Ransomware gang targeting defense firms, FBI warns

The Snatch ransomware group has been learning from others to improve its own ploys, including data theft and double extortion, cyber authorities say.

A five-year-old ransomware gang is upping its game against U.S. defense firms and other companies, the FBI and Cybersecurity and Infrastructure Security Agency said Thursday.

A joint advisory says the Snatch group has been learning from others to improve its own ransomware, which locks up a victim's computers until a ransom is paid, and also allows the group to steal sensitive data and threaten to post it online, a ploy called double extortion. 

The five-year-old group is known for innovative and stealthy work, according to James McQuiggan, security awareness advocate at KnowBe4.

"Like many other ransomware groups, they like to dwell within the networks, soaking up as much data and intel about the organization," McQuiggan told Nextgov/FCW, a Defense One sister publication. "These actions reiterate the need for rapid threat detection and response before ransomware executes."

The group's members typically exploit weaknesses found in Remote Desktop Protocol and use compromised credentials to gain initial access to victims' networks, the advisory said. They can be patient as well; the group has been seen to wait three months after the initial break-in to start stealing data.

The advisory recommends that organizations limit users' access privileges, perform regular patching and segmentation, maintain consistent backups, regularly audit remote access tools on their networks, and review logs for execution of remote access software.  
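As an added example, not code from the advisory or the article, here is one way to act on the recommendation to review logs for execution of remote access software: a small Python script that parses constructed process-creation log lines and flags remote-access tools that run outside the organization's approved set. The log format, the watchlist of tool binaries and the approved list are all assumptions; tune them to the telemetry and tooling actually in use.

```python
import re
from collections import Counter

# Hypothetical watchlist of remote-access tool binaries to audit for (assumption,
# not a list from the advisory) and the subset the organization has sanctioned.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_TOOLS = {"screenconnect.clientservice.exe"}

# Constructed sample process-creation events (Sysmon-style, key=value), not real telemetry.
SAMPLE_LOG = """\
2023-09-21T03:12:05Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\svchost.exe
2023-09-21T03:14:40Z host=WS17 user=CORP\\jdoe image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe
2023-09-21T03:15:02Z host=WS17 user=CORP\\jdoe image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
2023-09-21T03:20:11Z host=DC01 user=CORP\\Administrator image=C:\\Temp\\TeamViewer.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+)$")


def parse_events(text):
    """Parse key=value log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_remote_access_executions(events, watchlist=REMOTE_ACCESS_TOOLS, approved=APPROVED_TOOLS):
    """Return events whose image basename is a watched remote-access tool not on the approved list."""
    findings = []
    for ev in events:
        exe = ev["image"].rsplit("\\", 1)[-1].lower()  # basename, case-insensitive
        if exe in watchlist and exe not in approved:
            findings.append({**ev, "tool": exe})
    return findings


def summarize_by_host(findings):
    """Count unapproved remote-access executions per host for triage."""
    return Counter(f["host"] for f in findings)


if __name__ == "__main__":
    hits = find_remote_access_executions(parse_events(SAMPLE_LOG))
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['user']} ran unapproved remote-access tool {h['tool']}")
    print(dict(summarize_by_host(hits)))
```

The same logic applies to any process-creation source (EDR, Sysmon, Windows Security event 4688) once the parser is adapted to its field layout.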

CISA and the FBI said they "strongly discourage paying ransom" and encouraged victims to report ransomware incidents to the bureau's local field offices and the cyber defense agency's reporting channel. 

CISA and the FBI have previously released similar advisories warning about ransomware groups targeting software and networks used by federal agencies, including the ransomware gang known as CL0P, which exploited a vulnerability in the popular file transfer service MOVEit earlier this year.