Hawbaker Engineering Targeted by Snatch Ransomware Group

Hawbaker Engineering has allegedly been attacked by the Snatch ransomware group. No further details of the incident have been disclosed. Since 2002, Hawbaker Engineering has been providing civil engineering, surveying, land development, and construction management services. The company takes pride in tailoring its services to fit its client’s needs and budget.

Introduction to Snatch Ransomware

Snatch is a RaaS (Ransomware as a Service) that first emerged way back in 2018 but did not become significantly active until 2021. Snatch can evade security tools and delete Volume Shadow Copies to prevent rollbacks and any local Windows backups to thwart recovery. There has also been a Linux version observed.

Snatch Attack Volume and Demands

Snatch attack volume has been modest compared to leading ransomware operators but increased about 50% in 2023 compared to 2022 levels. Snatch ransom demands are relatively low compared to leading ransomware operators, ranging from several thousand to tens of thousands of dollars.

Technical Details of Snatch

Snatch is written in Go and is somewhat unique in that the ransomware reboots in safe mode to make sure the security tools are not running. Persistence and privilege escalation are not byproducts of the reboot. Snatch abuses legitimate tools like Process Hacker, Uninstaller, IObit, BCDEDIT, PowerTool, and PsExec. Snatch deletes Volume Shadow Copies to prevent encryption rollbacks.

Targeting and Affiliates

Snatch targeting varies widely based on their affiliates' preferences. Snatch is one of the more traditional RaaS platforms, where most of the targeting and attack sequence structure is left to the individual affiliates, including whether to exfiltrate data for double extortion.