By Heimdall: The Snatch ransomware has affected a wide range of organizations across many sectors. The group appears to have been active for approximately five years since it was first identified, adopting specific characteristics in its attacks, such as using a specific Windows service name and rebooting the machine into Safe Mode to encrypt data.
In view of this, we present a summary of their history, an understanding of the attacks carried out, their modus operandi, TTPs according to MITRE ATT&CK and other relevant details, such as an analysis of the malware they use.
About Snatch Ransomware
According to records, the Snatch ransomware first appeared in 2018 and initially operated as a form of Ransomware-as-a-Service (RaaS). In 2019, it allegedly claimed its first victim in the US.
Originally, the group was known as Team Truniger, after a prominent member using the handle Truniger, who had acted as a GandCrab affiliate. The actors behind Snatch use a customized ransomware variant, notable for rebooting devices into Safe Mode. This allows the ransomware to evade detection by antivirus or endpoint protection and then encrypt files while few services are running.
As for the etymology of the name, the term "Snatch" is associated with the movie "Snatch" (2000). The ransom note contains the e-mail address imBoristheBlade@protonmail.com, which refers to the character in the movie named Boris Yurinov, nicknamed Boris "The Blade" or Boris "The Bullet-Dodger".
One of the first variants was identified in February 2019; it used different contact e-mail addresses and appended the extension ".FileSlack" to encrypted files.
Over time, the group added .onion sites so that victims could access them and start negotiating the payment. This approach allows the group of attackers to maintain greater anonymity and make it difficult to trace the transactions. It is a common tactic in ransomware operations, where criminals seek to obtain ransoms in cryptocurrencies, such as Bitcoin, to release victims' encrypted files. The negotiation takes place through these hidden sites on the Tor network (The Onion Router).
In this variant, the ransomware also changed the computer name to ABCDE.
In addition, posts were identified on an underground forum from the persona "BulletToothTony", who published various types of advertisements. This persona's name is also taken from the film "Snatch".
As of December 2019, Snatch began rebooting the PC into Safe Mode to evade antivirus software and encrypt files. The Snatch ransomware component is installed as a Windows service called "SuperBackupMan", which can run reliably in Safe Mode.
The following key is written in the registry:
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan:Default:Service
It is worth noting that SuperBackupMan cannot be interrupted or paused by the user while it is running. It then forces computers to restart in Safe Mode to disable any antivirus programs and encrypt files.
After rebooting the PC into Windows Safe Mode, the malware deletes all volume shadow copies so that the files cannot be recovered once they have been encrypted.
In the next step, Snatch begins encrypting the files; it runs on Windows 7, 8 and 10 computers (32-bit and 64-bit). After the reboot-related activity, which is the last event identified for the Snatch group, no new evidence was found to add to its history.
In September 2023, the FBI and CISA published an alert about the ransomware group, sharing information about its operations that will be covered below.
CISA and FBI Operation Report on Snatch Ransomware
The alert explains that Snatch threat actors have been observed purchasing previously stolen data from other ransomware variants in an attempt to further exploit victims into paying a ransom and preventing their data from being posted on the Snatch extortion blog.
One observation made by the FBI is that, since November 2021, the extortion site operating under the name Snatch has served as a clearing house for data exfiltrated or stolen from companies, whether on Clearnet or TOR. In August 2023, individuals claiming to be associated with the blog gave an interview to the media, claiming that the blog was not associated with the Snatch ransomware and that "none of our targets have been attacked by Snatch ransomware...", despite several confirmed Snatch victims appearing on the blog, along with victims associated with other ransomware groups, notably Nokoyawa and Conti.
It's worth noting that the owners of the aforementioned site have claimed to have "nothing to do" with the Snatch ransomware project that emerged in 2019 and existed for around 2 years.
These statements were collected by DataBreaches.net, to which the group claimed that Snatch Ransomware and "Security Notification Attachment" were separate projects, that their own project had started approximately a year before the interview, and that this was stated on their websites. The group said it should be referred to not as Snatch Ransomware but as Snatch Team.
Reliable information on this group therefore remains scarce.
Malware analysis
The ISH Malware Analysis team gained access to the potentially malicious artifact extracted from the security incident related to the ransomware attack on an architecture and urbanism company, identified with the signatures below:
Analysis of the artifact showed that this variant was compiled in the Go programming language (GoLang) for 64-bit architecture systems, with a size of 4.5 MB (4,695,552 bytes).
After performing a static analysis of this file, it was possible to verify that it has a compilation ID in the executable, obtaining the string:
Go build ID: "8G4DFSWsaKldkqmLUlue/sDX85TNDTybU_g7kqpMP/W1tefjYSczGjxhDBK2X4/nL6QH1oHX9GVW0rQgGie"
Among the functions the executable imports are WriteFile, which writes data to files, and CreateFile, which creates or opens them; both manipulate files in the operating system.
Since static analysis yielded only a few data points, we proceeded to dynamic analysis of the artifact in order to understand its real behavior on the operating system.
During execution, the artifact was observed creating .bat files that carry out specific tasks in the operating system. These files have the following content:
The ransomware also creates the folder in the path:
C:\$SysReset
This first file corresponds to querying the system's boot partition, i.e. it checks the operating system's instructions for booting.
This file creates a service using Windows sc.exe. It defines the name of the service as "bRWukSamSs", specifies the path where the Ransomware executable is located and, finally, the name displayed in the service user interface for management, with automatic start-up: "Manages the security information of the wDaUSBfy user account".
The main focus of the artifact is to alter the normal startup of the operating system. It does this by registering its service under the SafeBoot\Minimal key, so that the service is loaded when Windows boots into Safe Mode, using the following commands:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS" /VE /T REG_SZ /F /D Service
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bRWukSamSs" /VE /T REG_SZ /F /D Service
Finally, after dropping further .bat files, it executes the Windows process bcdedit.exe to set Safe Mode as the next boot mode and then forces the operating system to reboot, using the following commands from a batch file (.bat):
bcdedit.exe /set {current} safeboot minimal
shutdown /r /f /t 00
In the shutdown command, /r requests a restart, /f forces running programs and processes to close, and /t sets the delay in seconds before the restart (here zero).
Once the computer comes back up, this time in Safe Mode, the malware uses the Windows net.exe component to stop the service it created and then uses vssadmin.exe to delete all Shadow Copies on the system, which ultimately prevents recovery of the encrypted files:
net stop bRWukSamSs
vssadmin delete shadows /all /quiet
After that, the process of encrypting the files begins, just like any other type of Ransomware.
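As an added example (not code from this report or from ISH), the detection logic below runs the Safe Mode chain just described over constructed process-creation events and flags hosts where several stages coincide; it links the service created with sc.exe to the SafeBoot\Minimal entry, so it also covers the earlier SuperBackupMan variant regardless of the service name. The sample events, function names and the three-stage threshold are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, command line); they mirror the chain
# described in the report but are not log lines captured from the incident.
SAMPLE_EVENTS = [
    ("ws01", 'sc create bRWukSamSs binPath= "C:\\Users\\Public\\update.exe" start= auto'),
    ("ws01", 'REG ADD "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\bRWukSamSs" /VE /T REG_SZ /F /D Service'),
    ("ws01", "bcdedit.exe /set {current} safeboot minimal"),
    ("ws01", "shutdown /r /f /t 00"),
    ("ws01", "vssadmin delete shadows /all /quiet"),
    ("ws02", "bcdedit.exe /set {current} safeboot minimal"),  # lone admin action, not a chain
]
SAFEBOOT_MINIMAL = r'HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\'
# One entry per stage of the chain: (stage name, MITRE technique, regex).
# Group 1, where present, captures the service name so that stages can be linked.
STAGES = [
    ("service_created",  "T1569.002", re.compile(r'\bsc(?:\.exe)?\s+create\s+(\S+)', re.I)),
    ("safeboot_entry",   "T1112",     re.compile(r'\breg(?:\.exe)?\s+add\s+"?' + SAFEBOOT_MINIMAL + r'([^\s"]+)', re.I)),
    ("bcdedit_safeboot", "T1562.009", re.compile(r'\bbcdedit(?:\.exe)?\s+/set\s+\{current\}\s+safeboot\s+minimal\b', re.I)),
    ("forced_reboot",    "T1562.009", re.compile(r'\bshutdown(?:\.exe)?\b(?=.*\s/r\b)(?=.*\s/f\b)', re.I)),
    ("shadow_deletion",  "T1490",     re.compile(r'\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\b', re.I)),
]

def match_stages(cmdline):
    """Return [(stage, technique, service_name_or_None)] for a single command line."""
    hits = []
    for stage, technique, rx in STAGES:
        if m := rx.search(cmdline):
            hits.append((stage, technique, m.group(1) if rx.groups else None))
    return hits

def analyse(events, min_stages=3):
    """Flag hosts showing at least min_stages distinct stages. Confidence is 'high' when the
    service created with sc.exe is the same name registered under the SafeBoot Minimal key."""
    per_host = defaultdict(lambda: {"stages": {}, "created": set(), "safeboot": set()})
    for host, cmd in events:
        rec = per_host[host]
        for stage, technique, svc in match_stages(cmd):
            rec["stages"][stage] = technique
            if svc is not None:  # only the two service-related stages capture a name
                rec["created" if stage == "service_created" else "safeboot"].add(svc.lower())
    findings = {}
    for host, rec in per_host.items():
        if len(rec["stages"]) >= min_stages:
            linked = sorted(rec["created"] & rec["safeboot"])
            findings[host] = {"stages": sorted(rec["stages"]), "linked_services": linked,
                              "techniques": sorted(set(rec["stages"].values())),
                              "confidence": "high" if linked else "medium"}
    return findings
```

A single bcdedit call on ws02 stays below the threshold, so routine administration is not flagged on its own; the full sequence on ws01 is reported with the linked service name.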
Therefore, we conclude that the artifact is indeed ransomware from the Snatch family, developed and compiled in Go, targeting 64-bit operating systems. It creates several .bat files on the operating system, which are listed in the indicators section of this report.
No network packets were requested or received, and this executable only ran on the host where it was started.
After encrypting the data, it creates ransom notes related to the attack:
In addition to the details mentioned, other commands were identified during the incidents, such as:
wmiadap.exe /F /T /R
%windir%\System32\svchost.eve -k WerSvcGroup
conhost.exe 0xFFFFFF -ForceV1
vssadmin delete shadows /all /quiet
bcdedit.exe /set {current} safeboot minimal
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service
REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
%CONHOST% "1088015358-1778111623-1306428145949291561678876491840500802412316031-33820320"
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -flag-switches-begin -flag-switches-end -no-startup-window /prefetch:5
cmd /d /c cmd /d /c cmd /d /c start " " C:\Users\grade1\AppData\Local\PRETTYOCEANluvApplication\PRETTYOCEANApplicationidf.bi.
Links and details
- Email domains:
- E-mail addresses used:
- TOX ids with operators:
- Mutexes created in the system:
\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-fc_key
\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-sjlj_once
\Sessions\1\BaseNamedObjects\gcc-shmem-tdm2-use_fc_key
gcc-shmem-tdm2-fc_key
gcc-hmem-tdm2-sjlj_once
gcc-shmem-tdm2-use_fc_key
- Bitcoin wallet
1NeXSHC2apVSiabH2QqxWLMqv2K7Z7usBX
13TvbUKYEAqwu3FP7RDu8vZhVucmUg9Zxy
- Websites:
hxxx://mydatassuperhero.com
hxxx://snatch6brk4nfczg.onion
hxxx://snatchh5ssxiorrn.onion
hxxx://krismalt.tk
TTPs - MITRE ATT&CK
| Tactic | Technique | Details |
| --- | --- | --- |
| Reconnaissance TA0043 | Gather Victim Network Information T1590 | Snatch threat actors may collect information about the victim's networks that can be used during targeting. |
| Resource Development TA0042 | Acquire Infrastructure: Virtual Private Server T1583.003 | Snatch actors may rent virtual private servers (VPSs) for use during targeting. They acquire infrastructure from VPS providers known for renting servers with minimal logging, which makes the acquisition more anonymous. |
| Initial Access TA0001 | Valid Accounts T1078 | The actors use compromised user credentials bought on criminal forums and marketplaces to gain access to and maintain persistence on the victim's network. |
| Initial Access TA0001 | External Remote Services T1133 | Snatch actors exploit weaknesses in RDP to brute-force and obtain administrator credentials for the victim organization's network, and use VPN services to connect to the victim's network. |
| Execution TA0002 | Command and Scripting Interpreter: Windows Command Shell T1059.003 | Snatch actors use batch files (.bat) during ransomware execution and data discovery. |
| Execution TA0002 | System Services: Service Execution T1569.002 | Snatch actors use various Windows tools, such as "sc.exe", to enumerate systems on the victim's network. |
| Persistence TA0003 | Valid Accounts: Domain Accounts T1078.002 | Snatch actors compromise domain accounts to maintain persistence on the victim's network. |
| Defense Evasion TA0005 | Masquerading T1036 | Snatch actors make the ransomware executable match the SHA-256 hash of a legitimate file to avoid rule-based detection. |
| Defense Evasion TA0005 | Indicator Removal: File Deletion T1070.004 | Snatch actors delete batch files from the victim's file system as soon as execution is complete. |
| Defense Evasion TA0005 | Modify Registry T1112 | Threat actors modify Windows Registry keys to aid persistence and execution. |
| Defense Evasion TA0005 | Impair Defenses: Disable or Modify Tools T1562.001 | The threat actors attempted to disable the system's antivirus program to allow the ransomware to persist and run. |
| Defense Evasion TA0005 | Impair Defenses: Safe Mode Boot T1562.009 | The actors abuse Windows Safe Mode to bypass detection by antivirus or endpoint protection and encrypt files while few services are running. |
| Credential Access TA0006 | Brute Force: Password Guessing T1110.001 | Snatch actors use brute force to obtain administrator credentials for the victim's network. |
| Discovery TA0007 | Query Registry T1012 | Actors may interact with the Windows Registry to collect information about the system configuration and installed software. |
| Discovery TA0007 | Process Discovery T1057 | Threat actors gather information about the processes running on a system. |
| Lateral Movement TA0008 | Remote Services: Remote Desktop Protocol T1021.001 | Threat actors may use valid accounts to log into a computer over the Remote Desktop Protocol. |
| Collection TA0009 | Data from Local System T1005 | Threat actors search local systems for files and folders of interest before exfiltration. |
| Command and Control TA0011 | Application Layer Protocol: Web Protocols T1071.001 | Threat actors establish connections over port 443 to blend C2 traffic with other web traffic. |
| Exfiltration TA0010 | Exfiltration | Snatch actors exfiltrate data stolen from the victim's network. |
| Impact TA0040 | Data Encrypted for Impact T1486 | Threat actors encrypt data on the target system, or on a large number of systems in a network, to disrupt the availability of system and network resources. |
| Impact TA0040 | Inhibit System Recovery T1490 | Snatch threat actors delete all volume shadow copies on the victim's file system to inhibit system recovery. |
References
- Heimdall by ISH Tecnologia
- FBI report - Ransomware Snatch published in September-2023