Snatch gang ‘consistently evolved’ in targeting multiple industries, feds say

A Russia-based ransomware group is targeting organizations in the agriculture, IT and defense industries, according to an Wednesday advisory from U.S. cybersecurity agencies.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) spotlighted the Snatch ransomware gang, which has existed in various forms since 2018 but caused headlines in recent months over attacks on South Africa’s Defense Department, the Metropolitan Opera and the city government of Modesto, California.

As recently as June, the two agencies have investigated cases involving the ransomware group’s hackers, who use a command and control (C2) server located on a Russian bulletproof hosting service to launch their attacks.

Based on IP traffic from event logs provided by recent victims, Snatch initiates connections from the Russia-based server and through other virtual private network (VPN) services, the report said.

“Since mid-2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged successes of other ransomware variants’ operations,” the agencies said. “Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors.”

The advisory warns that the hackers are experienced and were originally known as “Team Truniger” based on the name of a key member who previously launched attacks using the now-defunct GandCrab ransomware.

The variant Snatch has used since its first attacks on U.S. organizations in 2019 is customized and is known by defenders by its ability to reboot devices into Safe Mode — a method used to circumvent antivirus software and endpoint protection.

The group has also been seen purchasing data stolen by other ransomware gangs and extorting victims for further ransoms. The report noted the group’s recent comments to Databreaches.net, in which they tried to argue that a flamboyant Telegram channel operating under the name Snatch was not connected to the ransomware gang.

The Telegram channel — which spent weeks this summer leaking highly classified documents stolen from South Africa’s Department of Defense — often boasted of attacks on victims who also appeared on the Snatch ransomware gang’s leak site. The Telegram channel was recently shut down for “copyright infringement” and the FBI noted that it hosted information stolen by other ransomware gangs like Conti and Nokoyawa.

The hackers typically communicate with victims through email and the Tox communication platform based on identifiers left in ransom notes or through their extortion blog.

But since November 2021, the FBI and CISA said some victims “reported receiving a spoofed call from an unknown female who claimed association with Snatch and directed them to the group’s extortion site.”

“In some instances, Snatch victims had a different ransomware variant deployed on their systems, but received a ransom note from Snatch threat actors. As a result, the victims’ data is posted on the ransomware blog involving the different ransomware variant and on the Snatch threat actors’ extortion blog,” they explained.

The advisory includes a list of email addresses and domains attached to the hackers, urging victims to call law enforcement in the event of an attack.

South Africa, Florida and Modesto

Snatch actors have caused significant damage to U.S. institutions. Police officers in Modesto, California were forced to revert back to pens, paper and radios in January after an attack on the city’s IT system.

The gang devastated a Wisconsin school district’s network in October 2022 and gained the attention of the U.S. Senate after stealing the sensitive data of more than 1.2 million patients during an attempted ransomware attack in May on one of the largest hospitals in Florida.

In addition to limiting services, the gang has stolen millions of Social Security numbers and IDs from their victims, including automaker Volvo, a Canadian airport and the Canadian Nurses Association.

Their attack last month on the Defense Department of South Africa nearly caused an international incident because it took place during an already controversial BRICS Summit in Johannesburg.

The gang leaked the personal phone number and email of the country’s president alongside a portion of the 1.6 terabytes of data stolen from the country’s defense systems. The government initially denied the attack before admitting that a breach did occur.

Nick Hyatt of cybersecurity company Optiv told Recorded Future News that between July 2022 and June 2023, his team tracked 70 attacks by Snatch across all verticals. Overwhelmingly, those attacks were focused on North America, he added.

On Monday, the gang added the Florida Department of Veterans' Affairs to its list of victims. The organization was previously attacked by the Quantum ransomware gang last May. At the time, a spokesperson for the department told Recorded Future News that under Florida law, “any suspected or confirmed cybersecurity breach is exempt from disclosure and said they “can’t confirm or deny.”