Snatch Ransomware Gang Adds Cyber Insurance Twist on Double Extortion


August 21, 2023

The Snatch ransomware gang appears to be putting a new twist on the double extortion gambit: giving cyber insurers details of how they infected victims in order to nullify coverage if those victims refuse to pay the ransom demand.

Double extortion is a very common tactic used by ransomware gangs to compel victims to pay a ransom demand. Variations include data exfiltration with the threat to expose or sell the data, threats to notify the victim’s customers their data has been breached, denial of service (DoS) attack threats, and more.

Snatch Extortion Note – Credit: Bret Callow

Threat actors began using double extortion tactics to counter a victim’s ability to restore systems and data from backups or other means of recovery that do not include paying the attackers in order to receive a decryption key.

Takeaway: The threat to expose infection vectors and provide details to cyber insurers if victims fail to pay is yet another clever twist on the double extortion tactic and could put victims in a tricky situation when considering the best course of action following a successful ransomware attack.

For example, if a victim organization did decide to pay a ransom because they believe that the attack details would invalidate their insurance coverage, they could be putting themselves in legal jeopardy for withholding material information from their insurer and from stakeholders.

This isn’t the first time a ransomware gang has tried to leverage insurers by putting victim organizations in an ethical and legal tight spot: back in March, HardBit began instructing victims to provide details of their cyber insurance coverage so the attackers can properly set the ransom demand.

“The hackers tell victims to anonymously provide them with the details of their cyber insurance <sic> so that they can set the ransom amount accordingly,” SecurityWeek reported.

“The HardBit operators say they do not want to demand more than what the victim can recover from the insurance company, but they also don’t want to be offered a low amount by the insurer’s representatives.”

Victim organizations should keep in mind that even good-faith negotiations with ransomware attackers to set an amount and terms for payment could face intense scrutiny by their insurer, by law enforcement, and by regulators.  

Furthermore, any payment to ransomware operators who may be under international sanctions restrictions could land an organization and its leadership in very serious trouble.

No organization should ever entertain any offer of collusion with attackers. By doing so they would expose their organizations to a degree of legal jeopardy that simply is not worth contemplating.