
CSA releases warning regarding Snatch ransomware

A Joint Cybersecurity Advisory (CSA) has been released warning about Snatch ransomware.


What happened

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) jointly released this CSA on Snatch, a Russia-based ransomware group.

The security release is part of their ongoing efforts to #StopRansomware, where the FBI and CISA frequently highlight rising ransomware groups with techniques to help prevent attacks. 

The release includes information about Snatch's tactics, techniques, and procedures (TTPs) as well as known indicators of compromise (IOCs). 

The advisory comes after Snatch had successfully breached multiple organizations, including a hospital in Maine with over 24,000 patients impacted.



Going deeper

The report details that Snatch first appeared in 2018 using a ransomware-as-a-service model and completed its first breach against US victims in 2019. 

Uniquely, Snatch's model is known for rebooting devices into Safe Mode, which allows the ransomware to circumvent detection. Snatch is also known to have purchased data previously stolen by other groups in an effort to exploit victims further. 

Snatch and other ransomware organizations have begun using remote access tools to infiltrate computer systems. 

The CSA recommends organizations regularly audit remote access tools, review logs for execution of remote access software, use security software, and more to help prevent groups like Snatch from successfully infiltrating organizations. Their full list of recommendations can be found in the report.
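The log review recommended above, combined with the Safe Mode behaviour, can be turned into a small triage script. The following is an added example, not code from the advisory or from this article. It assumes a constructed pipe-delimited process log, hypothetical host names, an example tool watchlist, and the standard Windows mechanisms for Safe Mode boot (`bcdedit ... safeboot` and the `Control\SafeBoot` registry key), none of which are listed on this page.

```python
import re
from pathlib import PureWindowsPath

# Assumed watchlist and allow-list: fill both from your own remote access tool audit.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe"}
APPROVED_HOSTS = {"HELPDESK-01"}  # hypothetical host name

# Command lines that arrange for the next boot to be Safe Mode, or that
# register a service to start while in Safe Mode.
RULES = [
    ("safe-mode-boot-set",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*/set\b.*\bsafeboot\b", re.I)),
    ("safe-mode-service-added",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*\\control\\safeboot\\(?:minimal|network)\\", re.I)),
]

# Constructed sample: timestamp|host|image path|command line
SAMPLE_LOG = r"""
2023-09-21T02:10:04Z|WS-114|C:\Windows\System32\reg.exe|reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ExampleSvc /ve /d Service /f
2023-09-21T02:10:09Z|WS-114|C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {current} safeboot minimal
2023-09-21T02:10:11Z|WS-114|C:\Windows\System32\shutdown.exe|shutdown /r /f /t 00
2023-09-21T08:30:00Z|HELPDESK-01|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|AnyDesk.exe
2023-09-21T09:02:41Z|FIN-07|C:\Users\Public\AnyDesk.exe|AnyDesk.exe
2023-09-21T09:15:00Z|IT-03|C:\Windows\System32\bcdedit.exe|bcdedit /deletevalue {default} safeboot
"""

def scan(log_text):
    """Return (timestamp, host, rule) for every line that needs review."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, host, image, cmdline = line.split("|", 3)
        for rule, pattern in RULES:
            if pattern.search(cmdline):
                findings.append((ts, host, rule))
        exe = PureWindowsPath(image).name.lower()
        if exe in REMOTE_ACCESS_TOOLS and host not in APPROVED_HOSTS:
            findings.append((ts, host, "unapproved-remote-access-tool"))
    return findings

def hosts_to_triage(findings):
    """Hosts with a Safe Mode change go first: endpoint tools may not load there."""
    return sorted({host for _, host, rule in findings if rule.startswith("safe-mode")})

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Removing the Safe Mode flag (`/deletevalue`) and running an approved tool on an approved host are deliberately not flagged, which keeps routine administration out of the results.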


What they are saying

According to the CSA, "Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants' operations." 

The CSA also said that Snatch has threatened victims with double extortion, where "the victims' data will be posted on Snatch's extortion blog if the ransom goes unpaid." 

According to an interview with Nick Hyatt, a cybersecurity expert, his cybersecurity company tracked 70 attacks by Snatch between July 2022 and June 2023.


Why it matters

As the CSA said, Snatch has been able to evolve its tactics and systems to better infiltrate organizations. 

Snatch hasn't just affected organizations in the US but around the world. By charging victims exorbitant amounts to prevent data leaks, Snatch can put significant economic pressure on the organizations it targets.

Falling victim to a ransomware attack doesn't just lead to security concerns; it can have long-lasting impacts on an organization's financial status. If an organization could have prevented the attack, it may also face legal action. 



The bottom line

Healthcare organizations should pay close attention to the security guidance issued in the CSA. IT and security employees should also thoroughly understand the current methods and tactics groups like Snatch are using to infiltrate organizations.
