Blog · Scenario

Snatch Ransomware

By Detecteam, 2023-10-19

TLP

TLP CLEAR

Author

Jordi M. Lobo

Summary

In a recent cyber attack, the Snatch Team used RDP brute force to infiltrate a network and rapidly executed a series of sophisticated actions within a short time frame. They gained initial access by logging into a Domain Administrator (DA) account, performed various commands, and initiated an RDP session with a Domain Controller (DC). On the DC, they deployed a toolset that included executables masquerading as Windows Management Instrumentation files and created an RDP tunnel through TOR. They established a Meterpreter reverse shell and maintained communication via HTTPS. The attack involved creating persistent scheduled tasks and exfiltrating sensitive data. Ultimately, they encrypted all domain systems, demanding a ransom for decryption. Recovery in such cases poses significant challenges for large organizations. Despite their manual approach, the attackers proved to be effective and demanded a substantial ransom.
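The behaviours summarised above (a tool dropped under a WMI-looking name outside its normal directory, scheduled tasks for persistence, and HTTPS beaconing from the dropped tool) are all visible in Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records, which is the event type in the dataset attached below. The following detector is an added example written for this post; it is not Detecteam code and does not use the attached dataset. The sample events are constructed, and the list of WMI binary names and their home directories are assumptions a practitioner would tune to their own environment.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Namespace used by Windows event-log XML exports, including Sysmon.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: binary names an intruder might reuse to blend in with WMI,
# and the only directories where those binaries legitimately execute from.
WMI_BINARIES = {"wmiprvse.exe", "wmic.exe"}
WMI_HOME_DIRS = {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"}

# Constructed sample: five Sysmon-shaped events on a host named DC01.
# Event 1 is a legitimate WMI provider host; event 2 is the same name
# running from a user-writable path; event 3 creates a scheduled task that
# points at it; events 4 and 5 are outbound 443 connections from each.
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>1</EventID><Computer>DC01</Computer></System><EventData>
<Data Name="ProcessGuid">{G1}</Data>
<Data Name="Image">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name="CommandLine">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID><Computer>DC01</Computer></System><EventData>
<Data Name="ProcessGuid">{G2}</Data>
<Data Name="Image">C:\Users\Public\WmiPrvSE.exe</Data>
<Data Name="CommandLine">C:\Users\Public\WmiPrvSE.exe</Data>
</EventData></Event>
<Event><System><EventID>1</EventID><Computer>DC01</Computer></System><EventData>
<Data Name="ProcessGuid">{G3}</Data>
<Data Name="Image">C:\Windows\System32\schtasks.exe</Data>
<Data Name="CommandLine">schtasks.exe /create /sc onlogon /tn "Updater" /tr C:\Users\Public\WmiPrvSE.exe</Data>
</EventData></Event>
<Event><System><EventID>3</EventID><Computer>DC01</Computer></System><EventData>
<Data Name="ProcessGuid">{G2}</Data>
<Data Name="Image">C:\Users\Public\WmiPrvSE.exe</Data>
<Data Name="DestinationIp">203.0.113.10</Data>
<Data Name="DestinationPort">443</Data>
</EventData></Event>
<Event><System><EventID>3</EventID><Computer>DC01</Computer></System><EventData>
<Data Name="ProcessGuid">{G1}</Data>
<Data Name="Image">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name="DestinationIp">198.51.100.7</Data>
<Data Name="DestinationPort">443</Data>
</EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict: id, computer, plus every EventData field."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        record = {
            "id": int(system.findtext("e:EventID", namespaces=NS)),
            "computer": system.findtext("e:Computer", namespaces=NS),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            record[d.get("Name")] = d.text or ""
        events.append(record)
    return events


def detect(events):
    """Return (rule, host, detail) alerts. Events must be in chronological order
    so a process-creation alert can be correlated with its later connections."""
    alerts = []
    flagged_guids = set()  # ProcessGuids of processes already judged suspicious
    for ev in events:
        if ev["id"] == 1:
            image = PureWindowsPath(ev.get("Image", ""))
            name = image.name.lower()
            # Masquerading: WMI binary name executing outside its home directory.
            if name in WMI_BINARIES and str(image.parent).lower() not in WMI_HOME_DIRS:
                flagged_guids.add(ev.get("ProcessGuid"))
                alerts.append(("masquerading_wmi_binary", ev["computer"], str(image)))
            # Persistence: any scheduled-task creation is worth reviewing on a DC.
            if name == "schtasks.exe" and "/create" in ev.get("CommandLine", "").lower():
                alerts.append(("scheduled_task_created", ev["computer"], ev["CommandLine"]))
        elif ev["id"] == 3:
            # Correlation: HTTPS egress from a process flagged above, not from every 443 client.
            if ev.get("ProcessGuid") in flagged_guids and ev.get("DestinationPort") == "443":
                detail = f"{ev.get('Image')} -> {ev.get('DestinationIp')}:443"
                alerts.append(("suspicious_process_https_egress", ev["computer"], detail))
    return alerts


def analyze_sample():
    return detect(parse_events(SAMPLE_XML))


if __name__ == "__main__":
    for rule, host, detail in analyze_sample():
        print(f"[{rule}] {host}: {detail}")
```

The egress rule deliberately fires only for processes the masquerading rule has already flagged; alerting on every outbound 443 connection would bury the signal on any real host. To run it over the attached export, pass the file contents to `parse_events` in place of `SAMPLE_XML`.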

TIMELINE

DATA

We publish data for one attack each week, hoping to raise awareness of threats through the data they leave behind.

windows_sysmon.xml.zip (download)

CATEGORY

Ransomware

REFERENCES

  • https://thedfirreport.com/2020/06/21/snatch-ransomware/
  • https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/

MITRE ATT&CK

Post Tags:

  • T1003.001 - LSASS Memory
  • T1021.001 - Remote Desktop Protocol
  • T1027 - Obfuscated Files or Information
  • T1036.004 - Masquerading as Legitimate Application
  • T1046 - Network Service Discovery
  • T1069 - Permission Groups Discovery
  • T1070.004 - File Deletion
  • T1071 - Application Layer Protocol
  • T1071.001 - Web Protocols
  • T1078 - Valid Accounts
  • T1078.002 - Domain Accounts
  • T1110.001 - Brute Force: Password Guessing
  • T1112 - Modify Registry
  • T1133 - External Remote Services
  • T1219 - Remote Access Software
  • T1486 - Data Encrypted for Impact
  • T1583.003 - Virtual Private Server

Detecteam

Detecteam is transforming cybersecurity detection from static rule-writing to autonomous, continuous validation. Our REFLEX platform automates the detection lifecycle—building, testing, validating and deploying detections in minutes, not months. We help enterprises maximize ROI on existing tools, close high-risk detection gaps faster, and scale security outcomes without scaling headcount. This is the future of detection-as-code, and we’re leading it.
