Snatch Ransomware is a ransomware operation attributed to eCrime, active since 2018. Ransomware using Safe Mode reboot to evade detection. Key capabilities include: Safe Mode reboot evasion, data exfiltration marketplace.
Overview & Operations
Ransomware using Safe Mode reboot to evade detection. The group has been active since 2018 and operates as part of the broader ransomware-as-a-service ecosystem. Notable technical characteristics include: Safe Mode reboot evasion, data exfiltration marketplace.
Snatch Ransomware employs double extortion tactics — encrypting victim data while simultaneously exfiltrating sensitive information for leverage. Organizations that refuse to pay face public data exposure on the group's leak site.
- Operator: eCrime
- Active since: 2018
- Tooling: Safe Mode reboot evasion, data exfiltration marketplace
- Extortion model: Double extortion (encryption + data leak)
Tactics, Techniques & Procedures
Snatch operators typically gain initial access through phishing, exploiting public-facing applications (VPN, RDP, Exchange), or purchasing access from initial access brokers (IABs). Post-compromise, they deploy Cobalt Strike or similar C2 frameworks for lateral movement before deploying the ransomware payload.
- Initial access: Phishing, vulnerability exploitation, RDP brute force, IAB purchases T1566.001 T1190
- Execution: PowerShell, WMI, PsExec for payload deployment T1059.001
- Persistence: Scheduled tasks, service creation, registry modifications T1053.005
- Defense evasion: Security tool tampering, Safe Mode exploitation, BYOVD T1562.001
- Lateral movement: RDP, SMB, WMI, admin shares T1021.002
- Exfiltration: Custom exfiltration tools, cloud storage, Rclone T1567
- Impact: File encryption with custom encryptor T1486
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1190 Exploit Public-Facing App | VPN/RDP/Exchange exploitation |
| Execution | T1059.001 PowerShell | Post-exploitation scripting |
| Persistence | T1053.005 Scheduled Task | Persistence mechanism |
| Defense Evasion | T1562.001 Disable Security Tools | EDR/AV tampering |
| Credential Access | T1003.001 LSASS Memory | Credential dumping |
| Lateral Movement | T1021.002 SMB/Admin Shares | Network propagation |
| Exfiltration | T1567 Exfil Over Web Service | Data theft before encryption |
| Impact | T1486 Data Encrypted for Impact | Ransomware deployment |
Detection & Defense
- Backup strategy: Maintain offline, immutable backups with tested restoration procedures
- Network segmentation: Limit lateral movement paths between critical systems
- EDR deployment: Behavioral detection for ransomware indicators (mass file modification, shadow copy deletion)
- MFA enforcement: Protect RDP, VPN, and admin portals with phishing-resistant MFA
- Patch management: Prioritize VPN, Exchange, and remote access vulnerabilities
- Threat intelligence: Monitor for Snatch IOCs and dark web activity
Protect Against Snatch Ransomware
Mjolnir Security provides ransomware prevention, detection, and response services against Snatch Ransomware and similar threats.
- Ransomware Readiness Assessment Evaluate your organization's resilience against Snatch and similar ransomware operations with gap analysis and remediation recommendations.
- Ransomware Incident Response Rapid containment, negotiation support, and forensic investigation when ransomware strikes.
- 24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.
Stay ahead of emerging threats. Get notified when we publish new intelligence reports and advisories.
Subscribe to Alerts