What banks need to know about Snatch ransomware

The FBI and Cybersecurity and Infrastructure Security Agency recently released a joint warning about a strain of ransomware called Snatch, which has adopted the successful tactics of other variants.

On Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency warned companies about a strain of ransomware called Snatch after the group claimed it compromised a state government agency in Florida.

Reports have not revealed any financial institutions have fallen to Snatch ransomware, but the FBI and CISA said in a joint advisory that the group has targeted "a wide range of critical infrastructure sectors," including information technology companies that serve clients in other sectors. The group has also gone after the highly secure sector of defense industrial bases, according to the joint advisory.

The group has not apparently targeted banks or credit unions to date, but it does not appear to discriminate among victims: according to cybersecurity firm Sophos, it uses opportunistic tactics, making automated intrusion attempts against vulnerable and exposed services.

The gang has also evolved its tactics over time, according to the FBI and CISA. The group first appeared in 2018 under the name Team Truniger, based on the nickname of a key group member. Snatch ransomware claimed its first U.S.-based victim in 2019. Since 2021, Snatch threat actors have taken advantage of trends in the cybercriminal space and leveraged successes of other ransomware operations.

The FBI identified Snatch ransomware as recently as June, and the group claimed on its dark web blog this week that it has attacked two companies — a clothing company based in France and a U.S.-based convenience store chain — and the Florida Department of Veterans' Affairs. The Florida VA, which another ransomware actor has attacked before, has not made any public statements about the claimed attack. A spokesman for the department said it was aware of Snatch's claim but declined to comment.

One trend that the group behind Snatch has adopted is offering its ransomware to affiliates, a tactic known as ransomware-as-a-service. Many ransomware actors have developed this tactic as a means of monetizing attacks and reaching a wider array of potential victims.

Ransomware-as-a-service topped the list of concerns that the Financial Services Information Sharing and Analysis Center, a cybersecurity consortium for banks, said this year are primary threats to banks and credit unions. While ransomware poses a direct threat to banks, FS-ISAC said in the report, it also poses a threat to their supply chain, such as the IT vendors that Snatch targets.

Another ransomware trend noted by cybersecurity firm Zscaler is ransomware actors skipping the encryption step in ransomware attacks, opting instead to simply steal data, announce the theft and offer to delete the data if the victim company pays a ransom.

"This tactic results in faster and larger profits for ransomware gangs by eliminating software development cycles and decryption support," Zscaler said about these so-called encryption-less ransomware attacks. "These attacks are also harder to detect and receive less attention from the authorities because they do not lock key files and systems or cause the downtime associated with recovery."

However, some evidence suggests that ransomware gangs are, for the most part, still encrypting data at a high rate. A Sophos survey earlier this year found that three in four organizations that suffered a ransomware attack reported that their data had been encrypted — the highest rate since 2020. Only 3% of organizations reported that their data was not encrypted but that they received a ransom demand; the remainder stopped the attacks before their data got encrypted.

Indeed, Snatch ransomware in particular employs a tactic specifically designed to make encrypting data easier to do and harder to detect. This tactic involves booting compromised Windows systems into, ironically, safe mode. Safe mode can disable certain services, such as endpoint detection and response tools, which companies deploy to detect and stop suspicious activities like malware running. Disabling these tools allows the ransomware to circumvent detection.
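The safe-mode trick described above leaves a trace before the reboot: something has to change the boot configuration. The following is an added example, not code from the FBI/CISA advisory or from this article, showing how a defender might scan Windows process-creation logs for that change. The log format, host and user names, and the four log lines are constructed samples; the detection keys on the documented Windows boot-configuration tool being used to set or clear a safe-boot flag.

```python
# Added example (not from the advisory or the article): flag process-creation
# log lines in which the boot configuration is switched to safe mode, the step
# the article says Snatch uses so that EDR services do not start on reboot.
# Log format and sample lines are constructed for this example.
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    user: str
    command: str
    reason: str


# A boot-configuration change that sets a safeboot value, and the matching
# removal an operator would run to return the host to a normal boot.
SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\b.*\bsafeboot\b", re.IGNORECASE)
SAFEBOOT_DEL = re.compile(r"bcdedit(\.exe)?\b.*/deletevalue\b.*\bsafeboot\b", re.IGNORECASE)

# Constructed log format: timestamp, host, user, then the quoted command line.
LOG_FORMAT = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_FORMAT.match(line.strip())
    return m.groupdict() if m else None


def classify(cmd: str):
    """Return a reason string if the command touches the safe-boot setting."""
    if SAFEBOOT_DEL.search(cmd):
        return "safeboot flag removed (cleanup after a safe-mode boot)"
    if SAFEBOOT_SET.search(cmd):
        return "boot configured for safe mode (EDR services may not start)"
    return None


def scan(lines):
    """Scan log lines and return one Finding per suspicious command."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["cmd"])
        if reason:
            findings.append(Finding(rec["host"], rec["user"], rec["cmd"], reason))
    return findings


# Constructed sample log: two benign lines and two that should be flagged.
SAMPLE_LOG = [
    r'2023-09-20T02:14:07Z host=FS01 user=CORP\svc_backup cmd="bcdedit /set {default} safeboot minimal"',
    r'2023-09-20T02:14:09Z host=FS01 user=CORP\svc_backup cmd="cmd.exe /c dir C:\Users"',
    r'2023-09-20T02:15:30Z host=WS17 user=CORP\jsmith cmd="bcdedit /enum"',
    r'2023-09-20T03:02:41Z host=FS01 user=CORP\svc_backup cmd="bcdedit /deletevalue {default} safeboot"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.reason}  [{f.command}]")
```

Note that a plain `bcdedit /enum` is not flagged, only a set or delete of the safe-boot value, so the rule can be tuned to alert on the set and to correlate the later delete as the cleanup of the same incident.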


One tactic that some more sophisticated ransomware actors such as BlackCat (also known as Alphv) and Black Basta have adopted to avoid detection is partial or intermittent encryption. With this tactic, ransomware actors may encrypt only a part of each file, often the parts that most damage the data each file contains, according to cybersecurity firm SentinelOne. This strategy leaves pockmarks in files that can totally disable the software that depends on the files, or totally obfuscate the data in the file.
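Partial encryption is harder to catch because a single entropy measurement over the whole file stays well below the level of fully encrypted data. The following is an added example, not code from SentinelOne or from this article, that shows the gap and one way a defender can close it: measure entropy per fixed-size window and look for high-entropy pockets interleaved with ordinary data. The window size and thresholds are assumptions chosen for illustration, the "document" is constructed, and the encrypted-looking regions are simulated with random bytes, not with any cipher.

```python
# Added example (not from SentinelOne or the article): whole-file entropy
# misses intermittent encryption; per-window entropy reveals it.
# Window size, thresholds and the sample document are constructed here.
import math
import os
from collections import Counter

CHUNK = 4096   # bytes per window (assumption)
HIGH = 7.5     # bits/byte; uniformly random data sits near 8.0
LOW = 6.0      # at or below this a window still looks like document data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK):
    """Entropy of each consecutive window of the data."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def assess(data: bytes, chunk: int = CHUNK) -> dict:
    """Whole-file entropy beside per-window counts; 'intermittent' is set
    when high-entropy pockets sit alongside ordinary low-entropy windows."""
    ents = chunk_entropies(data, chunk)
    high = sum(e >= HIGH for e in ents)
    low = sum(e <= LOW for e in ents)
    return {
        "whole_file": shannon_entropy(data),
        "windows": len(ents),
        "high_windows": high,
        "low_windows": low,
        "intermittent": high > 0 and low > 0,
    }


def make_document(size: int) -> bytes:
    """Constructed sample: repetitive ASCII text, like a plain report."""
    text = b"Quarterly loan portfolio summary. Balances reconciled. "
    return (text * (size // len(text) + 1))[:size]


def simulate_partial_overwrite(data: bytes, chunk: int = CHUNK, every: int = 3) -> bytes:
    """Constructed stand-in for intermittent encryption: replace every Nth
    window with random bytes. No cipher is used; this only reproduces the
    statistical footprint a per-window check is meant to detect."""
    out = bytearray(data)
    for i in range(0, len(out), chunk * every):
        out[i:i + chunk] = os.urandom(min(chunk, len(out) - i))
    return bytes(out)


if __name__ == "__main__":
    doc = make_document(64 * 1024)
    print("clean   :", assess(doc))
    print("partial :", assess(simulate_partial_overwrite(doc)))
```

With one window in three overwritten, the whole-file figure lands around 6.3 bits per byte, under any sensible "this file is encrypted" threshold, while the per-window view shows a third of the windows at nearly 8 bits and the rest at roughly 4, which is the pockmarked pattern the paragraph above describes.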

Finally, one novel tactic Snatch has adopted is cross-posting data stolen by other ransomware groups, according to the FBI and CISA. By posting the data stolen by other ransomware strains, the group behind Snatch can make further exploitation attempts against victims who initially refuse to pay ransoms.
