FBI and CISA issue warning about dangerous new ransomware strain

Snatch ransomware activity is on the rise, businesses warned

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The U.S. Cybersecurity and Infrastructure Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a security advisory warning organizations about the Snatchransomwareoperation.

The advisory is part of the pairs #StopRansomware campaign, in which the two detail the tactics, techniques, and procedures (TTP), as well as indicators of compromise (IOC), of currently active and disruptive ransomware operations, in hopes of helping organizations protect against the threats a little better.

Even though Snatch first appeared sometime in 2018, the data the two organizations provide is relatively new, with some investigation data dating in early June this year. As per the advisory, Snatch is a ransomware-as-a-service model, by which different threat actor groups rent out the encryptor, and the infrastructure, in order to run ransomware campaigns.

Evolution in tactics

While Snatch threat actors kept “consistently” evolving their threat tactics, the advisory reads, they kept in line with what the majority did - they exfiltrated and encrypted sensitive data, then demanded payment in exchange for the decryption key, and in exchange for not leaking the data on the dark web.

“FBI and CISA encourage organizations to implement the recommendations in theMitigations sectionof this CSA to reduce the likelihood and impact of ransomware incidents,” the two said.

Back in December 2019, Snatch ransomware was found rebooting infected computers into Safe Mode, to bypass security solutions. This version was discovered by security researchers from the Sophos Managed Threat Response team and SophosLabs, which said that no security tools work in Safe Mode, allowing Snatch to encrypt the files unabated.

In a report on SiliconANGLE, it was said that more recent Snatch victims include the Florida Department of Veteran’s Affairs, Zilli, CEFCO Inc., the South African Department of Defense and the Briars Group Ltd.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Michael Mumcuoglu, co-founder and chief executive of posture management company CardinalOps Ltd., told the same publication that Snatch’s operators were more active over the past year and a half.

ViaInfosecurity Magazine

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Dangerous Android banking malware looks to trick victims with fake money transfers

Sophos Firewall hack on government network used an all-new custom malware

Don’t wait until Black Friday, this year’s best Nintendo Switch bundles are on sale now