Skip to content
Ransomware group

SNATCH

Snatch is a Windows ransomware family and ransomware-as-a-service (RaaS) operation active since at least 2018.

Profile source: Mallory opens in a new tab

SNATCH

Family profile

Snatch is a Windows ransomware family and ransomware-as-a-service (RaaS) operation active since at least 2018. It is notable for rebooting infected Windows systems into Safe Mode before encrypting files, a technique intended to bypass endpoint protection because many security products do not run in Safe Mode. Sophos reported the malware is written in Go, packed with UPX, targets Windows 7 through Windows 10 in both 32-bit and 64-bit versions, and installs itself as a Windows service named SuperBackupMan. It adds the registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan with value Default:Service, uses bcdedit.exe to force a Safe Mode reboot, then in Safe Mode stops its service with net.exe, deletes Volume Shadow Copies with vssadmin.exe, and encrypts local files. Encrypted files receive a pseudorandom five-character alphanumeric extension, and ransom notes were observed as README_ABCDE_FILES.txt or DECRYPT_ABCDE_DATA.txt. Earlier samples used the email address imBoristheBlade@protonmail.com, and the binaries contain hardcoded OpenPGP public key blocks.

Snatch operators were linked by Sophos to the self-described "Snatch Team," including a suspected member using the handle BulletToothTony who recruited affiliates with access via RDP, VNC, TeamViewer, web shells, and SQL injection. Sophos observed initial access primarily through brute-forced internet-exposed RDP, followed by days or weeks of reconnaissance, credential theft, lateral movement, and data exfiltration using custom tooling, Cobalt Strike, PsExec, Advanced Port Scanner, Process Hacker, IObit Uninstaller, and PowerTool. In one case, attackers brute-forced an administrator account on a Microsoft Azure server, pivoted to a domain controller, deployed surveillance tooling to about 200 machines, collected WMI data, process lists, and LSASS memory contents, and uploaded data to command-and-control infrastructure. Snatch has also been described as one of the earlier ransomware operations to steal data and threaten publication, and FBI/CISA reporting states the group uses double extortion.

Additional reporting states Snatch has been delivered as a secondary payload by the Get2 downloader in TA505 campaigns. The malware family has also been observed using Namecoin .bit domains as part of its C2 infrastructure. Public reporting cited in the content notes victims in the United States, Canada, and several European countries, and an FBI/CISA joint advisory was issued covering Snatch RaaS tactics, techniques, procedures, mitigations, and indicators of compromise.

Ransomware.live

Operational record

View group record ↗

LOLBAS

  • BCDEdit
  • ServiceControl (sc.exe)

Offsec

  • Cobalt Strike
  • Meterpreter

Reported operators

Threat actors

2 named in public reporting
TA505

Get2 was, in turn, observed downloading FlawedGrace, FlawedAmmyy, Snatch, and SDBbot (a new RAT) as secondary payloads.

Snatch

The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives.

MITRE ATT&CK

SNATCH in ATT&CK

26 distinct techniques

Reporting

Research mentioning SNATCH

Mar 22
Sdsg

ESETの公開した90種類以上のEDR Killerを調査した記事を読んで思ったこと - Slapdash Safeguards

この状態でランサムウェアを実行するのを仕組化して悪用したのがSnatch。

Jan 1
Sophos Threat Research

Snatch ransomware reboots PCs into Safe Mode to bypass protection | SOPHOS

The ransomware, which calls itself Snatch, sets itself up as a service that will run during a Safe Mode boot. It quickly reboots the computer into Safe Mode, and in the rarefied Safe Mode environment, where most software (including security software) doesn’t run, Snatch encrypts the victims’ hard drives.

Aug 5
Medium Markmotig

Bypass AV/EDR with Safe Mode?. Guess what might not be running in safe… | by Mark Mo - Fashionproof | Medium

I learned about this technique reading about snatch ransomware. ... Snatch ransomware reboots PCs into Safe Mode to bypass protection

Jun 10
Tanium

CTI Roundup: FBI and CISA Issue a Joint Advisory for Snatch RaaS | Tanium

FBI and CISA issued a joint advisory for Snatch RaaS.

Apr 3
Trend Micro Research

Unveiling the Fallout: Operation Cronos' Impact on LockBit Following Landmark Disruption | Trend Micro (US)

Notably, competitor RaaS groups expressed much interest in learning about how LockBit was infiltrated. A Snatch RaaS operator also pointed out on their Telegram channel that they were all at risk.

Mar 25
Mandiant Threat Intelligence

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: Blockchain Infrastructure Use | Mandiant | Google Cloud Blog

Malware families that we have observed using Namecoin domains as part of their C2 infrastructure include: ... SNATCH ...

Jan 25
Dragos

Dragos Industrial Ransomware Analysis: Q4 2023 | Dragos

...Rhysida, Snatch, and Trigona: less than one percent each (2 incidents each)

Jan 20
Coveware

Improved Security and Backups Result in Record Low Number of Ransomware Payments

In 2022, the same list grew to include some well known closed Ransomware-as-a-service (RaaS) variants that typically target mid-market and larger enterprises: Phobos Dharma Quantum Artemis BlackByte Vice Society Conti Hive Lone Wolf Actors Snatch

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.