Snatch attacks South African Department of Defence

Incident Date:

August 21, 2023

World map



Snatch attacks South African Department of Defence


South African Department of Defence




Pretoria, South Africa

, South Africa

First Reported

August 21, 2023

The Snatch Ransomware Gang's Attack on the South African Department of Defence

The Snatch ransomware gang has attacked the South African Department of Defence. The South African Department of Defence (DoD) is the government department responsible for the defense, security, and military affairs of the Republic of South Africa. Its primary role is to safeguard the country's sovereignty, territorial integrity, and national security.

Snatch posted the South African Department of Defence to its data leak site on August 21st, claiming to have stolen 1.6TB of military contracts, internal call signs, and personal data. Snatch is a RaaS first emerged way back in 2018 but did not become significantly active until 2021.

How Snatch Operates

Snatch can evade security tools and deletes Volume Shadow Copies to prevent rollbacks and any local Windows backups to thwart recovery. There has also been a Linux version observed. Snatch attack volume has been modest compared to leading ransomware operators but is on pace to increase about 50% in 2023 compared to 2022 levels.

Snatch ransom demands are relatively low compared to leading ransomware operators, ranging from several thousand to tens of thousands of dollars. Snatch is written in Go and is somewhat unique in that the ransomware reboots in safe mode to make sure the security tools are not running. Persistence and privilege escalation are not byproducts of the reboot.

Snatch abuses legitimate tools like Process Hacker, Uninstaller, IObit, BCDEDIT, PowerTool, and PsExec. Snatch deletes Volume Shadow Copies to prevent encryption rollbacks.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.