On September 20, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA) detailing the identification of Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the Snatch ransomware variant identified through FBI investigations as recently as June 1, 2023.
This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.
Snatch is a ransomware family operated under the Ransomware-as-a-Service (RaaS) business model that has been active since 2018. The ransomware is known for forcing compromised devices to restart in Safe Mode and for registering itself as a service that runs in Safe Mode. Because most security software does not run in that environment, Snatch encrypts the victim's files from there.
Prior to encryption, Snatch collects and exfiltrates relevant information in order to conduct a double-extortion attack: the operator contacts the victim to demand a ransom payment and, if the victim does not comply, publishes the stolen information on the group's leak blog.
Since 2021, Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged the successes of other ransomware variants’ operations. Snatch threat actors have targeted a wide range of critical infrastructure sectors including the Defense Industrial Base (DIB), Food and Agriculture, and Information Technology sectors.
AttackIQ has released a new attack graph that emulates all the observed capabilities of Snatch Team since its discovery in 2018 to help customers validate their security controls and their ability to defend against this determined adversary.
Validating your security program performance against these behaviors is vital to reducing risk. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against an adversary that continues to conduct industry-wide ransomware activities.
- Assess their security posture against activities focused on both exfiltration and encryption of sensitive information.
- Continuously validate detection and prevention pipelines against a playbook similar to those of many of the groups currently focused on ransomware activities.
[CISA AA23-263A] #StopRansomware: Snatch Ransomware
The first stage of this attack begins with the discovery of local system information, such as its network configuration and users, and continues with the deployment of the x3.exe loader, which is then used to deploy a Metasploit sample.
System Network Configuration Discovery (T1016): The network configuration of the asset is collected using standard Windows utilities like ipconfig, arp, route, and nltest.
System Owner/User Discovery (T1033): query user and whoami are called to enumerate the currently logged-on sessions and the account the attacker is running as.
Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.
The second stage of the attack begins with named pipe impersonation, continues with dumping of the Local Security Authority Subsystem Service (LSASS) process, and concludes with the exfiltration of the resulting dump file.
Access Token Manipulation: Token Impersonation/Theft (T1134.001): This scenario uses the named pipe impersonation method leveraged by Cobalt Strike to escalate privileges.
OS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating a minidump of the lsass process.
Exfiltration Over Unencrypted Non-C2 Protocol (T1048.003): This scenario compresses an LSASS minidump file and exfiltrates it in unencrypted HTTP traffic to an external server.
The third stage focuses on gathering additional information from the compromised system: general system information through Windows Management Instrumentation (WMI) and the list of running processes through the tasklist command. It then scans the network for TCP port 3389 to find hosts reachable over Remote Desktop Protocol (RDP) and attempts to move laterally to them.
System Information Discovery (T1082): This scenario executes a WMI command to learn information regarding the system’s OS.
Process Discovery (T1057): Windows' built-in tasklist command is executed as a command process and the results are saved to a file in a temporary location.
Network Service Discovery (T1046): This scenario uses nmap to scan for hosts with TCP port 3389 open, identifying the hosts the attacker could reach over RDP.
Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.
The fourth stage focuses on disabling and bypassing Windows Defender and the local firewall through the use of "Defender Control", a small tool that allows the user to disable Windows Defender completely in Windows 10.
Initially, this stage obtains information about the service associated with Windows Defender through the sc query WinDefend command. Afterwards, the tool disables Windows Defender and the firewall through registry modifications. Finally, it prevents the WinDefend service from starting at the next boot of the host.
System Service Discovery (T1007): This scenario executes the native sc utility to get the status of the Windows Defender Antivirus service.
Impair Defenses: Disable or Modify Tools (T1562.001): The registry value DisableAntiSpyware under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender is set to 1, which prevents Windows Defender from being enabled at the next reboot. Note that on current Windows 10 and Windows 11 builds with Tamper Protection turned on, Microsoft Defender ignores this legacy value, so a "prevented" result for this scenario may reflect Tamper Protection rather than a third-party control.
Service Stop (T1489): This scenario modifies the Start value under the key HKLM\System\ControlSet001\Services\WinDefend so that the Windows Defender service is not started on the next reboot.
Modify Registry (T1112): This scenario modifies the registry value EnableFirewall to turn Windows Firewall protection off.
The fifth stage consists of the deployment of safe.exe, a Go-based executable that drops batch (.bat) files used to start the encryption process. safe.exe then creates a new service on the system named mXoRpcSsx, and the stage continues with the discovery of files and directories of interest to the adversary prior to their exfiltration.
Create or Modify System Process: Windows Service (T1543.003): Creates a new service called mXoRpcSsx using the native sc.exe utility.
File and Directory Discovery (T1083): This scenario uses the native dir command to find files of interest and writes the output to a temporary file.
Exfiltration Over C2 Channel (T1041): A large amount of data is sent to an AttackIQ-controlled server using HTTP POST requests.
In the sixth and final stage of the attack, the adversary begins with a registry query to retrieve the system's boot options. It then uses the registry to force the service created in the previous stage to start when the system boots into Safe Mode.
Finally, “vssadmin.exe” will be used to delete Volume Shadow Copies and the emulation will conclude with the encryption of system files using AES-256.
Query Registry (T1012): The HKLM\SYSTEM\CurrentControlSet\Control registry key is queried to read the SystemStartOptions value, which records the options the system was booted with and therefore reveals whether it is already running in Safe Mode.
Impair Defenses: Safe Mode Boot (T1562.009): This scenario attempts, through the registry, to force a service to start when the system is booted in Safe Mode. Windows starts a service in Safe Mode only if it is listed under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal (or \Network), so an unexpected entry there is the artifact to hunt for.
Inhibit System Recovery (T1490): Runs vssadmin.exe to delete a recent Volume Shadow Copy created by the attack graph.
Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithm used by Snatch ransomware.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this adversary, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Review CISA’s Patching and Detection Recommendations:
CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations and adapting them to your environment first, to determine whether you are already affected, before reviewing the attack graph results.
2. Scheduled Task/Job: Scheduled Task (T1053.005)
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel.
2a. Detection
With an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task:
Process Name = ("cmd.exe" OR "powershell.exe")
Command Line CONTAINS ("schtasks" AND "/CREATE" AND ("cmd" OR "powershell"))
Note that this rule keys on the shell's command line. If schtasks.exe is launched directly by a non-shell parent it will not match, so also consider a variant that matches Process Name = "schtasks.exe" and inspects the task action (/TR) for a shell.
2b. Mitigation
MITRE ATT&CK has the following mitigation recommendations for Scheduled Task
- M1047 – Audit
- M1028 – Operating System Configuration
- M1026 – Privileged Account Management
- M1018 – User Account Management
3. Inhibit System Recovery (T1490)
Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.
3a. Detection
Deletion of Volume Shadow Copies is usually the first impact step to occur and can be detected from command-line activity:
Process Name = ("cmd.exe" OR "powershell.exe")
Command Line CONTAINS ("vssadmin" AND "Delete Shadows")
As with the scheduled task rule, match vssadmin.exe itself as well as the shells, since the binary can be executed without a shell parent. Matching should be case-insensitive: vssadmin accepts "delete shadows" in any case.
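The two detection rules above, written out as code so they can be run over process-creation events and tested before they go into a SIEM. This is an added example for this page, not AttackIQ code: the event shape (image path plus command line) is an assumption modelled on Sysmon Event ID 1, the sample events are constructed, and the scheduled-task rule is tightened beyond the page's version by matching schtasks.exe launched directly and by requiring the task action (/TR) rather than the whole command line to reference a shell, which avoids trivially matching on the "cmd.exe /c" prefix.

```python
"""Command-line detections for T1053.005 and T1490 over process-creation
events. Added example; events below are constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """Assumed event shape: Sysmon Event ID 1 Image and CommandLine fields."""
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    technique: str
    image: str
    command_line: str


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Case-insensitive: Windows tools accept /Create, /CREATE, Delete Shadows, etc.
SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)      # the program the task runs
SHELL_IN_ACTION = re.compile(r"\b(?:cmd|powershell|pwsh)(?:\.exe)?\b", re.I)
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*?\bdelete\s+shadows\b", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_scheduled_task(ev: ProcessEvent) -> Optional[Finding]:
    """T1053.005: schtasks /create whose task action launches a shell."""
    if _basename(ev.image) not in SHELLS | {"schtasks.exe"}:
        return None
    if not SCHTASKS_CREATE.search(ev.command_line):
        return None
    m = TASK_ACTION.search(ev.command_line)
    action = (m.group(1) or m.group(2) or "") if m else ""
    if not SHELL_IN_ACTION.search(action):
        return None
    return Finding("T1053.005", ev.image, ev.command_line)


def rule_inhibit_recovery(ev: ProcessEvent) -> Optional[Finding]:
    """T1490: vssadmin delete shadows, from a shell or invoked directly."""
    if _basename(ev.image) not in SHELLS | {"vssadmin.exe"}:
        return None
    if not VSSADMIN_DELETE.search(ev.command_line):
        return None
    return Finding("T1490", ev.image, ev.command_line)


RULES = [rule_scheduled_task, rule_inhibit_recovery]


def run_rules(events: List[ProcessEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample events: two true positives per rule family, plus benign
# schtasks and vssadmin usage that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c schtasks /create /tn "Updater" /tr "powershell -w hidden -enc AAAA" /sc onlogon'),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),
    ProcessEvent(r"C:\Windows\System32\vssadmin.exe",
                 r"vssadmin.exe delete shadows /all /quiet"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -c "vssadmin Delete Shadows /All /Quiet"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c vssadmin list shadows"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe", r"schtasks.exe /query /tn Backup"),
]


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f.technique, _basename(f.image), "|", f.command_line)
```

The benign schtasks event (a task whose action is a backup executable) is the case the page's original rule would miss or over-match depending on how the shell prefix is logged; keeping the /TR check separate makes that decision explicit and testable.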
3b. Mitigation
MITRE ATT&CK has the following mitigation recommendations for Inhibit System Recovery
- M1053 – Data Backup
- M1028 – Operating System Configuration
- M1018 – User Account Management
Wrap-up
In summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by the operators of this ransomware. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.