In December 2019, Sophos published an analysis of Snatch ransomware. In June 2020, DFIR Report provided a case study, and in July 2020, LIFARS wrote an article about Snatch ransomware having been detected in attacks in June.
Since then, the Snatch leak site has continued to add victims and the media (including DataBreaches) has continued to report on their attacks, but somehow, none of us reporting on Snatch seemed to know that there had been a seismic shift in their operations. On some date unknown to DataBreaches, the gang that took its name as fans of the movie “Snatch” was no longer a ransomware gang. To say that DataBreaches was surprised to realize that we might have been misreporting them as a ransomware gang would be an understatement.
Their change only became clear after they opened an interesting Telegram channel in July that started providing more details on some of their attacks and leaks. On August 18, they began a series of posts explaining how they attacked IXPERTA. If you read their detailed disclosure of how they gained access and proceeded, you’ll find no mention of deploying any malware.
Shortly after that interesting series of posts, they published a post about themselves that began:
After the publication of the South Africa Defense Ministry data leak (https://t.me/snatch_info/137) we have found a huge number of articles about us and the current situation in South Africa. We looked through them and saw, unfortunately, the same mistake which the media repeat from year to year without bothering to check the data and research the history of the project. And we decided to help them.
First of all we have nothing to do with the Snatch ransomware project that appeared in 2019 and existed for about 2 years. We are the Security Notification Attachment (SNAtch for short) Team, a group specializing exclusively in leaked sensitive data. We don’t deal with locking companies or critical infrastructure, we don’t aim to stop a company from operating by attacking it with software that blocks the control servers. If journalists analyze our work carefully, they will see that not a single client of ours has been attacked by a malware that can be called Snatch.
Yes, many of them have been attacked by various ransomware, as we are open for cooperation and often groups that work in this direction give us unique confidential data that were leaked from the attacked companies. But once again, the Snatch locker that we are compared to in the media has never been used.
[….]
So the main thing that we want to say and convey to you is that the Security Notification Attachment Team (SNAtch for short) has nothing to do with the Snatch ransomware project.
DataBreaches, who was provided with a way to obtain more information from Snatch about their activities, reached out to a spokesperson to follow up on the post. In response, and to illustrate how they were not using ransomware, they provided DataBreaches with details on their recently revealed attack on South Africa’s Department of Defence — an attack that the government initially tried to dismiss as “fake news.”
As with the IXPERTA breach, there was nothing in the following description that involved any ransomware or encryption of files:
The attack on the South Africa Republic began back in 2022, in the fall. A vulnerability was discovered in the Defense Department network. Before the attack began we published on our resource an extracted file with the data of employees and their call signs. We used data from this to call employees with a message about the vulnerability. We were simply ignored, although the call sign of the person with whom we tried to establish communication was an indicator of the breach itself. After that we launched a large-scale attack on the resource. About 1.6 TB of information was extracted, mostly personal data of Defense Ministry employees, military personnel, weapons contracts. And we put all this away for a while. We remembered about it only in the summer of 2023 and again tried to bring the information about the breach and the already downloaded data to the Ministry of Defense, the Cabinet of Ministers and the President of the country in person. But we have faced a complete misunderstanding of the situation and the position that “if my personal laptop is not hacked, I don’t care”. During this time the network perimeter has not been changed; the same gaps have remained until now. Only because of the current large amount of more important and interesting work do we not continue attacking and extracting additional information from the network. Although we know that there is much more information about illegal mining, agent networks, secret service employees’ data, correspondence of high-ranking officials including their international supervisors. We’re probably going to put active directories in the open access, as we have already done many times. We will provide anyone who wants to dig into all this information the opportunity of further publication on our resources.
As you can see we have nothing to do with Snatch Ransomware. We are Security Notification Attachment and deal only with data leakages.
In response, DataBreaches wrote:
I really appreciate the above. I just don’t know when things really changed from being Snatch ransomware group to this newer Snatch. Two years ago? Which breach or leak was the first SNAtch but not Snatch ransomware? And why was there never any announcement on the site that Snatch was no longer Snatch ransomware? And am I still dealing with the same people who were in Snatch Ransomware, or are they all gone and you are all a new unrelated group?
Their spokesperson answered:
The thing is that Snatch Ransomware and Security Notification Attachment are completely unrelated projects. We started a year ago and all our work is mentioned on our website. None of our targets has been attacked by Ransomware Snatch and we were not even interested in the history of Ransomware development, so we didn’t pay attention to the fact that there was once a similar project, but with a different approach. We avoid attacks in which the company’s work can be blocked, which can have terrible consequences if we are talking about the social sector, for example. We work exclusively with data and never offer our clients decryptors, because we simply do not have them. We are not a snatch ransomware, but if you want a short name it is SNAtch Team.
DataBreaches then challenged them about the fact that the URL for the leak site had never changed, so, “Are you the same people with just a different project now or are you different people?”
“Yes, we never changed anything,” their spokesperson answered me. “We are a different project with different people.”
SNAtch Team has now added the Canadian Nurses Association (CNA) to their leak site. When it was originally added in May, media reports such as one in ITWorld noted that CNA admitted that there was an incident but would not respond to questions as to whether it was a ransomware attack.
Today, SNAtch confirmed to DataBreaches that the attack did not involve any ransomware or encryption.
So should SNAtch still be described as a ransomware gang? No. We are back to the days of hacking, exfiltrating, and then making what some might call an “extortion” demand to get paid to delete data or not leak it. Whether we call it “extortion” or “ransom” may be a matter of preference, but going forward, DataBreaches thinks we need to stop calling events ransomware attacks if there was no malware deployment attempted or completed.