Recent Articles
How To Recover Overwritten Files
The Snowflake Data Breach: A Comprehensive Overview
Mac Not Recognizing External Hard Drive: Quick Fix Solutions
How Multi-Cloud Backup Solutions Can Prevent Data Disasters
Capibara Ransomware: What is it & How to Remove
What Should a Company Do After a Data Breach: The Ticketmaster Incident
Secles Ransomware: Removal Guide
What To Do When Your Chromebook Freezes
How to Create Hyper-V Backup
What Is The Best Data Recovery Software For PC
Heloise Montini
Heloise Montini is a content writer whose background in journalism make her an asset when researching and writing tech content. Also, her personal aspirations in creative writing and PC gaming make her articles on data storage and data recovery accessible for a wide audience.
Laura Pompeu
With 10 years of experience in journalism, SEO & digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.
Bogdan Glushko
CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years, he's been able to help restore data after logical errors, physical failures, or even ransomware attacks, for individuals, businesses, and government agencies alike.
I think there's an issue with my storage device, but I'm not sure Start a free evaluation →
I need help getting my data back right now Call now (800) 972-3282
Snatch is not a new threat, this ransomware family and its variants have been attacking organizations and businesses since 2019. It’s a high-risk malware that locks and exfiltrates victims’ data. Hackers then demand a ransom payment in exchange for the decryption key and a “guarantee” that they won’t leak the data on their Tor website, this tactic is known as double extortion.
The Snatch ransomware takes advantage that Windows does not run safety mechanisms on endpoint devices when the system reboots in Safe Mode. Then, to avoid detection, the malware forces the infected machines to reboot in Safe Mode.
What kind of malware is Snatch?
Snatch ransomware is a type of malware that is particularly stealthy. It utilizes publicly available and built-in tools for its malicious activities and has been known to target businesses in a range of sectors including healthcare, finance, and retail.
The Snatch ransomware is also known to exfiltrate victims’ sensitive and critical data before encrypting it and then threatening to leak it unless they pay the ransom.
Its encryption algorithm uses a combination of symmetric and asymmetric encryption. The malware generates a unique RSA-2048 keypair on the victim’s computer, which is used to encrypt files with AES-256 symmetric encryption algorithm. The public key is then encrypted using a hardcoded public key included in the malware and sent to the attackers’ server.
The attackers then use their private key to decrypt the victim’s public key and send back a decryption key that can be used to recover the encrypted files.
Everything we know about Snatch ransomware
This list contains the basic information about the new ransomware strain known as Snatch.
Confirmed Name
- Snatch virus
Threat Type
- Ransomware
- Stealthy Malware
- Crypto Virus
- Files locker
- Double extortion
Encrypted Files Extension
- .snatch
- .snake
- .jimm
- .googl
- .dglnl
- .ohwqg
- .wvtr0
- .hceem
Ransom Demanding Message
- Readme_Restore_Files.txt
- Restore_JIMM_Files.txt
- RESTORE_DGLNL_FILES.txt
- RESTORE_HCEEM_DATA.txt
- RESTORE_WVTR0_FILES.txt
- DECRYPT_GOOGL_FILES.txt
- DECRYPT_OHWQG_FILES.txt
Detection Names
- Avast Win64:Evo-gen [Trj]
- AVG Win64:Evo-gen [Trj]
- Emsisoft Generic.Ransom.Snatch.5D562140 (B)
- Kaspersky Trojan.Win32.DelShad.ea
- Malwarebytes Generic.Malware/Suspicious
- Microsoft VirTool:MSIL/CryptInject
Ransomware family, type & variant
There are many variants of the Snatch ransomware, but some of them use their own encryption method and extensions for encrypted files.
Distribution methods
- Phishing emails
- Malicious email attachments
- Social engineering
Consequences
- Data exfiltration
- File encryption
Is There a Free Decryptor Available?
No. There is no known public decryptor for Snatch ransomware available at this time.
What are Snatch ransomware’s IOCs?
Indicators of Compromise (IOCs) are artifacts observed on a network or in an operating system that indicate a computer intrusion with high confidence. IOCs can be used for early detection of future attack attempts using intrusion detection systems and antivirus software.
Snatch ransomware’s Indicators of Compromise (IOCs) include:
- Inability to open files stored on your computer. After infecting a system, Snatch ransomware encrypts the victim’s files and makes them inaccessible.
- Previously functional files are no longer accessible. Snatch ransomware replaces the original files with encrypted versions that can only be decrypted with a specific key known only to the attackers.
- Messages demanding payment. After encrypting the victim’s files, Snatch ransomware displays a message demanding payment in exchange for a decryption key that will allow the victim to access their files again.
