Snatch Ransomware Attack Detection

Ransomware continues to be one of the most serious threats to corporate networks, and Snatch ransomware is one of the most annoying “guests” that emerged relatively recently. The first infections were recorded about two years ago, but serious attacks on organizations began only in April 2019, and since then, the appetites and skills of the attackers have been growing, fueled by news of the compromise of large companies and seven-figure ransom payments.

The attackers behind Snatch ransomware are Russian-speaking and they conduct free training for Russian-speaking affiliates focusing on attack speed, and it takes only a few hours from the moment an organization is compromised to encrypting files. However, some affiliates are more professional and steal data before encrypting systems in order to have additional leverage on the attacked company.

Cybercriminals usually carry out a brute force attack on an RDP exposed host, after a successful compromise, they attack the backup server, Domain Controller and also install ransomware on all systems they can access. After that infected systems reboot in Safe Mode and the ransomware deletes Volume Shadow Copies and encrypts files.

New community threat hunting rule by Osman Demir allows uncovering signs of Snatch ransomware before data encryption process is started:

https://tdm.socprime.com/tdm/info/EpVnv99TsQAz/lUZfTnQBSh4W_EKGVf-Q/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Impact

Techniques: Data Encrypted for Impact (T1486)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.