Throughout 2024, cybersecurity researchers and threat intelligence analysts have tracked a significant coordinated campaign by the Snatch ransomware group targeting Canadian organizations across healthcare and government sectors. The campaign demonstrates the group's evolving tactics and particular interest in critical infrastructure organizations. Snatch has emerged as one of the more sophisticated ransomware-as-a-service operations, with evidence of careful victim selection, technical sophistication, and operational security practices that distinguish them from many other ransomware gangs.
About the Snatch Ransomware Group
Snatch is a relatively newer but increasingly dangerous ransomware-as-a-service operation that first appeared in 2018. The group has gradually evolved into one of the more sophisticated ransomware operations, characterized by:
- Careful selection of high-value targets in critical sectors
- Extended reconnaissance before attack deployment
- Focus on healthcare and government organizations
- Sophisticated lateral movement and persistence techniques
- Professional operational security and communications
- Technical capability and rapid response to defense measures
- Double extortion tactics combining encryption and data theft
The 2024 Canadian Campaign
In 2024, threat intelligence analysts identified a coordinated campaign by Snatch targeting multiple Canadian organizations. The campaign characteristics include:
- Initial access through compromised credentials or VPN vulnerabilities
- Extensive reconnaissance to identify critical systems and valuable data
- Lateral movement using legitimate credentials and administrative tools
- Data exfiltration before ransomware deployment
- Selective encryption of critical systems while avoiding certain operational systems
- Professional negotiation of ransoms with careful attention to organizational ability to pay
Targeted Sectors in Canada
Snatch has demonstrated particular focus on critical Canadian sectors:
- Healthcare organizations including hospitals and health authorities
- Government agencies at federal and provincial levels
- Financial services and banking infrastructure
- Utilities and critical infrastructure operators
- Large manufacturing and industrial organizations
The targeting of healthcare and government reflects the group's understanding that these sectors face pressure to pay ransoms quickly to restore critical services affecting public welfare.
Attack Methodology
Analysis of Snatch attacks reveals a consistent methodology:
- Initial reconnaissance through public information gathering and network scanning
- Identification of entry points including unpatched systems and weak access controls
- Credential harvesting through phishing or compromised vendor accounts
- Establishment of persistence mechanisms ensuring continued access
- Lateral movement across network to identify critical systems and data
- Extensive reconnaissance of backup and disaster recovery systems
- Careful coordination of data theft and encryption to maximize disruption and pressure
Canadian Defensive Response
Canadian government agencies and organizations have responded to the Snatch campaign with several initiatives:
- Public advisories from Canadian Centre for Cyber Security
- Increased information sharing between government and critical infrastructure operators
- Enhanced monitoring for Snatch indicators of compromise
- Coordination with international law enforcement on investigation
- Guidance to organizations on hardening defenses against Snatch tactics
Key Indicators of Compromise
Organizations can defend themselves by identifying Snatch indicators of compromise:
- Unusual lateral movement using legitimate credentials
- Large data transfers to unusual external destinations
- Modification of backup and recovery configurations
- Deployment of reconnaissance tools (Mimikatz, Bloodhound, etc.)
- Suspicious scheduled task creation and persistence mechanisms
- Unusual administrative activity during off-hours
- Presence of common Snatch tools and variants
Defensive Recommendations
Canadian organizations can strengthen defenses against Snatch and similar groups:
- Implement multi-factor authentication on all critical systems
- Deploy advanced endpoint detection and response (EDR) capabilities
- Maintain offline, immutable backups of critical data
- Implement network segmentation to limit lateral movement
- Conduct regular security awareness training for employees
- Monitor for suspicious lateral movement and data exfiltration
- Develop and test incident response plans specifically for ransomware
- Engage external threat intelligence services to monitor threat actor activity