Snatch attacks Seven Seas Group

Incident Date:

March 5, 2024

World map



Snatch attacks Seven Seas Group


Seven Seas Group




Dubai, United Arab Emirates

, United Arab Emirates

First Reported

March 5, 2024

Seven Seas Falls Victim to Snatch Ransomware Attack

The Emirati maritime services group Seven Seas has been added to the list of victims of the Snatch ransomware group. Previously, the group had allegedly fallen victim to another ransomware group, DragonForce, which last December claimed to have exfiltrated and fully published 26.4 GB of data. Therefore, the alleged attack by Snatch could simply be a new exposure of data previously exfiltrated by DragonForce.

Seven Seas is a global maritime services group that specializes in providing general ship supplies, stores, provisions, and leading technical maritime brands through its extensive global network. Over five decades, Seven Seas has strived to be a trusted partner to our customers. Founded in 1971, Seven Seas operates throughout the Asia Pacific, the Middle East and Africa, Europe, and the Americas, with a global network focused on delivering exceptional customer service that “Keeps you sailing”.

About Snatch Ransomware

Snatch is a RaaS first emerged way back in 2018 but did not become significantly active until 2021. Snatch can evade security tools and deletes Volume Shadow Copies to prevent rollbacks and any local Windows backups to thwart recovery. There has also been a Linux version observed. Snatch attack volume has been modest compared to leading ransomware operators but increase about 50% in 2023 compared to 2022 levels.

Snatch ransom demands are relatively low compared to leading ransomware operators, ranging from several thousand to tens of thousands of dollars. Snatch is written in Go and is somewhat unique in that the ransomware reboots in safe mode to make sure the security tools are not running. Persistence and privilege escalation are not byproducts of the reboot. Snatch abuses legitimate tools like Process Hacker, Uninstaller, IObit, BCDEDIT, PowerTool, and PsExec. Snatch deletes Volume Shadow Copies to prevent encryption rollbacks.

Snatch targeting varies widely based on their affiliates preferences. Snatch is one of the more traditional RaaS platforms, where most of the targeting and attack sequence structure is left to the individual affiliates, including whether to exfiltrate data for double extortion.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.