November 13, 2022
Snatch groups became active relatively long ago - the first cases were reported in 2018. Like Matrix ransomware, Snatch uses the trick with Windows Safe Mode and privileged service. After the injection, ransomware creates a Windows service, and gives it the permission to startup even in the Safe Mode, using certain registry keys. This service uses the executive files of ransomware as its basis, so each time you boot your PC you launch the virus. Safe Mode is needed to prevent the launch of anti-malware tools, installed on your PC.
Besides disabling the third-party antiviruses in such a way, Snatch ransomware also suspends Windows Defender in a well-known way - through editing the Group Policies. Moreover, to prevent any recovery attempts, this ransomware removes the Volume Shadow Copies and the backups which were created with basic Windows functionality. Such behavior is not new - the majority of ransomware variants that are aiming at corporations do the same.
Snatch ransomware, just like a lot of other ransomware families, uses the ransomware-as-a-service (RaaS) distribution tactics. That scheme means that the creators of the ransomware have no relation to the people who distribute it. They sell the ransomware samples in the Darknet, offering the buyers a pretty big profit during a certain period for money sum paid now. Such a scheme allows the malware developers to stay uncovered for an extremely long time, compared to the ransomware groups that develop and distribute their “products” on their own.
|File pattern||%filename% . %original_extension% . %ransomware_extension%|
|Features||Exploits the PowerShell breaches to make itself more sustainable in the system|
|Damage||Disables MS Defender and Volume Shadow Copies, steals the corporate data|
|Distribution||Exploiting the RDP security breaches|
But Snatch group shows a significant contrast in this similarity. They do not just sell their ransomware to third parties, they offer their future affiliates to get a course of malware spreading techniques. The best “students”, as the creator assures, will get an already set up Metasploit server. As crooks say, they need the qualified employees who “have access to the RDP\VNC\TeamViewer\WebShell\SQL inj” (SQL injection). Pretty effective tactics when you need to get skilled partners who will show much higher efficiency than boys from the next door.
Snatch ransomware is surely developed by Russians, or russian-speaking citizens of the Commonwealth of Independent Countries. Such a fact is proven by their posts on the Darknet forum, where they claimed about their “recruiting program”:
“We are hiring the adverts with the access to RDP\VNC\TeamViewer\WebShell\SQL inj to the corporate networks, shops, and other companies.
More information is in PMs [Private Messages - author]. Describe shortly the questions you want to be answered, as well as types of data and other details. That will increase the chance of fast answering. Let’s respect each other’s time.
P.S. Recruiting campaign is over, a group is created and training is going already. A new recruiting wave will be announced in the first topic. Please, don’t PM me about studying.”
Another fact that ensures the Slavic nature of Snatch ransomware is the fact that they refuse to hire English speaking users:
How is it injected?
Through the big variety of methods, Snatch ransomware group has chosen one that is definitely the most effective for corporate attacks. Remote Desktop Protocol (RDP) vulnerabilities can easily be used to get inside the network and infect as many computers as possible. Since not all users know how to establish a secure connection through the RDP, it is quite easy to find the security breach in almost every corporation. RDP exploiting requires the specific port to be opened - and this port is usually used by default for the remote connections.
This spreading method became extremely effective during the total lockdowns when employees were forced to work from home and use RDP to connect to their workstations in the office. That’s why ransomware groups who exploited that vulnerable technology covered themselves in gold - the more the users - the bigger the chance to find the security breach and infect the corporate network.
After the successful injection, Snatch ransomware attempts to brute force the domain controller (DC). DC is usually a system administrator’s computer, which takes control of the whole network. If the fraudsters get access to the DC - your network is nearly dead. They will have no problem encrypting every computer in the network, even if they previously failed to brute force the credentials for that PC.
Besides the encryption module, ransomware also carries a pack of legit programs that are used for malevolent purposes. For example, Snatch ransomware has the Windows utility Advanced Port Scanner - exactly, for scanning the RDP ports for the vulnerable ports that have been possibly left open. IOBit Uninstaller, PowerTool, PsExec, and several other programs are used to delete the antivirus tool - to prevent the malware removal in case the user rebooted the PC manually.
Bring me action
Snatch ransomware encrypts the files it can reach with the AES-256 encryption. That cipher is widely used by different ransomware groups, sometimes even in the combination with other encryption algorithms - RSA-2048, for example. It is likely impossible to decrypt it with commonly used ways - brute force or guessing, and there is no way to get it somehow from the ransomware binary code. The key for each encryption case is stored on the server, maintained by ransomware distributors - those guys who were “taught by crooks.
There are also no facts of data stealing by the Snatch group. In fact, their ransomware doesn’t carry any sort of spyware or stealer virus, which is typically used for this purpose. That is good news for the corporations - the less the ransom amount is - the better the company will go through these problems. By the way, typical amounts of ransom are from $2,000 to $15,000 - less than other corporations-oriented ransomware groups ask.
Here is the typical ransom note for Snatch ransomware:
Funny facts and easter eggs
The name of this ransomware group is not just a randomly chosen word. Based on the first cases, where the contact email was [email protected], we can suppose that fraudsters give a reference to Guy Ritchie’s film “Snatch”. Boris The Blade was one of the heroes in this film, with an ability to keep going after numerous shots and beatings. Bullet Tooth Tony - the nickname used by one of the developers on the Darknet forum (you can see the screenshots above) - is also a reference to another character from the “Snatch”.