
Ransomware gang Snatch claims attack on Briars Group and two other organisations

The gang employs unusual and dangerous tactics to access target systems, security researchers have warned.

By Claudia Glover

Ransomware gang Snatch claims to have infiltrated three businesses, posting their details on its dark web victim blog. They include London-based Briars Group and international molecular diagnostics company EliTech. The gang’s modus operandi is to force a target system to reboot in ‘safe mode’, where antivirus software does not run, making it easier to access valuable information.

A ransomware gang named after the classic film Snatch has posted three victims to its dark web blog. (Photo by Daniel Smith/Getty Images)

Researchers have warned that the dangers of Snatch’s techniques “cannot be overstated”.

Snatch ransomware gang’s three victims

The first victim is EliTech group, based in Paris. The organisation is a global in-vitro diagnostics company with laboratories in more than 100 countries around the world and over 650 employees. It sells diagnostic instruments and software to its global partners, meaning there may be a danger of a supply chain attack were the ransomware gang able to gain access to the software provided by the company.

Another victim, the Briars Group, is a London-based consultancy which helps businesses expand overseas, while the third, Mount Desert Hospital in Maine, serves three towns in the US state.

Details of the attacks are light on the blog, as the posts do not state how much data has been seized or when the deadline is to participate in negotiations with the gang. Only the names of the companies, each alongside a brief bio, have been posted.

Tech Monitor has contacted the three targeted organisations but has received no response at the time of writing. 

Snatch ransomware’s tactics have researchers worried

The gang’s tactics are notorious and known to be effective and devastating. Researchers at cybersecurity company Sophos say it employs a unique tactic where it forces target devices to reboot in safe mode, a stripped-down, diagnostic mode of a device’s operating system.

Safe mode does not run any software downloaded to the device, including antivirus, leaving the cybercriminals free to access the system, to steal and encrypt as much data as they need to carry out a ransomware attack.

“SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated,” the report explains. “We needed to publish this information as a warning to the rest of the security industry, as well as to end users,” the researchers added.

The gang typically uses double extortion tactics, where hackers steal sensitive data to extort the victim company while encrypting as much data as they can to prevent the organisation from operating. Both put pressure on the target to pay, for the decryption key and to prevent sensitive data being leaked onto the dark web.

Security company Coveware, which specialises in extortion negotiations between ransomware victims and their attackers, has assisted 12 victims of the gang. The ransom demanded has typically been between $2,000 and $35,000 in Bitcoin.

Snatch is Russian-speaking and has been running since 2018. Sophos says in another report that the gang is named after the Guy Ritchie film of the same name, which came out in 2000 and starred Brad Pitt.

The cybercriminal group has also confirmed an attack in February on the Northern Carolina city of Modesto. Several outlets in the city reported that the Modesto attack crippled police laptops, forcing the police department to revert to radios and write down the details of dispatch calls by hand.
