Threat Actor Profile
High
Cybercriminal
Description
Snatch is a ransomware family that reboots the victim's PC into Safe Mode before it encrypts. Most endpoint security products do not run in Safe Mode, so the malware can act without the expected countermeasures and encrypt as many files as it can reach. The payload is hidden with common packers such as UPX.
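The Safe Mode reboot described above leaves a recognisable chain in process-creation telemetry, built from the two LOLBAS tools this profile lists (BCDEdit and sc.exe): a service is installed with sc, the boot configuration is switched to Safe Mode with bcdedit, the host is rebooted, and bcdedit is run again later to clear the setting. The SafeBoot\Minimal registry check is a generalisation rather than something the page states: any service that must start in Safe Mode needs an entry under that key, so a reg add there is the tell that the actor's service was meant to survive the reboot. The Python below is an added detection example written for this profile, not code from this page or from ransomware.live; the record format, host and user names, paths, the service name ExampleSvc and the 30-minute correlation window are constructed assumptions.

```python
"""Detect the Safe Mode reboot chain in process-creation telemetry.

Added example for this profile; not code from the page or ransomware.live.
Input records use a constructed, simplified format (not raw 4688/Sysmon):
    <ISO-8601 UTC time>\t<host>\t<user>\t<command line>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One pattern per stage of the chain. Case-insensitive; each tolerates a
# quoted full image path such as "C:\Windows\System32\bcdedit.exe".
STAGE_PATTERNS = {
    # bcdedit /set {default} safeboot minimal|network: the next boot is Safe Mode
    "safeboot_set": re.compile(
        r'bcdedit(\.exe)?"?\s+[/-]set\s+\{[^}]+\}\s+safeboot\s+(minimal|network)', re.I),
    # bcdedit /deletevalue {default} safeboot: the setting is cleared after the run
    "safeboot_cleared": re.compile(
        r'bcdedit(\.exe)?"?\s+[/-]deletevalue\s+(\{[^}]+\}\s+)?safeboot\b', re.I),
    # sc create|config <svc> ...: a service the actor controls
    "service_installed": re.compile(
        r'\bsc(\.exe)?"?\s+(create|config)\s+\S+', re.I),
    # reg add HKLM\SYSTEM\...\Control\SafeBoot\Minimal\<svc>: a service must be
    # listed here (or under \Network) to be started in Safe Mode at all
    "safeboot_service_registered": re.compile(
        r'reg(\.exe)?"?\s+add\s+"?HK[A-Z_]*\\SYSTEM\\(CurrentControlSet|ControlSet\d+)'
        r'\\Control\\SafeBoot\\(Minimal|Network)\\', re.I),
    # shutdown /r: the reboot that activates the safeboot setting
    "reboot": re.compile(r'shutdown(\.exe)?"?\s+[/-]r\b', re.I),
}


def classify(cmdline):
    """Return the set of stage tags a single command line matches."""
    return {tag for tag, pat in STAGE_PATTERNS.items() if pat.search(cmdline)}


def parse_record(line):
    """Split one constructed record into (time, host, user, command line)."""
    ts, host, user, cmd = line.rstrip("\n").split("\t", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, cmd


def correlate(lines, window=timedelta(minutes=30)):
    """Group stage hits per host and grade them.

    high   : safeboot_set followed by a reboot within `window`, or paired
             with a service registered under SafeBoot (the full chain)
    medium : safeboot_set or a SafeBoot service registration on its own
    low    : only service creation or safeboot cleanup (may be admin work,
             but worth reviewing next to the other hosts)
    """
    per_host = defaultdict(list)
    for line in lines:
        ts, host, user, cmd = parse_record(line)
        for tag in classify(cmd):
            per_host[host].append((ts, tag, user, cmd))
    findings = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        tags = {h[1] for h in hits}
        set_times = [h[0] for h in hits if h[1] == "safeboot_set"]
        reboot_followed = any(
            h[1] == "reboot" and any(timedelta(0) <= h[0] - s <= window for s in set_times)
            for h in hits)
        if "safeboot_set" in tags and (reboot_followed or "safeboot_service_registered" in tags):
            severity = "high"
        elif tags & {"safeboot_set", "safeboot_service_registered"}:
            severity = "medium"
        else:
            severity = "low"
        findings[host] = {
            "severity": severity,
            "stages": sorted(tags),
            "evidence": [f"{h[0]:%H:%M:%S} {h[2]}: {h[3]}" for h in hits],
        }
    return findings


# Constructed sample telemetry: hosts, users, paths and the service name are made up.
SAMPLE_LOG = """\
2024-05-14T22:01:03Z\tWS-FIN-07\tCORP\\jdoe\t"C:\\Windows\\System32\\sc.exe" create ExampleSvc binPath= "C:\\ProgramData\\ex.exe" start= auto
2024-05-14T22:01:09Z\tWS-FIN-07\tCORP\\jdoe\treg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\ExampleSvc" /ve /t REG_SZ /d Service /f
2024-05-14T22:01:15Z\tWS-FIN-07\tCORP\\jdoe\tbcdedit /set {default} safeboot minimal
2024-05-14T22:01:20Z\tWS-FIN-07\tCORP\\jdoe\tshutdown /r /f /t 0
2024-05-14T23:10:44Z\tWS-FIN-07\tNT AUTHORITY\\SYSTEM\tbcdedit /deletevalue {default} safeboot
2024-05-14T09:12:00Z\tSRV-BUILD-02\tCORP\\itadmin\tbcdedit /set {default} safeboot network
2024-05-14T10:30:00Z\tSRV-BUILD-02\tCORP\\itadmin\tshutdown /r /t 600
2024-05-14T11:00:00Z\tWS-HR-03\tCORP\\svc_deploy\tsc config Spooler start= disabled
"""

if __name__ == "__main__":
    for host, f in sorted(correlate(SAMPLE_LOG.splitlines()).items()):
        print(f"{host:14} {f['severity']:6} {', '.join(f['stages'])}")
        for line in f["evidence"]:
            print("    " + line)
```

On the constructed sample, WS-FIN-07 shows the complete chain and is graded high; SRV-BUILD-02 sets Safe Mode boot but reboots more than 30 minutes later with no SafeBoot registry change, so it is graded medium for an analyst to confirm; WS-HR-03 only reconfigures a service and stays low. The window and the severity rules are the knobs to tune against your own admin activity before turning this into an alert.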
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Snatch is a ransomware which infects victims by rebooting the '
'PC into Safe Mode. Most of the existing security protections '
'do not run in Safe Mode so that the malware can act '
'without expected countermeasures and it can encrypt as many '
'files as it finds. It uses common packers such as UPX to hide '
'its payload.\n',
'firstseen': '2021-11-29T00:13:03.363583+00:00',
'group': 'snatch',
'has_negotiations': False,
'has_ransomnote': True,
'lastseen': '2024-05-15T01:46:00+00:00',
'locations': [{'available': False,
'fqdn': 'snatch.press',
'slug': 'http://snatch.press',
'title': 'Access Denied',
'type': 'DLS'},
{'available': False,
'fqdn': 'snatchteam.top',
'slug': 'https://snatchteam.top',
'title': 'News',
'type': 'DLS'},
{'available': False,
'fqdn': 'hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion',
'slug': 'http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion',
'title': 'News',
'type': 'DLS'},
{'available': False,
'fqdn': 'snatchteam.cc',
'slug': 'http://snatchteam.cc',
'title': 'Origin DNS error snatchteam.cc Cloudflare',
'type': 'DLS'},
{'available': False,
'fqdn': 'snatchnews.top',
'slug': 'https://snatchnews.top',
'title': 'Just a moment...',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'tiaras_metadata': {'has_negotiations': False,
'has_ransomnote': True,
'locations': [{'available': False,
'fqdn': 'snatch.press',
'slug': 'http://snatch.press',
'title': 'Access Denied',
'type': 'DLS'},
{'available': False,
'fqdn': 'snatchteam.top',
'slug': 'https://snatchteam.top',
'title': 'News',
'type': 'DLS'},
{'available': False,
'fqdn': 'hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion',
'slug': 'http://hl66646wtlp2naoqnhattngigjp5palgqmbwixepcjyq5i534acgqyad.onion',
'title': 'News',
'type': 'DLS'},
{'available': False,
'fqdn': 'snatchteam.cc',
'slug': 'http://snatchteam.cc',
'title': 'Origin DNS error snatchteam.cc '
'Cloudflare',
'type': 'DLS'},
{'available': False,
'fqdn': 'snatchnews.top',
'slug': 'https://snatchnews.top',
'title': 'Just a moment...',
'type': 'DLS'}],
'negotiation_count': 0,
'ransomnotes_count': 1,
'ransomware_live_group': 'snatch',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': [],
'Exfiltration': [],
'LOLBAS': ['BCDEdit', 'ServiceControl (sc.exe)'],
'Networking': [],
'Offsec': ['Cobalt Strike', 'Meterpreter'],
'RMM-Tools': []},
'url': 'https://www.ransomware.live/group/snatch',
'victims': 142,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': [],
'Exfiltration': [],
'LOLBAS': ['BCDEdit', 'ServiceControl (sc.exe)'],
'Networking': [],
'Offsec': ['Cobalt Strike', 'Meterpreter'],
'RMM-Tools': []},
'ttps': [],
'url': 'https://www.ransomware.live/group/snatch',
'victims': 142,
'vulnerabilities': []}