password changes (not more than once a year).
• Keep operating systems, software, and firmware up to date, prioritizing timely patching of known exploited vulnerabilities in internet-facing systems.
• Segment networks to limit the spread of ransomware and control traffic flows between subnetworks, reducing the risk of lateral movement by adversaries.
• Employ network monitoring tools to detect abnormal activity and potential ransomware traversal. Endpoint detection and response (EDR) tools are valuable for identifying lateral connections.
• Disable unused ports and protocols to reduce potential attack vectors.
• Consider adding email banners to external emails, disable hyperlinks in received emails, and ensure all backup data is encrypted and immutable to safeguard the organization’s data infrastructure.