AdvisoriesCISAAA23-263ASeptember 20, 2023
September 20, 2023
Since its emergence in 2018, Snatch has been operating as a ransomware-as-a-service (RaaS) model, targeting victims in the U.S. by 2019. Originally known as Team Truniger, the group utilizes a customized ransomware variant that can evade antivirus and endpoint protection by rebooting devices into Safe Mode before encrypting files. Notably, Snatch threat actors have been observed purchasing stolen data from other ransomware variants to pressure victims into paying ransoms. Despite claims to the contrary, an extortion blog operating under the name Snatch has been associated with confirmed Snatch victims' data, along with victims from other ransomware groups like Nokoyawa and Conti since August 2023.
September 22, 2023
Bypassing security controls, such as EDR, is a common goal for a piece of malware to employ. Malware, including ransomware, that does this can often run an attack to completion. Snatch is no different. This ransomware attempts to bypass security controls by putting a Windows computer into safe mode -where many security processes are disabled - before starting its file encryption routine. It is recommended you disable write access to the registry key that toggles safe mode on and off. This mitigation can make it harder for Snatch to bootstrap its attack.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
