SUMMARY
Note: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known ransomware IOCs and TTPs associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.
Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors. Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.
FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.
TECHNICAL DETAILS
Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 13. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT&CK® tactics and techniques. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
First appearing in 2018, Snatch operates a ransomware-as-a-service (RaaS) model and claimed their first U.S.-based victim in 2019. Originally, the group was referred to as Team Truniger, based on the nickname of a key group member, Truniger, who previously operated as a GandCrab affiliate. Snatch threat actors use a customized ransomware variant notable for rebooting devices into Safe Mode [T1562.009], enabling the ransomware to circumvent detection by antivirus or endpoint protection, and then encrypting files when few services are running.
Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom to avoid having their data released on Snatch’s extortion blog. Note: Since November 2021, an extortion site operating under the name Snatch served as a clearinghouse for data exfiltrated or stolen from victim companies on Clearnet and TOR hosted by a bulletproof hosting service. In August 2023, individuals claiming to be associated with the blog gave a media interview claiming the blog was not associated with Snatch ransomware and “none of our targets has been attacked by Ransomware Snatch…”, despite multiple confirmed Snatch victims’ data appearing on the blog alongside victims associated with other ransomware groups, notably Nokoyawa and Conti.[1]
Initial Access and Persistence
Snatch threat actors employ several different methods to gain access to and maintain persistence on a victim’s network. Snatch affiliates primarily rely on exploiting weaknesses in Remote Desktop Protocol (RDP) [T1133] for brute-forcing and gaining administrator credentials to victims’ networks [T1110.001]. In some instances, Snatch affiliates have sought out compromised credentials from criminal forums/marketplaces [T1078].
Snatch threat actors gain persistence on a victim’s network by compromising an administrator account [T1078.002] and establishing connections over port 443 [T1071.001] to a command and control (C2) server located on a Russian bulletproof hosting service [T1583.003]. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services [T1133].
Data Discovery and Lateral Movement
Snatch threat actors were observed using different TTPs to discover data, move laterally, and search for data to exfiltrate. Snatch threat actors use sc.exe to configure, query, stop, start, delete, and add system services using the Windows Command line. In addition to sc.exe, Snatch threat actors also use tools such as Metasploit and Cobalt Strike [S0154].
Prior to deploying the ransomware, Snatch threat actors were observed spending up to three months on a victim’s system. Within this timeframe, Snatch threat actors exploited the victim’s network [T1590], moving laterally across the victim’s network with RDP [T1021.001] for the largest possible deployment of ransomware and searching for files and folders [T1005] for data exfiltration [TA0010] followed by file encryption [T1486].
Defense Evasion and Execution
During the early stages of ransomware deployment, Snatch threat actors attempt to disable antivirus software [T1562.001] and run an executable as a file named safe.exe or some variation thereof. In recent victims, the ransomware executable’s name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection [T1036]. Upon initiation, the Snatch ransomware payload queries and modifies registry keys [T1012][T1112], uses various native Windows tools to enumerate the system [T1569.002], finds processes [T1057], and creates benign processes to execute Windows batch (.bat) files [T1059.003]. In some instances, the program attempts to remove all the volume shadow copies from a system [T1490]. After the execution of the batch files, the executable removes the batch files from the victim’s filesystem [T1070.004].
The Snatch ransomware executable appends a series of hexadecimal characters to each file and folder name it encrypts—unique to each infection—and leaves behind a text file titled HOW TO RESTORE YOUR FILES.TXT in each folder. Snatch threat actors communicate with their victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog. Since November 2021, some victims reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site. In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog.
Indicators of Compromise (IOCs)
The Snatch IOCs detailed in this section were obtained through FBI investigations from September 2022 through June 2023.
Email Domains and Addresses
Since 2019, Snatch threat actors have used numerous email addresses to email victims. Email addresses used by Snatch threat actors are random but usually originate from one of the following domains listed in Tables 1 and 2:
| Email Domains |
|---|
| sezname[.]cz |
| cock[.]li |
| airmail[.]cc |
Table 2 shows a list of legitimate email domains offering encrypted email services that have been used by Snatch threat actors. These email domains are all publicly available and legal. The use of these email domains by a threat actor should not be attributed to the email domains, absent specific articulable facts tending to show they are used at the direction or under the control of a threat actor.
| Email Domains |
|---|
| tutanota[.]com / tutamail[.]com / tuta[.]io |
| mail[.]fr |
| keemail[.]me |
| protonmail[.]com / proton[.]me |
| swisscows[.]email |
The email addresses listed in Table 3 were reported by recent victims.
| Folder Creation |
|---|
| C:\$SysReset |
| Commands |
|---|
| wmiadap.exe /F /T /R |
| %windir%\System32\svchost.eve -k WerSvcGroup |
| conhost.exe 0xFFFFFFFF -ForceV1 |
| vssadmin delete shadows /all /quiet |
| bcdedit.exe /set {current} safeboot minimal |
| REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service |
| REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service |
| REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions |
| %CONHOST% "1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320 |
| "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --no-startup-window /prefetch:5 |
| cmd /d /c cmd /d /c cmd /d /c start " " C:\Users\grade1\AppData\Local\PRETTYOCEANluvApplication\PRETTYOCEANApplicationidf.bi. |
| Registry Keys |
|---|
| HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\D8B548F0-E306-4B2B-BD82-25DAC3208786\FriendlyName |
| HKU\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{ED50FC29-B964- |
| Source | Message |
|---|---|
| TerminalServices-RemoteConnectionManager | Remote session from client name exceeded the maximum allowed failed logon attempts. The session was forcibly terminated. |
| Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall | A rule was added (Event 2004) or modified (Event 2005) in the Windows Defender Firewall exception list. All rules included action “Allow” and rule name included “File and Printer Sharing”. |
| Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall | A Windows Defender Firewall setting was changed in private, public, and domain profile with type “Enable Windows Defender Firewall” and value of “no”. |
| Microsoft-Windows-TaskScheduler%4Operational | Instance of process C:\Windows\svchost.exe. (Incorrect file location, should be C:\Windows\System32\svchost.exe) |
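As an added detection example that is not part of this advisory, the Python below runs regex rules for the staging commands in the Commands table (bcdedit safeboot, REG ADD under SafeBoot\Minimal, vssadmin shadow deletion, a payload named with its SHA-256) and for the mislocated svchost.exe from the event log table over constructed process-creation log lines; the log format, host names, rule names and the placeholder hash are assumptions.

```python
import re
from collections import defaultdict

# Regexes for the staging commands this advisory lists: bcdedit forcing a Safe
# Mode boot, REG ADD under SafeBoot\Minimal, vssadmin shadow-copy deletion,
# svchost.exe run from C:\Windows, and a payload named with a 64-hex-digit string.
RULES = {
    "safe_mode_boot": re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{current\}\s+safeboot\b", re.I),
    "safeboot_service_reg": re.compile(
        r"\breg\s+add\s+hklm\\system\\currentcontrolset\\control\\safeboot\\minimal\\", re.I),
    "shadow_copy_delete": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "svchost_wrong_dir": re.compile(r"(?<![\w\\])c:\\windows\\svchost\.exe\b", re.I),
    "hash_named_payload": re.compile(r"(?:^|\\)[0-9a-f]{64}\.exe\b", re.I),
}
LINE_RX = re.compile(r"^\S+\s+host=(\S+)\s+cmd=(.*)$")

# Constructed sample events (not from the advisory); "ts host=X cmd=Y" is an
# assumed flat export of process-creation records (Security 4688 / Sysmon ID 1).
FAKE_HASH = "0123456789abcdef" * 4  # placeholder, not a real Snatch hash
SAMPLE_LOG = "\n".join([
    r"2023-06-01T09:58:01Z host=WS01 cmd=C:\Windows\System32\svchost.exe -k netsvcs",
    r"2023-06-01T10:02:17Z host=WS01 cmd=vssadmin delete shadows /all /quiet",
    r"2023-06-01T10:02:18Z host=WS01 cmd=bcdedit.exe /set {current} safeboot minimal",
    r"2023-06-01T10:02:19Z host=WS01 cmd=REG ADD HKLM\SYSTEM\CurrentControlSet\Control"
    r"\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service",
    r"2023-06-01T10:02:20Z host=WS01 cmd=C:\Windows\svchost.exe",
    "2023-06-01T10:03:00Z host=FS02 cmd=C:\\Temp\\" + FAKE_HASH + ".exe",
    r"2023-06-01T10:04:00Z host=FS02 cmd=C:\Windows\System32\bcdedit.exe /enum",
])

def parse(line):
    """Return (host, command line) for one log line, or None if it does not fit."""
    m = LINE_RX.match(line)
    return (m.group(1), m.group(2)) if m else None

def scan(log_text):
    """Map each host to the sorted list of rule names that fired on its commands."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        host, cmd = parsed
        hits[host].update(name for name, rx in RULES.items() if rx.search(cmd))
    return {host: sorted(names) for host, names in hits.items() if names}

def staging_hosts(log_text, min_rules=2):
    """Hosts with at least min_rules distinct indicators: one bcdedit or vssadmin
    call can be routine admin work, the combination rarely is."""
    return sorted(h for h, names in scan(log_text).items() if len(names) >= min_rules)
```

The svchost rule deliberately ignores the legitimate System32 path and the bcdedit rule ignores a plain /enum, so the first and last sample lines produce no hit.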
| Mutexes Created |
|---|
| Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key |
| Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once |
| Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key |
| gcc-shmem-tdm2-fc_key |
| gcc-hmem-tdm2-sjlj_once |
| gcc-shmem-tdm2-use_fc_key |
MITRE ATT&CK TACTICS AND TECHNIQUES
See Tables 4-16 for all referenced threat actor tactics and techniques in this advisory.
| Technique Title | ID | Use |
|---|---|---|
| Gather Victim Network Information | | Snatch threat actors may gather information about the victim’s networks that can be used during targeting. |
| Technique Title | ID | Use |
|---|---|---|
| Acquire Infrastructure: Virtual Private Server | | Snatch threat actors may rent Virtual Private Servers (VPSs) that can be used during targeting. Snatch threat actors acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure. |
| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | | Snatch threat actors use compromised user credentials from criminal forums/marketplaces to gain access and maintain persistence on a victim’s network. |
| External Remote Services | | Snatch threat actors exploit weaknesses in RDP to perform brute forcing and gain administrator credentials for a victim’s network. Snatch threat actors use VPN services to connect to a victim’s network. |
| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: Windows Command Shell | | Snatch threat actors may use batch files ( |
| System Services: Service Execution | | Snatch threat actors may leverage various Windows tools to enumerate systems on the victim’s network. Snatch ransomware used |
| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts: Domain Accounts | | Snatch threat actors compromise domain accounts to maintain persistence on a victim’s network. |
| Technique Title | ID | Use |
|---|---|---|
| Masquerading | | Snatch threat actors have the ransomware executable match the |
| Indicator Removal: File Deletion | | Snatch threat actors delete batch files from a victim’s filesystem once execution is complete. |
| Modify Registry | | Snatch threat actors modify Windows Registry keys to aid in persistence and execution. |
| Impair Defenses: Disable or Modify Tools | | Snatch threat actors have attempted to disable a system’s antivirus program to enable persistence and ransomware execution. |
| Impair Defenses: Safe Mode Boot | | Snatch threat actors abuse Windows Safe Mode to circumvent detection by antivirus or endpoint protection and encrypt files when few services are running. |
| Technique Title | ID | Use |
|---|---|---|
| Brute Force: Password Guessing | | Snatch threat actors use brute force to obtain administrator credentials for a victim’s network. |
| Technique Title | ID | Use |
|---|---|---|
| Query Registry | | Snatch threat actors may interact with the Windows Registry to gather information about the system, configuration, and installed software. |
| Process Discovery | | Snatch threat actors search for information about running processes on a system. |
| Technique Title | ID | Use |
|---|---|---|
| Remote Services: Remote Desktop Protocol | | Snatch threat actors may use Valid Accounts to log into a computer using the Remote Desktop Protocol. |
| Technique Title | ID | Use |
|---|---|---|
| Data from Local System | | Snatch threat actors search systems to find files and folders of interest prior to exfiltration. |