Snatch ransomware [1] [2] [4], a ransomware-as-a-service (RaaS) operation [2] [4], has been active since at least 2018 and is currently targeting critical infrastructure sectors [4], including the IT sector [4], the US defense industrial base [4], and the food and agriculture vertical [4].

Description

The threat actors behind Snatch have been evolving their tactics and leveraging the successes of other ransomware variants [4]. They have been observed purchasing stolen data from other ransomware groups to increase the pressure on victims to pay a ransom [4]. Snatch is notable for its ability to force Windows systems to reboot into Safe Mode [4], where most antivirus and endpoint protection services do not start, allowing it to encrypt files without being detected [4]. In addition to file encryption, the ransomware includes a component for stealing data from compromised systems [4]. Snatch operators often target weaknesses in the Remote Desktop Protocol (RDP) or use stolen or purchased credentials to gain initial access to a network [4]. North American organizations have been the primary targets of Snatch attacks [4].
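The Safe Mode reboot tactic described above leaves a footprint in process-creation telemetry before the encryption starts. The following detection logic is an added example, not code from the page or from the FBI/CISA advisory; it assumes a constructed "key=value|..." record format and relies on two standard Windows mechanisms that any Safe Mode boot with a surviving service has to touch: the bcdedit "safeboot" boot option and service entries under the SafeBoot\Minimal (or SafeBoot\Network) registry key.

```python
"""Detection example for the Safe Mode reboot tactic (added; not from the page).

Scans process-creation records (one constructed 'key=value|...' record per
line) for a bcdedit 'safeboot' change or a service registered under
...\\Control\\SafeBoot\\Minimal|Network, and escalates when the same host
reboots afterwards. Field names and sample lines are constructed.
"""
import re

RULES = [  # (rule name, severity, pattern)
    ("bcdedit_safeboot_set", "high",
     re.compile(r"\bbcdedit(\.exe)?\b.*/set\b.*\bsafeboot\b", re.I)),
    ("safeboot_service_registered", "high",
     re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\", re.I)),
    # Removing the option is how an admin undoes it; keep it visible but low.
    ("bcdedit_safeboot_deleted", "low",
     re.compile(r"\bbcdedit(\.exe)?\b.*/deletevalue\b.*\bsafeboot\b", re.I)),
]
REBOOT = re.compile(r"\bshutdown(\.exe)?\b.*\s/r\b", re.I)

def parse_record(line):
    """Split 'Host=..|User=..|CommandLine=..' into a dict (constructed format)."""
    return dict(p.split("=", 1) for p in line.strip().split("|") if "=" in p)

def detect(lines):
    """Return alert dicts; a reboot after a high-severity change is escalated."""
    alerts, primed = [], set()  # primed: hosts with a pending Safe Mode change
    for line in filter(str.strip, lines):
        rec = parse_record(line)
        host, cmd = rec.get("Host", "?"), rec.get("CommandLine", "")
        for name, sev, pat in RULES:
            if pat.search(cmd):
                alerts.append({"host": host, "rule": name, "severity": sev, "cmd": cmd})
                if sev == "high":
                    primed.add(host)
        if host in primed and REBOOT.search(cmd):
            alerts.append({"host": host, "rule": "reboot_after_safeboot_change",
                           "severity": "critical", "cmd": cmd})
    return alerts

# Constructed sample telemetry: one benign process, a suspicious sequence on
# FS-02, and an administrator clearing the option on IT-ADM.
SAMPLE = """\
Host=WS-014|User=CORP\\jdoe|CommandLine=notepad.exe report.txt
Host=FS-02|User=CORP\\svc_backup|CommandLine=bcdedit.exe /set {current} safeboot minimal
Host=FS-02|User=CORP\\svc_backup|CommandLine=reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\UpdSvc /ve /t REG_SZ /d Service /f
Host=FS-02|User=CORP\\svc_backup|CommandLine=shutdown.exe /r /f /t 00
Host=IT-ADM|User=CORP\\admin|CommandLine=bcdedit.exe /deletevalue {current} safeboot
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"[{a['severity']:>8}] {a['host']:<7} {a['rule']}: {a['cmd']}")
```

The rules are deliberately narrow; in production the same logic would be fed from Sysmon Event ID 1 or Security Event ID 4688 command lines and allow-listed for known maintenance accounts.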

Recent victims of Snatch ransomware attacks include the Florida Department of Veterans’ Affairs [1], Zilli [1], CEFCO Inc. [1], the South African Department of Defense [1], and the Briars Group Ltd. [1]. Snatch threat actors conduct ransomware operations that involve data exfiltration and double extortion [3]. After exfiltrating data and demanding a ransom [3], they may threaten to post the stolen data on Snatch’s extortion blog if the ransom is not paid [3]. The FBI and CISA have released a joint advisory on the Snatch ransomware [2], providing indicators of compromise and tactics associated with this variant [2]. Snatch threat actors operate under a ransomware-as-a-service model and adapt their tactics to current cybercriminal trends [2]. Organizations are encouraged to review the advisory for recommended steps to reduce the likelihood and impact of Snatch ransomware incidents [2]. To report incidents or anomalous activity [2], contact the local FBI field office or CISA [2].

Conclusion

The Snatch ransomware poses a significant threat to critical infrastructure sectors, with its evolving tactics and ability to bypass antivirus tools. The recent victims highlight the severity of the attacks, with data exfiltration and double extortion being key components. The joint advisory from the FBI and CISA provides valuable information for organizations to mitigate the risks associated with Snatch ransomware. It is crucial for organizations to stay vigilant, review the advisory [2], and report any incidents or suspicious activity to the appropriate authorities.

References

[1] https://siliconangle.com/2023/09/20/joint-fbi-cisa-advisory-warns-snatch-ransomware-operation/
[2] https://www.redpacketsecurity.com/cisa-fbi-and-cisa-release-advisory-on-snatch-ransomware-21-09-2023/
[3] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
[4] https://www.darkreading.com/attacks-breaches/fbi-cisa-issue-joint-warning-on-snatch-ransomware-as-a-service