
Unmasking Snatch: A Deep Dive into the Darknet's Leaky Ransomware Group

In a striking revelation by Brian Krebs of KrebsOnSecurity, it was discovered that the Snatch ransomware group's darknet site was inadvertently revealing sensitive information about its users and the group's internal activities. This blog post will delve deeper into Snatch's history, its supposed founder, and their persistent claims of mistaken identity with an older ransomware group bearing the same name.


A joint advisory released on September 20, 2023, by the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) identified Snatch as originally being called Team Truniger, after its founder and organizer, Truniger. The advisory also noted Truniger's previous affiliation with GandCrab, a now-defunct ransomware-as-a-service offering that is believed to have extorted upwards of $2 billion from its victims before closing down in July 2019. It is speculated that GandCrab later morphed into "REvil," a notorious Russian ransomware group.



The advisory also highlighted Snatch's ransomware variant, which restarts Microsoft Windows devices into Safe Mode before encrypting. Most antivirus and endpoint protection services do not load in Safe Mode, and far fewer services of any kind are running, so the encryptor can operate with little interference and with fewer open files to contend with. Snatch has also reportedly been purchasing data previously stolen by other ransomware operations in order to pressure those victims into paying to keep it off Snatch's extortion blog.
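The Safe Mode reboot is a detectable sequence rather than a single event: a boot-configuration change, something registered to run in Safe Mode, and a forced restart, all from the same host within a few minutes. The script below is an added example of detection logic for that chain and is not Snatch code, nor the advisory's own detection guidance. The events are constructed Sysmon-style process-creation records; the command lines in them (bcdedit safeboot, a reg add under SafeBoot\Minimal, shutdown /r), the service name SuperBackupMan and the ten-minute window are assumptions about what the technique generally looks like, not samples taken from this page.

```python
"""Flag hosts that set Safe Mode boot, register a Safe Mode service and reboot
within a short window. Added example; not Snatch's code or the advisory's."""
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style EventID 1 records (host, time, image, command line).
# Command lines and the service name are illustrative assumptions.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2023-09-21T02:14:05", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {current} safeboot minimal"},
    {"host": "WS01", "time": "2023-09-21T02:14:06", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan /ve /d Service /f"},
    {"host": "WS01", "time": "2023-09-21T02:14:09", "image": r"C:\Windows\System32\shutdown.exe",
     "cmd": "shutdown /r /f /t 00"},
    # Post-encryption cleanup: removing the safeboot flag is not itself the attack stage.
    {"host": "WS01", "time": "2023-09-21T02:31:00", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /deletevalue {current} safeboot"},
    # Benign admin on another host: Safe Mode set, but no SafeBoot service and a reboot hours later.
    {"host": "WS02", "time": "2023-09-21T09:00:00", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} safeboot network"},
    {"host": "WS02", "time": "2023-09-21T13:30:00", "image": r"C:\Windows\System32\shutdown.exe",
     "cmd": "shutdown /r /t 60"},
    # Unrelated registry noise.
    {"host": "WS03", "time": "2023-09-21T10:05:00", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg query HKLM\SOFTWARE\Microsoft\Windows"},
]

SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\s.*\bsafeboot\b", re.I)
SAFEBOOT_SERVICE = re.compile(r"reg(\.exe)?\s+add\s+.*\\SafeBoot\\(Minimal|Network)\\", re.I)
REBOOT = re.compile(r"shutdown(\.exe)?\s.*(?:/r|-r)\b", re.I)


def classify(cmd):
    """Map a command line to a stage of the Safe Mode chain, or None."""
    if SAFEBOOT_SET.search(cmd) and "deletevalue" not in cmd.lower():
        return "safeboot_set"
    if SAFEBOOT_SERVICE.search(cmd):
        return "safeboot_service"
    if REBOOT.search(cmd):
        return "reboot"
    return None


def detect_safe_mode_chain(events, window=timedelta(minutes=10)):
    """Return one finding per host where a safeboot change is followed by a
    reboot inside `window`; severity is high if a Safe Mode service was also
    registered in that window, medium otherwise."""
    by_host = {}
    for e in events:
        stage = classify(e["cmd"])
        if stage:
            t = datetime.fromisoformat(e["time"])
            by_host.setdefault(e["host"], []).append((t, stage, e["cmd"]))

    findings = []
    for host, items in by_host.items():
        items.sort()
        for i, (t0, stage, _) in enumerate(items):
            if stage != "safeboot_set":
                continue
            stages = {"safeboot_set"}
            for t1, s1, _ in items[i + 1:]:
                if t1 - t0 > window:
                    break  # later events fall outside the correlation window
                stages.add(s1)
            if "reboot" in stages:
                severity = "high" if "safeboot_service" in stages else "medium"
                findings.append({"host": host, "start": t0.isoformat(),
                                 "stages": sorted(stages), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect_safe_mode_chain(SAMPLE_EVENTS):
        print(f)
```

The correlation window is the important design choice: a lone `bcdedit ... safeboot` is something an administrator does, and a lone `shutdown /r` is constant background noise, so neither is alerted on by itself. Only the ordered combination on one host within minutes is scored, and the SafeBoot service registration raises the severity because it is what lets an encryptor actually run once the machine is in Safe Mode.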


Flashpoint, a cyber intelligence firm based in New York City, reported that Snatch was created by Truniger in 2018, and that he recruited "pen testers" from Russian-language cybercrime forums, public Russian programming boards, and even Facebook. Truniger was later banned from two leading Russian cybercrime forums, whose members confirmed that Semen7907 was one of his known aliases.


Interestingly, the FBI/CISA alert acknowledged that the current operators of Snatch's domains refer to themselves as the Snatch Team and claim they are not the same group as the 2018 Snatch Ransomware. The Snatch Team insists they only deal in stolen data and do not deploy ransomware malware to hold systems hostage. They've also claimed they were unaware that a ransomware group named Snatch already existed when they formed their group two years ago.


However, this raises the question of why they are using the same domain names that the Snatch ransomware group used. If they were truly looking for a fresh start, or a separation from the past, why not simply adopt a new name and web destination? The Snatch Team's claims therefore remain suspect. While the Snatch Team may believe that stealing data and extorting companies for money is less harmful than encrypting servers and backups with ransomware, it seems more likely they are aware of how poorly some of their founders covered their tracks online and are hoping for a fresh start in that respect.

