Snatch's C2 servers operate mostly, it seems, from Russia (without love).
CISA, FBI warn of Snatch ransomware.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint Cybersecurity Advisory outlining tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware: “Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.”
An evolution, but a technically modest evolution.
Many of the steps the Snatch operators have been observed taking don't evince a deep technical sophistication. They've exploited weaknesses in remote desktop protocol (RDP) instances, and they've also purchased stolen credentials in criminal fora. Once they've achieved access to a target, they seek to compromise an administrator account and then establish connections to a command-and-control (C2) server over port 443. The C2 servers are, unsurprisingly, generally located on a Russian bulletproof hosting service.
Compromised credentials and brute forcing.
James McQuiggan, Security Awareness Advocate at KnowBe4, observed that a five-year track record shows both persistence and the way simple tactics pay off for criminals. “Being active since 2018 demonstrates how Snatch has the persistent nature of most cybercriminal groups and the importance of ongoing vigilance,” he wrote. “Using compromised credentials and RDP brute forcing for initial access, it sends a message to organizations to lock down internet-facing RDP and enforce strong password policies with multi-factor authentication across all users to reduce this attack vector. Like many other ransomware groups, they like to dwell within the networks, soaking up as much data and intel about the organization. These actions reiterate the need for rapid threat detection and response before ransomware executes. Ransomware remains a severe threat, but adversaries are not invincible. Cybersecurity teams can significantly reduce risk by implementing the measures suggested in the CISA advisory, including least privilege, patching, segmentation, and backups. As cybercriminals continue to innovate, so must cybersecurity teams within organizations. Cybersecurity professionals can stay one step ahead of the threat landscape and reduce the risk of attacks by fostering a robust security culture of continuous learning, collaboration, and adaptation.”
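The initial-access pattern described above (RDP brute forcing followed by a logon with a compromised or guessed credential) is one a defender can pick out of Windows Security logs. The following is an added example, not code from the advisory or from either commentator: it runs a sliding-window detector over constructed logon records modelled on event IDs 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive, i.e. RDP), and flags a source that produces a burst of failures and then succeeds.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, event_id, logon_type, src, user):
    """Build one normalised logon record (the fields a SIEM would extract from the event)."""
    return {"ts": datetime.fromisoformat(ts), "id": event_id, "logon_type": logon_type,
            "src": src, "user": user}

# Constructed sample records, not from the advisory. Modelled on Windows Security
# events: 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ev("2023-09-20T01:00:00", 4625, 10, "203.0.113.7", "administrator"),
    ev("2023-09-20T01:00:04", 4625, 10, "203.0.113.7", "administrator"),
    ev("2023-09-20T01:00:09", 4625, 10, "203.0.113.7", "admin"),
    ev("2023-09-20T01:00:15", 4625, 10, "203.0.113.7", "admin"),
    ev("2023-09-20T01:00:21", 4625, 10, "203.0.113.7", "backup"),
    ev("2023-09-20T01:00:40", 4624, 10, "203.0.113.7", "backup"),   # success right after the burst
    ev("2023-09-20T01:02:00", 4625, 10, "198.51.100.9", "jdoe"),    # two failures, far apart: noise
    ev("2023-09-20T02:30:00", 4625, 10, "198.51.100.9", "jdoe"),
    ev("2023-09-20T01:05:00", 4625, 3, "192.0.2.5", "svc"),         # network logon, not RDP
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src: alert} for sources with >= threshold failed RDP logons inside
    `window`; each alert records whether a successful RDP logon followed the burst."""
    rdp = sorted((e for e in events if e["logon_type"] == 10), key=lambda e: e["ts"])
    recent = defaultdict(list)   # src -> timestamps of failures still inside the window
    alerts = {}
    for e in rdp:
        src = e["src"]
        if e["id"] == 4625:
            q = recent[src]
            q.append(e["ts"])
            while e["ts"] - q[0] > window:       # slide the window forward
                q.pop(0)
            if src in alerts:                    # burst already open: extend it
                alerts[src]["failures"] += 1
                alerts[src]["last"] = e["ts"]
            elif len(q) >= threshold:            # new burst crosses the threshold
                alerts[src] = {"failures": len(q), "first": q[0], "last": e["ts"],
                               "success_user": None}
        elif e["id"] == 4624 and src in alerts and alerts[src]["success_user"] is None \
                and e["ts"] - alerts[src]["last"] <= window:
            alerts[src]["success_user"] = e["user"]   # a logon right after the burst: treat as compromised
    return alerts
```

An alert whose `success_user` is set is the case worth paging on: the account named there should be treated as compromised and the source blocked, which is the point at which the advisory's lockdown-and-MFA advice stops being theoretical.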
Colin Little, security engineer at Centripetal, used the occasion of the Joint Advisory to highlight some themes in organizational defense. “This CISA advisory is a noteworthy example of several primary challenges in breach prevention:
- “The organization of cybercrime in the world today is at unprecedented levels, with uninterrupted access to communications as well as a flourishing economy in which stolen information is a commodity.
- “Several ‘tried and true’ tools upon which threat actors can rely to ensure a complete kill chain, such as Cobalt Strike.
- “The ability to ‘live off the land’ by weaponizing operational and administrative features such as RDP and Windows Safe Mode.
- “Most importantly, the ability to reach across the internet and penetrate the attack surface via remote access tools from fairly obvious high-risk sources, such as ‘from a Russian bulletproof hosting service and through other virtual private network (VPN) services.’
“Attack surface protection can provide not only cover and concealment from these types of attacks, but visibility into what the attack surface looks like as well.”