- The system reboots into Safe Mode. Snatch ransomware is known to reboot infected systems into Safe Mode in order to bypass antivirus and other security software.
How do you find Snatch ransomware’s ransom note
The Snatch ransom note is short and explains the steps victims must take in order to retrieve their data. The note states that the easiest path back to the company functioning normally is to pay the ransom.
Do not pay the ransom or negotiate with the threat actors. Contact SalvageData experts immediately to restore your files and report the ransomware to local authorities.
Sample of the Snatch ransom note:
How does Snatch ransomware spread
Snatch ransomware is a dangerous malware that can infect a computer or network in several ways, including:
- Spam and phishing emails that pretend to be legit businesses. Scammers send emails that appear to be from legitimate businesses, such as PayPal, UPS, FedEx, and others. These emails contain links or attachments that put your data and network at risk. One click on a link or one download of an attachment can lock everyone out of your network.
- Social engineering. It is a type of cyber attack that relies on human interaction to trick victims into divulging sensitive information, clicking on links or attachments, or taking other security-compromising actions. The goal of social engineering attacks is to exploit human psychology and behavior in order to gain access to sensitive information or systems. Attackers may impersonate a trusted authority figure, such as a bank representative or IT technician, or create a sense of urgency or fear in order to pressure the victim into taking action.
How does Snatch ransomware infect a computer or network
Snatch ransomware is known for its ability to bypass antivirus software by rebooting the infected computer into Safe Mode, where most security software does not run.
Once Snatch infects a system, it begins to encrypt files and adds a “.snatch” or variants extension to the filenames. The attackers then demand payment in exchange for a decryption key that will restore access to the encrypted files.
In addition to file encryption, Snatch ransomware is also known to steal sensitive data, such as login credentials and financial information, from infected systems.
How to handle a Snatch ransomware attack
Important: The first step after identifying Snatch IOCs is to resort to your Incident Response Plan (IRP). Ideally, you have an Incident Response Retainer (IRR) with a trusted team of professionals that can be contacted 24/7/365, and they can take immediate action that will prevent data loss, reduce or eliminate the ransom payment, and help you through any legal liabilities.
To the best of our knowledge with the information we have at the time this article is published, the first step that a team of ransomware recovery experts would take is to isolate the infected computer by removing any connected device.
Simultaneously this team will assist you in contacting your country’s local authorities. For US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3). To report a ransomware attack you must gather every information you can about it, including:
- Screenshots of the ransom note
- Communications with Snatch actors (if you have them)
- A sample of an encrypted file
However, if you don’t have an IRP or IRR, you can still contact ransomware removal and recovery professionals. This is the best course of action and greatly increases the chances of successfully removing the ransomware, restoring the data, and preventing future attacks. We recommend that you leave every infected machine as they are and call an emergency ransomware recovery service.
Restarting or shutting down the system may compromise the recovery process. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file might be reverse-engineered and lead to the decryption of the data or understanding of how it operates.
What NOT to do to recover from a Snatch ransomware attack
You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.
1. Contacting your Incident Response provider
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively in the event of a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. The specific nature and structure of an incident response retainer will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, then they will take care of everything else. However, if you decide to remove the ransomware and recover the files with your IT team, then you can follow the next steps.
2. Identify the ransomware infection
You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), or it will be on the ransom note. With this information, you can look for a public decryption key.
You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
3. Remove the ransomware and eliminate exploit kits
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
Use anti-malware/anti-ransomware software to quarantine and remove the malicious software.
Important: By contacting ransomware removal services you can ensure that your machine and network have no trace of the Snatch ransomware. Also, these services can patch your system, preventing new attacks.
4. Use a backup to restore the data
Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.
5. Contact a ransomware recovery service
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, you should contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup of it. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent the Snatch ransomware from attacking your network again.
Also, we offer a digital forensic report that you can use for further investigation and to understand how the cyber attack happened.
Contact our experts 24/7 for emergency recovery service.
Prevent the Snatch ransomware attack
Preventing ransomware is the best solution for data security. is easier and cheaper than recovering from them. Snatch ransomware can cost your business’s future and even close its doors.
These are a few tips to ensure you can avoid ransomware attacks:
- Install antivirus and anti-malware software.
- Utilize strong and secure passwords.
- Apply Multi-Factor Authentication (MFA).
- Keep software and operating systems up to date.
- Implement firewalls.
- Create a data recovery plan.
- Regularly scheduled backups of your data.
- Avoid email attachments and downloads from unknown or suspicious sources.
- Access websites only from trusted sources.
By adhering to these practices, you can fortify your online security and protect yourself from potential threats.
