Snatch ransom gang claims City of Modesto

Snatch has taken credit for a previous ransomware attack on the California City of Modesto. The February breach had forced local police to patrol the streets using handheld radios.

The Snatch ransomware gang known for its links to Russia posted the claim on its dark-web leak site in the early morning hours of March 28.

The gang's page named Modesto in a post under the title "new" that indicated at the time of writing that more than seven thousand viewers had seen it.

Also posted were the City of Modesto logo, the official website address, and one of its apparent catchphrases, "Proudly serving, protecting, and partnering with our community for a safer Modesto."

Snatch claims City of Modesto

Cybernews also found on the Snatch home page a link to a 17-point manifesto clearly stating how the gang operates.

The group’s first claim states, “Snatch never disrupt supply chains, work of any country, government, state, city and private companies by locking, encrypting or by any other mean [sic].”

Meanwhile, the City of Modesto created an official breach notification letter on March 8, which has been reportedly sent out to the victims whose data was compromised in the attack.

“On February 3, 2023, the City experienced a cybersecurity incident that affected some of its computer systems,” the notification stated.

“During the course of the investigation, the City learned that some data was accessed during the incident between January 31, 2023, and February 3, 2023. Upon discovering the incident, we promptly took action to secure the network,” the City said.

As Cybernews reported initially, city networks had been down for a number of days, forcing the Modesto police department to embrace “old-school policing,” including the use of handheld radios, pens, and paper during patrols.

Modesto officials said that upon learning of the “suspicious activity,” the City had “strategically disconnected portions of our network out of an abundance of caution.”

The City determined on February 17 that employee files containing personally identifiable information (PII) were accessed in the attack.

The sensitive information may have included an affected worker's "name, address, Social Security number, medical information included in work status reports, driver's license number, and/or state-issued identification number."

The Modesto notification letter also said it immediately began an investigation, and a third-party cybersecurity firm was engaged to assist.

The Modesto attack happened to coincide with another ransomware attack on the nearby City of Oakland.

That attack, which the city has not completely recovered from, forced Oakland officials to shut down all municipal services for weeks.

Emergency services and 911 phone lines stayed fully operational during both the Modesto and Oakland attacks.

Security experts worked diligently to restore Oakland’s network systems, but eventually, its Mayor was forced to declare a local State of Emergency and bring in the California National Guard for help.

That attack, which began on February 8th, was claimed by the Play ransom gang.

On March 4, the Play gang published a partial leak of an alleged 10GB of the stolen data, and has since promised to release the remaining files if it does not receive payment from the city.

As of March 30, almost two months after the initial Play attack, the City of Oakland website states some services are still down and it is working to restore them.

Separately, on March 20, the Russian-affiliated ransom syndicate LockBit also claimed to have infiltrated and stolen files from the City of Oakland, but officials there have denied the claim, and the gang has not presented any proof of a hack.

Snatch is a lesser-known gang when it comes to ransomware, although it has reportedly been around since 2018.

The group is said to use a Ransomware-as-a-Service (RaaS) distribution model, gaining access to victims by exploiting Remote Desktop Protocol (RDP) vulnerabilities, and refuses to recruit English-speaking affiliates, according to software security firm Gridinsoft.

The group last made Cybernews headlines in February for successfully infiltrating the major payment-processing company Ingenico, widely used in France and Germany.

Snatch’s manifesto also states the group will always notify a victim, prioritize negotiations, and will not disclose the vulnerability exploited in the attack, except to the victim.

Once a ransom is paid, Snatch states it does not publish the stolen data. The threat to publish stolen data on top of encrypting it is what makes such incidents double-extortion ransomware attacks.

The gang also states its “negotiation process with [a] company is strictly confidential.”
