Feds Issue Snatch Ransomware Warning Following Attack on Hospital
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint security advisory about Snatch ransomware. The Snatch ransomware group has recently conducted an attack on a hospital in Maine and has claimed responsibility for an attack on the Florida Department of Veterans Affairs. The group poses a significant threat to the healthcare and public health (HPH) sector.
Snatch ransomware is not a new variant; it was first detected in 2018. However, CISA and the FBI say the group has recently been observed using new tactics, techniques, and procedures (TTPs) in its attacks. The timing of the alert may also have been prompted by an uptick in attacks over the past few months. Snatch ransomware was used in the May 2023 attack on Mount Desert Island Hospital, and the group recently leaked more than 260GB of data stolen in that attack. The group has also targeted several critical infrastructure sectors.
Snatch ransomware is offered under the ransomware-as-a-service (RaaS) model, where affiliates are recruited to conduct attacks in exchange for a percentage of any ransom payments they generate. The affiliates often change their tactics and adopt new TTPs as cybercriminal trends change and in response to the successes of other RaaS groups, and the ransomware has been under active development since at least mid-2021. The group engages in double extortion tactics, where files are exfiltrated before encryption and threats are issued to release the stolen data on the group’s data leak site if ransoms are not paid. According to CISA and the FBI, Snatch actors have been observed purchasing data stolen by other ransomware groups and have issued threats to release the data on their own data leak site if a ransom is not paid.
The main methods used for initial access are brute force attacks on Remote Desktop Protocol (RDP) endpoints and stolen credentials that have been purchased from other threat actors via dark web marketplaces. Persistence is achieved by gaining access to administrator accounts and establishing connections over port 443 to their command-and-control server, which is hosted on a bulletproof Russian hosting service. Affiliates have been observed using legitimate red team tools such as the Metasploit framework and Cobalt Strike for data discovery and lateral movement.
The dwell time is typically longer than that of other ransomware groups, with Snatch actors having been observed spending up to 3 months inside networks before deploying the ransomware. The group has been observed evading antivirus products by using a customized ransomware variant that reboots devices into Safe Mode and encrypts files while few services are running.
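The two behaviours described above that leave the clearest traces in Windows logs are the RDP brute-force attempts used for initial access and the reboot into Safe Mode before encryption. The following is an added example, not code from the advisory or this article, that runs two simple detections over constructed log records; it assumes failed logons are represented as event 4625 with logon type 10 for RDP, and that the Safe Mode change shows up as a bcdedit command line in a process-creation (4688) event, neither of which the page itself states.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from the advisory), modelled loosely on
# Windows Security log fields. Logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    {"time": "2023-09-20T02:14:01", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2023-09-20T02:14:09", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2023-09-20T02:14:17", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2023-09-20T02:14:25", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2023-09-20T02:14:33", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2023-09-20T02:14:41", "event_id": 4625, "logon_type": 10, "src": "203.0.113.7"},
    {"time": "2023-09-20T08:00:00", "event_id": 4625, "logon_type": 10, "src": "198.51.100.9"},
    {"time": "2023-09-20T08:45:00", "event_id": 4625, "logon_type": 10, "src": "198.51.100.9"},
    {"time": "2023-09-20T09:31:00", "event_id": 4625, "logon_type": 2, "src": "10.0.0.5"},
    {"time": "2023-09-20T10:02:11", "event_id": 4688, "host": "WS01",
     "cmdline": "notepad.exe C:\\notes.txt"},
    {"time": "2023-09-20T23:41:50", "event_id": 4688, "host": "FS02",
     "cmdline": "bcdedit /set {default} safeboot minimal"},
]

def rdp_bruteforce_sources(events, threshold=5, window_s=300):
    """Return source IPs with at least `threshold` failed RDP logons inside any
    `window_s`-second sliding window (a simple brute-force indicator)."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e.get("logon_type") == 10:
            failures[e["src"]].append(datetime.fromisoformat(e["time"]))
    flagged = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most window_s.
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return sorted(flagged)

def safeboot_changes(events):
    """Return (host, cmdline) for process-creation events that set a Safe Mode
    boot option. Assumption: the change is made through bcdedit's safeboot
    option; the page only says devices are rebooted into Safe Mode."""
    return [(e["host"], e["cmdline"]) for e in events
            if e["event_id"] == 4688 and "safeboot" in e.get("cmdline", "").lower()]

if __name__ == "__main__":
    print("RDP brute-force sources:", rdp_bruteforce_sources(SAMPLE_EVENTS))
    print("Safe Mode boot changes:", safeboot_changes(SAMPLE_EVENTS))
```

Tune `threshold` and `window_s` to the normal failed-logon rate on your own RDP endpoints; the defaults here are illustrative.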
CISA and the FBI have shared technical details of the attacks, Indicators of Compromise (IoCs), and recommended mitigations in the security alert to help network defenders improve their defenses and detect attacks in progress.


