Ransomware group's evolving tactics pose growing threat


A joint advisory from the FBI and the nation’s cyber defense agency warns that a persistent threat actor is advancing its tactics and targeting critical infrastructure sectors.

The FBI and Cybersecurity and Infrastructure Security Agency released a joint advisory Thursday warning that a ransomware gang is increasingly evolving its tactics while targeting the Defense Industrial Base and critical infrastructure sectors, including Information Technology and food and agriculture. 

The Snatch ransomware group has been advancing its internal operations since 2021, according to the advisory, borrowing from the recent successes of other threat actors to improve its own data exfiltration and double extortion, in which stolen data is also published on a publicly accessible extortion blog if the victim does not pay. 

The group has remained a persistent threat since 2018 and continues to leverage innovative tactics to evade detection and carry out its attacks, according to James McQuiggan, security awareness advocate at KnowBe4. 

"Like many other ransomware groups, they like to dwell within the networks, soaking up as much data and intel about the organization," McQuiggan told Nextgov/FCW. "These actions reiterate the need for rapid threat detection and response before ransomware executes."

The advisory indicates that Snatch threat actors typically exploit weaknesses in Remote Desktop Protocol (RDP) and use compromised credentials to gain initial access to victims' networks. Cybercriminals associated with the group were observed moving laterally and exfiltrating data during dwell times of up to three months on a victim's systems. 

The advisory recommends that organizations grant users only the access privileges they need, patch regularly, segment their networks and maintain regular backups.

Other recommendations cover basic hygiene such as regularly auditing the remote access tools present on the network and reviewing logs for execution of remote access software. Organizations should also use security software to detect unauthorized remote access tools, permit only authorized remote access solutions, and implement application controls so that unapproved software cannot run. 
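The two checks the advisory points at, a log review for remote access software and attention to RDP as an initial access path, can be run as a small triage script over Windows Security log exports. The following is an added example written for this article, not code from CISA, the FBI or the advisory: it parses a handful of constructed log records (a simplified `key=value` export, not a real EVTX format), flags process creation events (event ID 4688) for remote access tools that are not on an organization's allowlist, and flags source IPs with bursts of failed RDP logons (event ID 4625, logon type 10) followed by a successful logon (4624) from the same address. The tool watchlist, the allowlist, the thresholds and every host, user and IP address are illustrative assumptions.

```python
"""Triage Windows Security log records for remote access tool execution and
RDP password guessing.  Added example, not part of the CISA/FBI advisory.
Event IDs 4688 (process creation), 4625 (failed logon) and 4624 (successful
logon) and logon type 10 (RemoteInteractive/RDP) are standard; everything
else below (tools, allowlist, thresholds, sample data) is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative watchlist of remote access tool binaries (assumption).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
    "ateraagent.exe", "splashtop.exe", "rustdesk.exe",
}
# Assumed allowlist: the one tool this hypothetical organization authorizes.
AUTHORIZED_TOOLS = {"screenconnect.clientservice.exe"}

# Constructed sample records, not real telemetry.  Pipe-separated key=value
# pairs; timestamps are ISO 8601.
SAMPLE_LOG = """\
time=2023-09-01T02:00:00|event_id=4625|host=DC01|src_ip=203.0.113.5|logon_type=10|user=administrator
time=2023-09-01T02:00:07|event_id=4625|host=DC01|src_ip=203.0.113.5|logon_type=10|user=administrator
time=2023-09-01T02:00:15|event_id=4625|host=DC01|src_ip=203.0.113.5|logon_type=10|user=admin
time=2023-09-01T02:00:22|event_id=4625|host=DC01|src_ip=203.0.113.5|logon_type=10|user=backup
time=2023-09-01T02:00:31|event_id=4625|host=DC01|src_ip=203.0.113.5|logon_type=10|user=svc_sql
time=2023-09-01T02:05:40|event_id=4624|host=DC01|src_ip=203.0.113.5|logon_type=10|user=backup
time=2023-09-01T02:06:10|event_id=4688|host=DC01|user=backup|image=C:\\Users\\backup\\Downloads\\AnyDesk.exe
time=2023-09-01T08:30:00|event_id=4688|host=WS17|user=jsmith|image=C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe
time=2023-09-01T08:31:00|event_id=4688|host=WS17|user=jsmith|image=C:\\Windows\\System32\\notepad.exe
time=2023-09-01T09:12:00|event_id=4625|host=WS17|src_ip=10.0.4.22|logon_type=10|user=jsmith
"""


def parse_record(line):
    """Parse one simplified record into a dict; time -> datetime, event_id -> int."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["event_id"] = int(fields["event_id"])
    return fields


def load_records(text):
    """Parse every non-empty line of a log export."""
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def unauthorized_tool_executions(records):
    """(host, user, image) for 4688 events whose image is a watchlisted remote
    access tool that is not on the allowlist.  Matches on the file name only;
    a renamed binary would evade this and needs hash or signer checks."""
    hits = []
    for r in records:
        if r["event_id"] != 4688:
            continue
        image = r["image"].rsplit("\\", 1)[-1].lower()
        if image in REMOTE_ACCESS_TOOLS and image not in AUTHORIZED_TOOLS:
            hits.append((r["host"], r["user"], image))
    return hits


def rdp_bruteforce_sources(records, threshold=5, window=timedelta(minutes=10),
                           logon_types=("10",)):
    """Source IPs with at least `threshold` failed RDP logons inside any
    sliding `window`.  Sorted for stable output."""
    failures = defaultdict(list)
    for r in records:
        if r["event_id"] == 4625 and r.get("logon_type") in logon_types:
            failures[r["src_ip"]].append(r["time"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def logons_from_flagged_sources(records, flagged):
    """(src_ip, user, host) for successful logons (4624) from a flagged IP:
    a password-guessing burst followed by success is the compromised-credential
    initial access the advisory describes."""
    flagged = set(flagged)
    return [(r["src_ip"], r["user"], r["host"]) for r in records
            if r["event_id"] == 4624 and r.get("src_ip") in flagged]


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print("unauthorized remote access tools:", unauthorized_tool_executions(recs))
    bad_ips = rdp_bruteforce_sources(recs)
    print("RDP password-guessing sources:", bad_ips)
    print("successful logons from those sources:", logons_from_flagged_sources(recs, bad_ips))
```

Two caveats for anyone adapting this to real logs: when Network Level Authentication is enabled, failed RDP attempts are commonly recorded with logon type 3 rather than 10, so the `logon_types` filter needs widening (and then narrowing by other fields, since type 3 also covers SMB and other network logons); and the file-name match in `unauthorized_tool_executions` is only a first pass, since a renamed or memory-loaded tool will not appear under its usual name.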

CISA and the FBI said they "strongly discourage paying ransom" and encouraged victims to report ransomware incidents to the bureau's local field offices and the cyber defense agency's reporting channel. 

CISA and the FBI have previously released similar advisories warning about ransomware groups targeting software and networks used by federal agencies, including the ransomware gang known as CL0P, which exploited a vulnerability in the widely used MOVEit Transfer file transfer software earlier this year.