
Cyber Incident Victim: Briars Group

Date:

Jun 2023

Location:

United Kingdom

Summary

The Briars Group was the victim of a ransomware attack claimed by the Snatch gang. The attackers employed a technique of forcing systems to reboot into safe mode to bypass antivirus protection, facilitating data theft and encryption. This double extortion tactic pressured the victim by both encrypting data and threatening to leak stolen information. The London-based consultancy, which assists businesses with overseas expansion, was one of three organizations named in the gang's dark web post.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actor: 1 actor
Type: available to members
Location: available to members

Description

On or around June 5, 2023, the Snatch ransomware gang publicly claimed responsibility for a cyberattack against Briars Group, a London-based consultancy firm. The group listed Briars Group as a victim on its dark web blog, alongside two other organizations: EliTech Group, a global molecular diagnostics company based in Paris, and Mount Desert Hospital in Maine, USA. The public announcement on the gang's blog served as the primary evidence of the compromise. The blog posts did not contain extensive details regarding the specific breach of Briars Group; they featured only the company's name accompanied by a brief description of its business operations, which involve helping other businesses expand overseas. The posts did not disclose the quantity of data allegedly stolen during the attack, nor did they provide a deadline for the victim to enter into negotiations with the threat actors.


The Snatch gang employs a distinctive modus operandi that cybersecurity researchers have singled out as particularly dangerous: the gang forces the targeted devices to reboot into Windows Safe Mode before encrypting. Safe Mode is a diagnostic boot environment that loads only a minimal set of drivers and services and does not start most third-party software, including endpoint security products such as antivirus and EDR agents. A ransomware payload that has arranged to run in that environment therefore executes with the endpoint protection effectively disarmed, giving it largely unfettered access to the host's files and letting it encrypt them without interference from the tools that would normally detect and block the activity. Two practitioner caveats apply. First, Safe Mode without networking has no network stack, so this stage serves the encryption rather than the theft; any exfiltration has to be completed beforehand, while the machine is still running normally. Second, staging a Safe Mode boot is loud: it requires a change to the boot configuration or to the Safe Mode service list, followed by a forced reboot, and those actions are visible in process-creation and registry telemetry before the encryptor ever runs.
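The page does not quote the commands Snatch uses, so the following is an added example, not code or data from the original report or from the threat actor. It hunts over constructed Windows process-creation records for the two generic Windows mechanisms by which a process can force the next boot into Safe Mode and keep its own service running there: setting the `safeboot` boot option with `bcdedit` (or `bootcfg` on legacy hosts) and registering a service under the `SafeBoot\Minimal` or `SafeBoot\Network` registry keys, followed by a forced reboot. The log format, host names and service name are assumptions made for the illustration.

```python
"""Added example: flag Safe Mode staging in process-creation telemetry.

The record format ("host=... image=... cmd=...") and every sample line
below are constructed for this illustration; they are not captured from
the incident described on the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry keys whose subkeys list the services and drivers Windows loads
# in Safe Mode.  A service registered here keeps running in Safe Mode
# while third-party security products, which are not listed, do not.
SAFEBOOT_KEYS = (
    r"system\currentcontrolset\control\safeboot\minimal",
    r"system\currentcontrolset\control\safeboot\network",
)

RECORD = re.compile(r"host=(\S+)\s+image=(\S+)\s+cmd=(.*)$")


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    reason: str


def classify(image: str, cmd: str) -> Optional[str]:
    """Return a reason if this process-creation event looks like Safe Mode
    staging or the reboot that completes it, otherwise None."""
    exe = image.lower().rsplit("\\", 1)[-1]
    c = cmd.lower()
    # bcdedit /set {current} safeboot minimal|network  -> next boot is Safe Mode.
    # bcdedit /deletevalue ... safeboot is the benign clean-up, so skip it.
    if exe == "bcdedit.exe" and "safeboot" in c and "deletevalue" not in c:
        return "boot configuration changed: next boot will enter Safe Mode"
    # Legacy boot.ini hosts use bootcfg /raw /safeboot:... instead.
    if exe == "bootcfg.exe" and "/safeboot" in c:
        return "legacy boot.ini changed to force Safe Mode"
    # Anything writing under the SafeBoot keys is registering something
    # to survive into Safe Mode; reg.exe and PowerShell are common vehicles.
    if exe in ("reg.exe", "powershell.exe") and any(k in c for k in SAFEBOOT_KEYS):
        return "service or driver registered to load inside Safe Mode"
    # shutdown /r or -r: the forced restart that activates the change.
    if exe == "shutdown.exe" and re.search(r"(^|\s)[/-]r(\s|$)", c):
        return "reboot requested"
    return None


def hunt(lines: List[str]) -> List[Finding]:
    """Parse constructed process-creation records and collect findings."""
    findings = []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        host, image, cmd = m.groups()
        reason = classify(image, cmd)
        if reason:
            findings.append(Finding(host, image.rsplit("\\", 1)[-1], reason))
    return findings


def staged_hosts(findings: List[Finding]) -> List[str]:
    """Hosts where Safe Mode was configured AND a reboot was requested: the
    combination that matches a reboot-into-Safe-Mode encryption attempt."""
    configured = {f.host for f in findings if "Safe Mode" in f.reason}
    rebooted = {f.host for f in findings if f.reason == "reboot requested"}
    return sorted(configured & rebooted)


# Constructed sample telemetry (hypothetical hosts and service name).
SAMPLE_LOG = [
    "host=WS-041 image=C:\\Windows\\System32\\svchost.exe cmd=svchost.exe -k netsvcs",
    "host=WS-041 image=C:\\Windows\\System32\\reg.exe cmd=reg add "
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\BackupSvc "
    "/ve /t REG_SZ /d Service /f",
    "host=WS-041 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {current} safeboot minimal",
    "host=WS-041 image=C:\\Windows\\System32\\shutdown.exe cmd=shutdown /r /t 0 /f",
    # SRV-02 is an admin removing a stale safeboot flag, then a scheduled restart.
    "host=SRV-02 image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /deletevalue {current} safeboot",
    "host=SRV-02 image=C:\\Windows\\System32\\shutdown.exe cmd=shutdown /r /t 60",
]

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f.host:8} {f.image:14} {f.reason}")
    print("hosts staged for a Safe Mode reboot:", staged_hosts(SAMPLE_LOG and results))
```

On the constructed input the hunt reports three findings on WS-041 (registry write, bcdedit change, forced reboot) and one on SRV-02 (reboot only), and only WS-041 is listed as staged; the `/deletevalue` clean-up on SRV-02 is deliberately not flagged so that routine administration does not page the on-call analyst. In production the same logic would be fed from Sysmon Event ID 1 or Security Event ID 4688 with command-line logging enabled, and the reboot correlation would be bounded by a time window rather than the whole batch.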

This attack methodology enables Snatch to carry out a double extortion ransomware scheme. The first prong of this attack involves the exfiltration of sensitive, often proprietary, data from the victim's network. The second prong is the encryption of the victim's data and systems, which cripples operational capabilities. The attackers then use both elements to apply pressure for payment. The victim is extorted to pay a ransom for the decryption key needed to restore their systems and a separate ransom to prevent the gang from publicly leaking or selling the stolen sensitive data on the dark web. This dual-threat approach significantly increases the likelihood of payment, as the consequences of data exposure can include regulatory fines, reputational damage, and loss of competitive advantage.

The Snatch group is a well-established cybercriminal operation. According to cybersecurity firm Sophos, the gang has been active since 2018 and is composed of Russian-speaking individuals, and its name is taken from the 2000 Guy Ritchie film of the same name. Its ransom demands have historically been modest compared with those of other ransomware operations: Coveware, a security company that specializes in extortion negotiations, reported assisting 12 Snatch victims whose ransom payments typically ranged between $2,000 and $35,000, demanded in Bitcoin. The group has nonetheless caused significant disruption, as shown by a confirmed attack on the city of Modesto, California, in February 2023. That incident reportedly crippled police department laptops, forcing officers to fall back on radios and to write down dispatch call details by hand.

At the time of the public claim against Briars Group, no specific technical details regarding the initial attack vector, such as phishing or exploitation of a specific vulnerability, were disclosed by the threat actors or identified in public reporting. Similarly, the exact scope of the intrusion into Briars Group's network, the specific systems affected, and the types of data potentially accessed or encrypted remained unknown outside of the organization. The public announcement was the first indication of the security incident for external observers. Tech Monitor attempted to contact Briars Group for comment following the dark web publication but received no response from the company at the time its article was written. There was no public information available regarding Briars Group's internal detection of the incident, their immediate response actions, any containment or eradication measures undertaken, or whether any ransom was negotiated or paid.

The primary impact of the incident stemmed from the claim of unauthorized access and data exfiltration. As a consultancy that assists businesses with international expansion, Briars Group likely possesses a significant amount of confidential client information, commercial strategies, and other proprietary data. The potential exposure of this data represents a serious threat to both Briars Group and its clients, potentially undermining business relationships and competitive positions. The secondary impact, the encryption of systems, would likely have caused direct operational disruption, hindering the company's ability to conduct its normal business functions until systems could be restored from backups or through decryption. The full extent of the financial and reputational damage to Briars Group remains unquantified in public sources. The incident serves as an example of the continued targeting of professional services firms by ransomware groups, who identify them as lucrative targets due to the sensitive nature of the data they hold.
