
Cyber Incident Victim: EliTech Group

Date: Jun 2023

Location: France

Summary

The EliTech Group, a global in-vitro diagnostics company, was targeted by the Snatch ransomware gang. The attackers employed a tactic of forcing systems to reboot in safe mode to circumvent antivirus software, enabling them to steal and encrypt data. This double extortion attack involved both seizing sensitive information to pressure the victim and encrypting data to disrupt operations, posing a significant risk of a supply chain attack through the company's diagnostic software.


Description

On or around June 5, 2023, the Snatch ransomware gang publicly claimed responsibility for a cyberattack against EliTech Group. The Paris-based global in-vitro diagnostics company was listed on the group's dark web victim blog alongside two other organizations, the Briars Group and Mount Desert Hospital. The public claim by the attackers was the first official indication of the security incident. The blog post did not contain extensive details regarding the breach; it featured the company's name and a brief description of its business operations but did not specify the volume of data allegedly seized or establish a deadline for negotiations. EliTech Group, which operates laboratories in more than 100 countries and employs over 650 people, sells diagnostic instruments and software to global partners. This business model introduced a potential risk of a supply chain attack should the ransomware operators have successfully gained access to the software provided by the company.


The Snatch gang employs a distinctive and technically notable method to facilitate its attacks. As detailed by researchers from cybersecurity firm Sophos, the group's modus operandi involves forcing infected target devices to reboot into Windows Safe Mode. This diagnostic operating system mode is stripped-down and, critically, does not automatically run any third-party software, including antivirus programs. By executing their malicious payload in this environment, the attackers effectively disarm security controls that would normally be active, granting them largely unfettered access to the system. This technique allows them to move laterally through the network, exfiltrate sensitive data, and deploy encryption routines across as many devices as possible. The Sophos researchers emphasized the severity of this tactic, stating that the risk it poses "cannot be overstated" and that they felt compelled to publish their findings as a warning to the security industry and end users.
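As an added illustration of how a defender can check for the precondition of this technique (this is not code from the original article or from Sophos), the snippet below parses the output of Windows's own `bcdedit /enum` command and flags any boot entry whose `safeboot` value is set, which is the state a host is left in before a forced Safe Mode reboot. The `bcdedit` output embedded here is constructed for the example.

```python
import re

# Constructed sample of `bcdedit /enum` output (not captured from any real host).
# The {current} entry has been switched to Safe Mode; the other entries have not.
SAMPLE_BCDEDIT_OUTPUT = """
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows 10
safeboot                Minimal

Windows Boot Loader
-------------------
identifier              {a1b2c3d4-0000-0000-0000-000000000001}
device                  partition=D:
description             Recovery image
"""


def parse_bcd_entries(text):
    """Split bcdedit output into {identifier: {key: value}} per boot entry."""
    entries = {}
    current = None
    for line in text.splitlines():
        # bcdedit prints "key<two or more spaces>value"; headings and rules do not match.
        m = re.match(r"^(\S+)\s{2,}(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "identifier":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current][key] = value
    return entries


def find_safeboot_entries(text):
    """Return [(identifier, mode)] for every entry configured to boot into Safe Mode."""
    return [(ident, vals["safeboot"])
            for ident, vals in parse_bcd_entries(text).items()
            if "safeboot" in vals]


if __name__ == "__main__":
    for ident, mode in find_safeboot_entries(SAMPLE_BCDEDIT_OUTPUT):
        print(f"ALERT: boot entry {ident} is set to Safe Mode ({mode})")
```

On a live host the same function can be fed the text of `bcdedit /enum` collected by an endpoint agent; a `safeboot` value appearing on a workstation or server that has no maintenance ticket open is worth an immediate look.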

This attack methodology supports a double extortion strategy, which is a hallmark of the Snatch group's operations. The first element of this strategy involves the encryption of critical data and systems, which cripples the victim's operational capabilities and holds them hostage. The second, concurrent element is the theft of sensitive proprietary or personal information prior to encryption. The attackers then use the threat of publicly leaking or selling this stolen data on the dark web as additional leverage to pressure the victim into paying a ransom. This dual approach creates two distinct sources of pressure on the targeted organization: the need to restore operational continuity and the imperative to prevent a potentially devastating data breach. The gang is known to be Russian-speaking and has been active since 2018. According to analysis by Sophos, the group derived its name from the 2000 Guy Ritchie film of the same name.

Historical data from Coveware, a security company specializing in extortion negotiations, provides context for the typical financial demands associated with Snatch ransomware attacks. Coveware reported having assisted 12 victims of the gang, with ransom demands typically ranging between $2,000 and $35,000, to be paid in Bitcoin. This places Snatch's demands on the lower end of the ransomware spectrum compared to some other groups, though the operational impact and data breach risks remain significant. The group had previously confirmed an attack in February against the city of Modesto, Northern Carolina, which was reported to have crippled local police department laptops and forced officers to revert to using radios and manually writing down dispatch call details.

At the time the incident was made public, the specific impacts on EliTech Group's internal operations were not detailed in the available reporting. The articles did not describe which specific systems were encrypted, the duration of any downtime, or the exact nature of the data allegedly exfiltrated. Furthermore, no information was provided regarding how the initial breach occurred, whether it was detected by internal security teams, or what immediate containment or response actions were taken by EliTech's internal IT and security personnel. The public response from the company was also not documented; Tech Monitor reported that attempts to contact EliTech for comment did not receive a response at the time of writing. The public claim on the dark web blog served as the primary source of information, and the absence of detailed posts there left many specifics of the incident's scope and scale undetermined. The consequences of the attack were therefore primarily framed by the inherent risks associated with the victim's business as a diagnostics and software provider and the known, severe capabilities of the threat actor responsible. The potential for downstream supply chain contamination through compromised software represented a significant secondary risk stemming from the initial intrusion.
