The Snatch Ransomware Gang's Attack on Alinabal

The Snatch ransomware gang has attacked Alinabal. Alinabal is a company that specializes in precision motion control and engineered solutions for a wide range of industries, including aerospace, defense, industrial, and transportation. The company designs and manufactures high-quality precision components crucial in various mechanical and structural applications. Snatch posted Alinabal to its data leak site on July 29th but provided no further information.

Snatch is a RaaS (Ransomware as a Service) that emerged in 2018 but did not become significantly active until 2021. Snatch can evade security tools and delete Volume Shadow Copies to prevent rollbacks and local Windows backups to thwart recovery. There has also been a Linux version observed.

Increasing Attack Volume

Snatch attack volume has been modest compared to leading ransomware operators but is on pace to increase about 50% in 2023 compared to 2022.

Ransom Demands

Snatch ransom demands are relatively low compared to leading ransomware operators, ranging from several thousand to tens of thousands of dollars. Snatch is written in Go and is somewhat unique in that the ransomware reboots in safe mode to ensure the security tools are not running. Persistence and privilege escalation are not byproducts of the reboot.

Snatch abuses legitimate tools like Process Hacker, Uninstaller, IObit, BCDEDIT, PowerTool, and PsExec. Snatch deletes Volume Shadow Copies to prevent encryption rollbacks.

Targeting Strategy

Snatch targeting varies widely based on their affiliates' preferences.

Snatch is one of the more traditional RaaS platforms, where most of the targeting and attack sequence structure is left to the individual affiliates, including whether to exfiltrate data for double extortion.