Ransomware gang Snatch claims to have infiltrated three businesses, posting their details on its dark web victim blog. They include London-based Briars Group and international molecular diagnostics company EliTech. The gang’s modus operandi is to force a target system to reboot in ‘safe mode’, where antivirus software does not run, making it easier to access valuable information.
Researchers have warned that the dangers of Snatch’s techniques “cannot be overstated”.
Snatch ransomware gang’s three victims
The first victim is EliTech group, based in Paris. The organisation is a global in-vitro diagnostics company with laboratories in more than 100 countries around the world and over 650 employees. It sells diagnostic instruments and software to its global partners, meaning a supply chain attack would be possible if the ransomware gang was able to gain access to the software the company provides.
Another victim, the Briars Group, is a London-based consultancy which helps businesses expand overseas, while the third, Mount Desert Hospital in Maine, serves three towns in the US state.
Details of the attacks are light on the blog, as the posts do not state how much data has been seized or what the deadline is for entering negotiations with the gang. Only the companies' names, alongside brief bios, have been posted.
Tech Monitor has contacted the three targeted organisations but has received no response at the time of writing.
Snatch ransomware’s tactics have researchers worried
The gang’s tactics are notorious and known to be effective and devastating. Researchers at cybersecurity company Sophos say it employs a unique tactic in which it forces target devices to reboot in safe mode, a stripped-down diagnostic mode of the device’s operating system.
In safe mode, software installed on the device, including antivirus, does not run, leaving the cybercriminals free to access the system and to steal and encrypt as much data as they need to carry out a ransomware attack.
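The safe-mode reboot described above leaves a trail in endpoint telemetry before the machine goes down. The following Python detector is an added example written for this article, not code from Sophos or from the gang: it runs over constructed, Sysmon-style process-creation events and flags the standard Windows mechanisms a safe-mode reboot relies on (the `bcdedit` safeboot setting and the SafeBoot registry key), which the article itself does not name.

```python
import re

# Constructed sample process-creation events (Sysmon-like key=value layout); not real telemetry.
SAMPLE_EVENTS = [
    r"UtcTime=2023-03-20 02:14:07 Image=C:\Windows\System32\bcdedit.exe ParentImage=C:\Users\svc\updater.exe CommandLine=bcdedit /set {current} safeboot minimal",
    r"UtcTime=2023-03-20 02:14:09 Image=C:\Windows\System32\reg.exe ParentImage=C:\Users\svc\updater.exe CommandLine=reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupSvc /ve /d Service /f",
    r"UtcTime=2023-03-20 02:14:10 Image=C:\Windows\System32\shutdown.exe ParentImage=C:\Users\svc\updater.exe CommandLine=shutdown /r /f /t 0",
    r"UtcTime=2023-03-20 09:30:00 Image=C:\Windows\System32\bcdedit.exe ParentImage=C:\Windows\System32\cmd.exe CommandLine=bcdedit /enum",
]

# key=value fields; the lazy value stops at the next " key=" or end of line, so CommandLine may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    return dict(FIELD_RE.findall(line))


# Rules are matched against the lower-cased command line. The safeboot BCD setting and the
# SafeBoot\Minimal (or Network) registry key are ordinary Windows mechanisms, assumed here as the
# way a reboot into safe mode is arranged; "bcdedit /enum" is the benign control case.
RULES = [
    ("safe_boot_configured", re.compile(r"\bbcdedit(\.exe)?\s.*\bsafeboot\s+(minimal|network)\b")),
    ("safe_boot_cleared", re.compile(r"\bbcdedit(\.exe)?\s.*\bdeletevalue\b.*\bsafeboot\b")),
    ("safeboot_service_registered", re.compile(r"\breg(\.exe)?\s+add\s+.*\\safeboot\\(minimal|network)\\")),
    ("forced_reboot", re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b")),
]


def detect(events):
    """Return one finding per (event, rule) match, in event order."""
    findings = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "").lower()
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"rule": name, "time": ev.get("UtcTime"),
                                 "parent": ev.get("ParentImage"), "cmd": ev["CommandLine"]})
    return findings


def assess(findings):
    """Safe-boot configuration on its own is worth a look; paired with a forced reboot or a
    service registered to run in safe mode it matches the reboot-into-safe-mode pattern."""
    rules = {f["rule"] for f in findings}
    if "safe_boot_configured" in rules and rules & {"forced_reboot", "safeboot_service_registered"}:
        return "high"
    if rules & {"safe_boot_configured", "safeboot_service_registered", "safe_boot_cleared"}:
        return "medium"
    return "none"
```

Because the reboot itself is the last step, a rule like this has to raise an alert on the configuration event, not wait for correlation with the shutdown.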
“SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated,” the report says. “We needed to publish this information as a warning to the rest of the security industry, as well as to end users,” the researchers explain.
The gang typically carries out double extortion tactics, where hackers steal sensitive data to extort the victim company while encrypting as much data as they can to prevent the organisation from operating. Both tactics put pressure on the target to pay, both for the decryption key and to prevent sensitive data being leaked onto the dark web.
Security company Coveware, which specialises in extortion negotiations between ransomware victims and their attackers, has assisted 12 victims of the gang. The ransom demanded has typically been between $2,000 and $35,000 in Bitcoin.
Snatch is a Russian-speaking group and has been operating since 2018. Sophos says in another report that the gang is named after the Guy Ritchie film of the same name, released in 2000 and starring Brad Pitt.
The cybercriminal group has also confirmed an attack in February on the Northern Carolina city of Modesto. Several outlets in the city reported that the Modesto attack crippled police laptops, forcing the police department to revert to radios and write down the details of dispatch calls by hand.