TLP
TLP CLEAR
Author
Jordi M. Lobo
Summary
In a recent cyber attack, the Snatch Team used RDP brute force to infiltrate a network and then executed a series of sophisticated actions within a short time frame. They gained initial access by logging into a Domain Administrator (DA) account, ran various commands, and opened an RDP session to a Domain Controller (DC). On the DC, they deployed a toolset that included executables masquerading as Windows Management Instrumentation files and created an RDP tunnel through Tor. They established a Meterpreter reverse shell and maintained its communication over HTTPS. The attack involved creating persistent scheduled tasks and exfiltrating sensitive data. Ultimately, they encrypted all domain systems and demanded a ransom for decryption. Recovery in such cases poses significant challenges for large organizations. Despite their manual approach, the attackers proved effective and demanded a substantial ransom.
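The initial access in this case was an RDP brute force that ended in a successful Domain Administrator logon. The following is an added detection example written for this summary, not code from the report or from any tool it mentions. It parses a constructed, simplified log of Windows Security events (4625 failed logon, 4624 successful logon, logon type 10 for RDP) and raises an alert when one source address produces a burst of RDP failures, escalating the alert when a success from the same source follows the burst. The log format, field order, IP addresses, account names and the threshold/window values are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from the incident. One Windows Security
# event per line: timestamp, event ID, logon type, account, source address.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_LOG = """\
2024-05-01T02:10:01 4625 10 administrator 203.0.113.10
2024-05-01T02:10:04 4625 10 administrator 203.0.113.10
2024-05-01T02:10:07 4625 10 administrator 203.0.113.10
2024-05-01T02:10:09 4625 10 administrator 203.0.113.10
2024-05-01T02:10:12 4625 10 administrator 203.0.113.10
2024-05-01T02:10:15 4625 10 administrator 203.0.113.10
2024-05-01T02:12:40 4624 10 administrator 203.0.113.10
2024-05-01T09:15:00 4625 10 jdoe 198.51.100.7
2024-05-01T09:15:20 4624 10 jdoe 198.51.100.7
2024-05-01T11:00:00 4625 3 svc_backup 192.0.2.9
2024-05-01T11:00:01 4625 3 svc_backup 192.0.2.9
2024-05-01T11:00:02 4625 3 svc_backup 192.0.2.9
2024-05-01T11:00:03 4625 3 svc_backup 192.0.2.9
2024-05-01T11:00:04 4625 3 svc_backup 192.0.2.9
2024-05-01T11:00:05 4625 3 svc_backup 192.0.2.9
"""

# Assumed simplified line layout (real event logs need a proper parser).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<event_id>\d{4})\s+(?P<logon_type>\d+)\s+"
    r"(?P<account>\S+)\s+(?P<source>\S+)$"
)

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"  # RemoteInteractive


def parse_events(text):
    """Parse the constructed log format into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on sources with >= threshold RDP logon failures inside `window`.

    Only logon type 10 events count, so a noisy service account failing over
    the network (type 3) does not trigger. An 'attempt' alert fires when the
    burst reaches the threshold; a 'success' alert fires when a 4624 from the
    same source follows the burst inside the window, the pattern of a brute
    force that worked and should be treated as a compromised account.
    """
    failures = defaultdict(list)  # source -> timestamps of recent RDP failures
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = ev["source"]
        # keep only failures still inside the sliding window
        failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["event_id"] == FAILED_LOGON:
            failures[src].append(ev["ts"])
            if len(failures[src]) == threshold:  # fire once per burst
                alerts.append({"type": "attempt", "source": src,
                               "account": ev["account"],
                               "failures": threshold, "at": ev["ts"]})
        elif ev["event_id"] == SUCCESS_LOGON and len(failures[src]) >= threshold:
            alerts.append({"type": "success", "source": src,
                           "account": ev["account"],
                           "failures": len(failures[src]), "at": ev["ts"]})
            failures[src].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the detector raises an `attempt` alert on the fifth failure from 203.0.113.10 and a `success` alert when the same source logs in two minutes later; the single failure from jdoe and the type-3 failures from svc_backup produce nothing. In a real deployment the same logic would run over 4625/4624 events shipped from every RDP-exposed host and the DCs, with the success case routed as a high-severity incident.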
TIMELINE

DATA
We provide data on attacks weekly, hoping to help raise awareness of threats through their data.
CATEGORY
Ransomware