Snatch
Snatch is a ransomware and data-extortion threat actor, also referred to as “Snatch Team,” active since at least 2018. The group operates as ransomware-as-a-service and has been observed targeting enterprise environments in opportunistic attacks across the United States, Canada, and several European countries. Reporting also notes incidents involving Korean companies and a claimed 2021 breach of Volvo Cars in which stolen R&D data was leaked on the group’s extortion portal.

Sophos reporting describes Snatch’s intrusion model as initial access via brute-force attacks against internet-exposed services, especially RDP, followed by human-operated post-compromise activity over days or weeks. Observed tradecraft includes reconnaissance, credential theft, lateral movement, surveillance deployment, and data exfiltration. In one investigated case, the attackers brute-forced an administrator account on a Microsoft Azure server, pivoted to a domain controller, and deployed surveillance tooling to about 200 machines. Reported tooling included a ransomware component, a separate data stealer, a Cobalt Strike reverse shell, and legitimate administrative or dual-use tools such as Advanced Port Scanner, PsExec, Process Hacker, IObit Uninstaller, and PowerTool, the last of these often used to disable antivirus products. Sophos also identified a suspected custom exfiltration tool, Update_Collector.exe.

A distinctive Snatch technique is forcing Windows systems to reboot into Safe Mode before encryption, likely to evade endpoint protections that do not run in Safe Mode. The ransomware is written in Go, targets Windows 7 through Windows 10 in 32-bit and 64-bit versions, and has been reported packed with UPX. It installs itself as a Windows service named SuperBackupMan, modifies SafeBoot registry keys so that the service runs in Safe Mode, uses bcdedit.exe to force a Safe Mode reboot, then uses net.exe to stop its own service and vssadmin.exe to delete Volume Shadow Copies before encrypting local files. Encrypted files receive a pseudorandom five-character extension, and ransom note filenames include that same code.

The operators have been linked in reporting to Russian-language criminal forum activity. A suspected member using the handle BulletToothTony sought affiliates with access via RDP, VNC, TeamViewer, web shells, and SQL injection, and offered training, infrastructure, and customized Metasploit servers. Earlier ransom notes used the email address imBoristheBlade@protonmail.com. The handles Boris the Blade and Bullet Tooth Tony were noted as references to characters from the film Snatch.

Beyond encryption, Snatch is described as a data-extortion actor that publicly pressures victims. Sophos reported that the group regularly names specific individuals as “responsible” for data breaches on its leak site. Separate reporting also noted a Snatch operator warning on Telegram, after the LockBit disruption, that ransomware-as-a-service operators were all at risk. Known aliases and related names directly mentioned in the content include Snatch Team and Snatch.
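The Safe Mode reboot chain described above (SafeBoot registry modification, bcdedit forcing a Safe Mode boot, net.exe stopping the service, vssadmin deleting shadow copies) is a good candidate for a clustered detection rather than four separate single-event alerts. The script below is an added example, not code from Sophos, Mallory or the Snatch write-ups it summarises: it runs simple command-line indicators over constructed process-creation events (Sysmon Event ID 1 style: timestamp, host, parent image, command line), groups hits per host within a time window, and raises the severity when the SafeBoot persistence write and the bcdedit Safe Mode switch occur together. The indicator names, the sample hostnames, the timestamps and the registry value name are all constructed for illustration.

```python
"""Cluster Safe Mode tampering indicators per host from process-creation logs.

Hypothetical detection script written for this page; the sample events below
are constructed and do not come from any investigated incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, parent image, command line).
# WS-014 shows the full chain; WS-021 shows benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ("2023-03-01T02:11:04Z", "WS-014", "services.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ("2023-03-01T02:12:31Z", "WS-014", "cmd.exe",
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan" /ve /t REG_SZ /d Service /f'),
    ("2023-03-01T02:12:40Z", "WS-014", "cmd.exe",
     r"bcdedit.exe /set {current} safeboot minimal"),
    ("2023-03-01T02:15:02Z", "WS-014", "SuperBackupMan.exe",
     r"net.exe stop SuperBackupMan"),
    ("2023-03-01T02:15:05Z", "WS-014", "SuperBackupMan.exe",
     r"vssadmin.exe delete shadows /all /quiet"),
    ("2023-03-01T09:00:00Z", "WS-021", "explorer.exe",
     r"vssadmin.exe list shadows"),
    ("2023-03-01T09:30:00Z", "WS-021", "cmd.exe",
     r"bcdedit.exe /enum"),
]

# One regex per indicator, matched case-insensitively against the whole command line.
# The indicator names are this example's own labels, not vendor rule names.
INDICATORS = {
    "safeboot_registry_write": re.compile(
        r"\breg(?:\.exe)?\s+add\s+.*\\SafeBoot\\(?:Minimal|Network)\\", re.I),
    "bcdedit_safeboot": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+.*\bsafeboot\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "net_stop_service": re.compile(
        r"\bnet(?:1|\.exe)?\s+stop\s+\S+", re.I),
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def classify(cmdline):
    """Return the list of indicator names a single command line triggers."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(cmdline)]


def score(names):
    """Map a set of indicator names seen on one host to a severity label."""
    if {"safeboot_registry_write", "bcdedit_safeboot"} <= names:
        # Persistence into Safe Mode plus a forced Safe Mode boot: the chain the
        # write-up describes, and rarely legitimate on a workstation.
        return "high"
    if "shadow_copy_deletion" in names or "bcdedit_safeboot" in names:
        return "medium"
    return "low"


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, window=timedelta(minutes=30)):
    """Group indicator hits by host and report the worst cluster inside `window`.

    Returns {host: {"severity", "indicators", "first_seen", "evidence"}} for
    hosts with at least one hit; hosts with no hits are omitted.
    """
    hits = defaultdict(list)
    for ts, host, _parent, cmdline in events:
        for name in classify(cmdline):
            hits[host].append((parse_ts(ts), name, cmdline))

    findings = {}
    for host, rows in hits.items():
        rows.sort(key=lambda row: row[0])
        best = None
        # Slide a window starting at each hit so that a chain split across
        # a long-running intrusion is still scored on its densest part.
        for i, (start, _, _) in enumerate(rows):
            cluster = [row for row in rows[i:] if row[0] - start <= window]
            names = {name for _, name, _ in cluster}
            severity = score(names)
            if best is None or SEVERITY_RANK[severity] > SEVERITY_RANK[best["severity"]]:
                best = {
                    "severity": severity,
                    "indicators": sorted(names),
                    "first_seen": cluster[0][0].isoformat(),
                    "evidence": [cmd for _, _, cmd in cluster],
                }
        findings[host] = best
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, finding["severity"], finding["indicators"])
```

The window matters: the same four commands spread over days on a server that an administrator is genuinely repairing would score medium at most, while the tight cluster that the write-up describes (registry write, bcdedit, net stop, vssadmin within minutes) scores high. In a real pipeline the regexes would be replaced by the SIEM's field-level matches, but the grouping logic is the part that turns four noisy events into one actionable finding.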
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Known for abusing Safe Mode to run the ransomware in a state where AV/EDR products have difficulty operating.
Data extortion operation that claimed responsibility for stealing Volvo Cars R&D data and leaking it on an extortion portal.
Ransomware operators conducting opportunistic enterprise intrusions: brute-force access against exposed remote services, internal reconnaissance, credential theft, data exfiltration, AV-disabling activity, and deployment of ransomware that reboots Windows into Safe Mode before encryption.
Snatch is a ransomware group that targeted Korean companies in 2022 as part of a global ransomware campaign.