The welcome arch for Modesto, California. Image: Jimmy Everson, DVM / Flickr / CC BY-NC-ND 2.0

Ransomware group takes credit for February attack on city of Modesto

A ransomware attack on the city of Modesto has been claimed by a long-running cybercrime operation more than one month after the local government confirmed it was attacked.

The Snatch group took credit for the incident, but did not say how much data was taken or when it would be released.

The announcement comes as the effects of the attack are coming into focus. Andrew Gonzales, legislative affairs manager for the Northern California city, told The Record on Tuesday that the government was able to “significantly reduce the size, scope, and impact of the attack.”

Gonzales did not respond to questions about whether a ransom would be paid or how high the ransom was.

Modesto officials initially told The Record on February 10 they were facing issues with computer systems and had disconnected portions of the network in response. The attack came right as the city of Oakland — about an hour and a half away — was experiencing its own ransomware incident.

Several outlets reported at the time that the Modesto attack crippled police car laptops, forcing the police department to revert to radios and write down the details of dispatch calls by hand.

In breach notification letters sent out to city residents on March 8, officials said the attack began on January 31 and hackers were in government systems until February 3, when the city’s IT department began to notice effects of the attack. The hackers accessed names, addresses, Social Security numbers, medical information included in work status reports, driver’s license numbers, and state-issued identification numbers.

The attack was limited to the police department, Gonzales told a local news outlet on March 2.

Screenshot of Snatch's post about Modesto, California.

While touting the efforts to contain the incident, the city acknowledged the sensitivity of the breached information and said it will work with victims to help secure their data going forward.

“Our world is extremely interconnected and cyber threats have become so diverse that simply having the right technical tools in place isn’t enough to prevent attacks from happening and mitigating the fallout,” Gonzales said. “It’s important to consider the human element and ensure that there is a well-trained team of experts who know what to do when something goes wrong.”

Running quietly

Extortion negotiation company Coveware told researchers from Sophos in 2019 that in its 12 negotiations with the Snatch group, the criminals typically demanded between $2,000 and $35,000 worth of bitcoin.

Sophos noted that Snatch stood out among other ransomware groups because it forces Windows machines to reboot into Safe Mode before beginning the encryption process — a technique intended to get around endpoint protection tools that often don’t run in Safe Mode.
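As an added defender-side illustration (not code from the article, Sophos or the city), here is a small detector over constructed process-creation log events that flags the configuration changes a Safe Mode reboot requires and correlates them with a forced restart on the same host. The bcdedit, reg and shutdown command lines it looks for are an assumption about how the technique shows up in endpoint telemetry, not details the article gives, and the sample events are constructed.

```python
import re
# MITRE ATT&CK tracks this evasion as T1562.009 (Impair Defenses: Safe Mode Boot).
# Constructed process-creation events, NOT from the article: (host, command_line).
# The bcdedit/reg/shutdown lines are an assumed rendering of the technique.
SAMPLE_EVENTS = [
    ("ws-01", "notepad.exe C:\\Users\\a\\notes.txt"),
    ("ws-02", "bcdedit /set {current} safeboot minimal"),
    ("ws-02", "shutdown /r /f /t 00"),
    ("srv-01", "bcdedit /enum"),
    ("ws-03", 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\UpdSvc" /ve /t REG_SZ /d Service /f'),
    ("ws-02", "bcdedit /deletevalue {current} safeboot"),
]

# Registry path under which a service must be listed to be started in Safe Mode.
SAFEBOOT_KEY = re.compile(r"\\control\\safeboot\\(minimal|network)\\", re.IGNORECASE)

def _image(tokens):
    """Bare lower-case executable name of the first token, path stripped."""
    return tokens[0].rsplit("\\", 1)[-1] if tokens else ""

def classify(command_line):
    """Return a finding string if the command line changes Safe Mode boot
    configuration, else None. Read-only 'bcdedit /enum' is deliberately ignored."""
    tokens = command_line.lower().split()
    image = _image(tokens)
    if image in ("bcdedit", "bcdedit.exe") and "safeboot" in tokens:
        if "/set" in tokens:
            return "bcdedit sets safeboot: next boot is Safe Mode"
        if "/deletevalue" in tokens:
            return "bcdedit clears safeboot: cleanup after a Safe Mode run"
    if image in ("reg", "reg.exe") and "add" in tokens and SAFEBOOT_KEY.search(command_line):
        return "reg add under SafeBoot key: a service is allowed to run in Safe Mode"
    return None

def scan(events):
    """Return (host, command_line, finding) for every event that matches."""
    return [(h, c, classify(c)) for h, c in events if classify(c)]

def hosts_with_safe_mode_reboot(events):
    """Hosts where setting safeboot was followed, in event order, by a forced reboot:
    the set-then-reboot sequence rather than an isolated administrative command."""
    armed, flagged = set(), []
    for host, cmd in events:
        tokens = cmd.lower().split()
        if (classify(cmd) or "").startswith("bcdedit sets"):
            armed.add(host)
        elif _image(tokens) in ("shutdown", "shutdown.exe") and "/r" in tokens and host in armed:
            flagged.append(host)
    return flagged
```

Running `scan(SAMPLE_EVENTS)` reports the set, the SafeBoot registry change and the later cleanup, while `hosts_with_safe_mode_reboot` narrows to the one host that set Safe Mode and then forced a restart.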

Since 2019, the group has been implicated in a number of high-profile attacks, including the Metropolitan Opera, a school district in Wisconsin and Swedish automaker Volvo.

Recorded Future ransomware expert Allan Liska said Snatch is one of the smaller ransomware groups and never moved to a ransomware-as-a-service model, which has allowed it to fly under the radar despite having been around since 2018.

“We usually only see one or two victims a month posted to their extortion site. That being said, they have been active in posting so far this month with 5 attacks posted, including the Metropolitan Opera,” Liska said.

“We haven’t seen any data posted by Snatch yet, but they don’t usually exaggerate or outright lie about claims.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.