Snatch Ransomware Alert

Cyber Security Threat Summary:
Snatch is a ransomware group primarily targeting Windows-based systems. They employ various tactics, including exploiting vulnerabilities, brute force attacks, and data exfiltration to compromise and extort victims. Snatch operates under a ransomware-as-a-service (RaaS) model and has targeted critical infrastructure sectors such as Defense Industrial Base (DIB), Food and Agriculture, and Information Technology. The group utilizes a customized ransomware variant known for rebooting devices into Safe Mode to evade detection. They engage in double extortion, threatening victims with data exposure if ransoms are not paid. Recent reports indicate the existence of an extortion site associated with Snatch.

Security Officer Comments:
Snatch poses a significant threat to Windows-based systems, and its adaptation to current cybercriminal trends, use of double extortion, and willingness to purchase stolen data make it a formidable adversary. Organizations must prioritize robust cybersecurity measures, including regular patching, strong authentication practices, and data backup strategies to mitigate the risk of falling victim to Snatch ransomware attacks.

Suggested Correction(s):

  • Patch and Update: Keep systems and software up-to-date with the latest security patches to minimize vulnerabilities that ransomware groups like Snatch might exploit.
  • Strong Authentication: Enforce strong password policies and implement multi-factor authentication (MFA) to protect against brute force attacks.
  • Data Backup: Regularly back up critical data and ensure backups are isolated from the network to prevent ransomware encryption. Test data restoration procedures.
  • Endpoint Protection: Use reputable antivirus and endpoint protection solutions to detect and block malicious activity.
  • Email Security: Implement email filtering solutions to detect and block phishing emails, which are often used as an initial attack vector.
  • Network Monitoring: Continuously monitor network traffic for suspicious activity, especially over commonly used ports like 443.
  • Access Control: Limit user privileges and access rights to minimize the impact of a potential compromise.
  • Incident Response Plan: Develop and practice an incident response plan to respond effectively in case of a ransomware attack.
Email Domains and Addresses:
  • sezname[.]cz
  • cock[.]li
  • airmail[.]cc
  • tutanota[.]com / tutamail[.]com / tuta[.]io
  • mail[.]fr
  • keemail[.]me
  • protonmail[.]com / proton[.]me
  • swisscows[.]email
Email Addresses:
  • funny385@swisscows[.]email
  • funny385@proton[.]me
  • russellrspeck@seznam[.]cz
  • russellrspeck@protonmail[.]com
  • Mailz13MoraleS@proton[.]me
  • datasto100@tutanota[.]com
TOX Messaging IDs:
  • CAB3D74D1DADE95B52928E4D9DFC003FF5ADB2E082F59377D049A91952E8BB3B419DB2FA9D3F
  • 7229828E766B9058D329B2B4BC0EDDD11612CBCCFA4811532CABC76ACF703074E0D1501F8418
  • 83E6E3CFEC0E4C8E7F7B6E01F6E86CF70AE8D4E75A59126A2C52FE9F568B4072CA78EF2B3C97
  • 0FF26770BFAEAD95194506E6970CC1C395B04159038D785DE316F05CE6DE67324C6038727A58
Folder Creation:


Filenames (SHA-256):

  • qesbdksdvnotrjnexutx.bat: 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f
  • eqbglqcngblqnl.bat: 1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
  • safe.exe: 5950b4e27554585123d7fca44e83169375c6001201e3bf26e57d079437e70bcd
  • safe.exe: 7018240d67fd11847c7f9737eaaae45794b37a5c27ffd02beaacaf6ae13352b3
  • safe.exe: 28e82f28d0b9eb6a53d22983e21a9505ada925ebb61382fabebd76b8c4acff7c
  • safe.exe: fc31043b5f079ce88385883668eeebba76a62f77954a960fb03bf46f47dbb066
  • DefenderControl.exe: a201f7f81277e28c0bdd680427b979aee70e42e8a98c67f11e7c83d02f8fe7ae
  • 6992aaad3c47b938309fc1e6f37179eb51f028536f8afc02e4986312e29220c0
  • Setup.exe: 510e9fa38a08d446189c34fe6125295f410b36f00aceb65e7b4508e9d7c4e1d1
  • WRSA.exe: ed0fd61bf82660a69f5bfe0e66457cfe56d66dd2b310e9e97657c37779aef65d
  • ghnhfglwaplf.bat: 2155a029a024a2ffa4eff9108ac15c7db527ca1c8f89ccfd94cc3a70b77cfc57
  • nllraq.bat: 251427c578eaa814f07037fbe6e388b3bc86ed3800d7887c9d24e7b94176e30d
  • ygariiwfenmqteiwcr.bat: 3295f5029f9c9549a584fa13bc6c25520b4ff9a4b2feb1d9e935cc9e4e0f0924
  • bsfyqgqeauegwyfvtp.bat: 6c9d8c577dddf9cc480f330617e263a6ee4461651b4dec1f7215bda77df911e7
  • rgibdcghzwpk.bat: 84e1476c6b21531de62bbac67e52ab2ac14aa7a30f504ecf33e6b62aa33d1fe5
  • pxyicmajjlqrtgcnhi.bat: a80c7fe1f88cf24ad4c55910a9f2189f1eedad25d7d0fd53dbfe6bdd68912a84
  • evhgpp.bat: b998a8c15cc19c8c31c89b30f692a40b14d7a6c09233eb976c07f19a84eccb40
  • eqbglqcngblqnl.bat: 1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d
  • qesbdksdvnotrjnexutx.bat: 0965cb8ee38adedd9ba06bdad9220a35890c2df0e4c78d0559cd6da653bf740f

  • Filenames (SHA-1):

    safe.exe: c8a0060290715f266c89a21480fed08133ea2614


  • wmiadap.exe /F /T /R
  • %windir%\System32\svchost.eve –k WerSvcGroup
  • conhost.exe 0xFFFFFFFF -ForceV1
  • vssadmin delete shadows /all /quiet
  • bcdedit.exe /set {current} safeboot minimal
  • REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VSS /VE /T REG_SZ /F /D Service
  • REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mXoRpcSsx /VE /T REG_SZ /F /D Service
  • REG QUERY HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
  • %CONHOST% "1088015358-1778111623-130642814

  • For more information, MITRE tags / technical analysis please see the attached PDF