The FBI and CISA issued a Joint Cybersecurity Advisory “#StopRansomware: Snatch Ransomware” on September 20, 2023. The Advisory outlines the indicators of compromise and observed tactics, techniques, and procedures of Snatch so organizations can identify, mitigate, and respond to an attack using the Snatch ransomware variant.
Snatch has been hitting the Defense Industrial Base (DIB), Food and Agriculture and Information Technology sectors. “Snatch threat actors conduct ransomware operations involving data exfiltration and double extortion. After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid.”
The malicious email domains used by Snatch are sezname[.]cz, cock[.]li and airmail[.]cc. The legitimate email domains used by Snatch are tutanota[.]com / tutamail[.]com / tuta[.]io, mail[.]fr, keemail[.]me, protonmail[.]com / proton[.]me, and swisscows[.]email.
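The domain lists above are usable as detection input, but with different weights: the first three are attacker infrastructure, while the second group are legitimate providers that many ordinary senders also use, so blocking them outright would generate false positives. The following Python script is an added example (not code from the advisory or from this article) that refangs the domains as written on the page, scans mail-log lines for sender domains, treats subdomain matches as hits, and separates "malicious" verdicts from "review" verdicts. The log lines and their simplified Postfix-like format are constructed for the example.

```python
"""Flag mail-log sender domains that appear on the Snatch advisory's domain lists.

Added example, not part of the advisory or the original article. The domain
lists below are the ones quoted in the text; the log lines are constructed.
"""
import re

# Domains the advisory attributes to Snatch (defanged exactly as on the page).
MALICIOUS_DOMAINS_DEFANGED = ["sezname[.]cz", "cock[.]li", "airmail[.]cc"]

# Legitimate providers Snatch actors have used. Blocking these outright causes
# false positives, so matches are only surfaced for analyst review.
LEGITIMATE_PROVIDERS_DEFANGED = [
    "tutanota[.]com", "tutamail[.]com", "tuta[.]io", "mail[.]fr",
    "keemail[.]me", "protonmail[.]com", "proton[.]me", "swisscows[.]email",
]


def refang(domain: str) -> str:
    """Turn an advisory-style defanged domain ('cock[.]li') into a real one."""
    return domain.replace("[.]", ".").lower()


MALICIOUS = {refang(d) for d in MALICIOUS_DOMAINS_DEFANGED}
REVIEW = {refang(d) for d in LEGITIMATE_PROVIDERS_DEFANGED}

# Constructed sample lines in a simplified, hypothetical mail-log format.
SAMPLE_LOG = """\
2023-09-21T08:12:03Z from=<billing@example-supplier.com> to=<ap@corp.example> subject="Invoice 4411"
2023-09-21T08:14:55Z from=<recovery@cock.li> to=<ceo@corp.example> subject="Your files"
2023-09-21T08:20:10Z from=<jane.doe@protonmail.com> to=<hr@corp.example> subject="Application"
2023-09-21T08:22:41Z from=<help@mail.sezname.cz> to=<it@corp.example> subject="Decrypt key"
"""

FROM_RE = re.compile(r"from=<[^@>]+@([^>]+)>")


def sender_domain(line: str):
    """Extract the sender's domain from a log line, or None if absent."""
    m = FROM_RE.search(line)
    return m.group(1).lower() if m else None


def classify(domain: str) -> str:
    """Return 'malicious', 'review' or 'clean'.

    Every suffix of the domain is checked, so a subdomain such as
    mail.sezname.cz matches the listed sezname.cz.
    """
    labels = domain.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in MALICIOUS:
            return "malicious"
        if suffix in REVIEW:
            return "review"
    return "clean"


def scan(log_text: str):
    """Return (timestamp, sender_domain, verdict) for every non-clean line."""
    hits = []
    for line in log_text.splitlines():
        domain = sender_domain(line)
        if domain is None:
            continue
        verdict = classify(domain)
        if verdict != "clean":
            hits.append((line.split()[0], domain, verdict))
    return hits


if __name__ == "__main__":
    for ts, domain, verdict in scan(SAMPLE_LOG):
        print(f"{ts} {verdict:9s} {domain}")
```

Running the script prints one line per hit; on the constructed sample it reports cock.li and mail.sezname.cz as malicious and protonmail.com as review. In a real deployment the "review" tier is best correlated with other signals from the advisory (for example RDP logon activity) rather than alerted on alone.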
FBI and CISA provide recommendations to mitigate a Snatch attack, including:
- Secure and closely monitor Remote Desktop Protocol (RDP).
- Maintain offline backups of data.
- Enable and enforce phishing-resistant multifactor authentication (MFA).