Cyber Threat Actor: Snatch
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
16 incidents |
|---|
Profile
Snatch, also known as Snatch Team or Snatch Group, is a ransomware operation that has been active since at least 2018 and is described as Russian‑speaking and Russian‑linked in open‑source reporting. The gang’s moniker derives from the Guy Ritchie film *Snatch*, and it has claimed responsibility for a series of attacks that share a consistent technical approach: forcing compromised Windows systems to reboot into safe mode in order to disable resident antivirus software before executing data theft and encryption. This safe‑mode tactic has been highlighted by researchers from Sophos as a notable feature of the group’s malware, enabling them to steal and encrypt files while security tools are inactive. Snatch routinely employs double extortion, wherein exfiltrated data is threatened for public release on its Tor‑based leak site unless a ransom is paid, while simultaneously encrypting victim files to disrupt operations. Ransom demands observed in public reports have ranged from approximately $2,000 to $35,000 in Bitcoin, indicating a financially motivated objective centered on monetary gain rather than espionage or pure disruption.
The group’s victim profile spans multiple industries and geographic regions, reflecting a broad targeting pattern rather than a narrow sector focus. Reported incidents include a London‑based consultancy (the Briars Group), a global in‑vitro diagnostics firm (EliTech Group), a hospital in Maine (Mount Desert Island Hospital), an automotive manufacturer (SsangYong Motor), a Canadian healthcare association (Canadian Nurses Association), a major European payment processor (Ingenico), an Italian IT services company (Einatec), an Italian nonprofit youth organization (Centro Turistico Giovanile), a French defense electronics supplier (HENSOLDT France), and a U.S. school district serving nearly 20,000 students (Kenosha Unified School District). These examples illustrate that Snatch has struck organizations in Europe, North America, and elsewhere, affecting sectors such as professional services, healthcare, manufacturing, finance, information technology, nonprofit services, defense, and education. While the sources do not attribute the gang to any state sponsor or formal criminal consortium, they consistently describe Snatch as a financially driven ransomware actor that leverages safe‑mode execution and double extortion to pressure victims into paying ransoms. No additional details about internal structure, affiliate networks, or specific malware families beyond the safe‑mode ransomware variant are provided in the supplied material.
