Snatch Ransomware: Just One More Threat to Corporate Networks

Delaware, USA – December 10, 2019 – This relatively new ransomware strain is used in targeted attacks on organizations, and its authors are recruiting affiliates who already have access to corporate networks. While investigating a ransomware outbreak at one of their customers, researchers at Sophos drew attention to Snatch ransomware, which appeared about a year ago and has been actively distributed since April. A distinctive feature of this malware is that it reboots the system into Safe Mode before deleting Volume Shadow Copies and encrypting files. Attackers search for exposed services and run automated brute-force attacks against RDP to enter a victim’s network and gain an initial foothold. The next steps are obtaining administrator access to the Domain Controller and performing reconnaissance, which takes from three days to several weeks. The adversaries use multiple tools, including PsExec, IObit Uninstaller, Process Hacker, and PowerTool, to gather detailed information about users and the network and to disable antimalware solutions before deploying Snatch ransomware.

The targets of this group’s attacks were located in North America and Europe. Researchers contacted a company that specializes in extortion negotiations between victims and adversaries and found that the attackers’ demands were growing in step with those of “big” players like Ryuk or Sodinokibi: in July, the cybercriminals demanded $2,000 for decrypting files, and in October – $35,000. It is also known that the group is Russian-speaking and offers free training to Russian-speaking affiliates only, so the number of attacks using Snatch ransomware will increase.

You can use the Brute Force Detection rule pack to discover attacks by these cybercriminals on your infrastructure. It helps your SIEM spot password-guessing attempts and analyze authentication events: https://my.socprime.com/en/integrations/brute-force-detection
IOC-based community rules to detect Snatch ransomware – https://tdm.socprime.com/tdm/info/sG12jPLP3NJF/
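The initial-access step described above (automated password guessing against exposed RDP, followed by a successful logon from the same source) is what a brute-force rule over Windows authentication events is meant to catch. The following is an added example, not code from the article, from Sophos, or from the SOC Prime rule pack: it parses a constructed, flattened form of Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), counts failures per source address inside a sliding window, and raises a second, higher-priority alert when a success follows a burst of failures from that address. The log format, the sample addresses (TEST-NET ranges), the threshold and the window size are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry) in a flattened key=value form.
# One source (203.0.113.45) guesses several accounts over RDP and then logs in;
# a second source (198.51.100.7) is a user who mistyped a password once;
# the last line is a console (LogonType 2) failure and must be ignored.
SAMPLE_EVENTS = """\
2019-12-01T02:14:03 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2019-12-01T02:14:09 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.45
2019-12-01T02:14:15 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.45
2019-12-01T02:14:22 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.45
2019-12-01T02:14:30 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2019-12-01T02:14:37 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2019-12-01T02:15:02 EventID=4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2019-12-01T02:20:11 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2019-12-01T02:20:40 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2019-12-01T02:21:00 EventID=4625 LogonType=2 TargetUserName=jsmith IpAddress=-
"""

# Assumed line layout for the constructed sample; a real SIEM would map
# the native event fields instead of parsing text.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)

RDP_LOGON_TYPE = 10  # RemoteInteractive: logons via Terminal Services / RDP


def parse_events(text):
    """Parse the flattened events into dicts, ordered by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "user": m["user"],
            "ip": m["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for RDP failure bursts and for successes that follow them.

    threshold and window are illustrative tuning values; real rules are set
    per environment from observed baseline failure rates.
    """
    alerts = []
    recent = defaultdict(deque)  # source ip -> deque of (ts, user) failures in window
    flagged = set()              # sources already alerted as brute force

    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        q = recent[e["ip"]]
        # Slide the window: drop failures older than `window` before this event.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()

        if e["eid"] == 4625:
            q.append((e["ts"], e["user"]))
            if len(q) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append({
                    "type": "rdp_brute_force",
                    "ip": e["ip"],
                    "failures": len(q),
                    "users": sorted({u for _, u in q}),  # spread over accounts = spraying
                    "ts": e["ts"],
                })
        elif e["eid"] == 4624 and len(q) >= threshold:
            # A success right after a burst of failures is the foothold moment
            # the article describes and deserves a higher-priority alert.
            alerts.append({
                "type": "rdp_success_after_failures",
                "ip": e["ip"],
                "user": e["user"],
                "failures": len(q),
                "ts": e["ts"],
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect_rdp_brute_force(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample this yields two alerts for 203.0.113.45 and none for 198.51.100.7: a single failed attempt followed by a success is normal user behaviour, which is why the rule keys on the failure count inside the window rather than on any 4625 at all. Filtering on LogonType 10 keeps console and network logons out of an RDP-specific rule; a broader password-guessing rule would drop that filter and group by logon type instead.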