Snatch attacks Kraft Heinz Foods

Incident Date: Dec 14, 2023

Attack Overview

VICTIM: Kraft Heinz Foods
INDUSTRY: Manufacturing
LOCATION: USA
ATTACKER: Snatch
FIRST REPORTED: December 14, 2023

Ransomware Attack on Kraft Heinz by Snatch Group

The ransomware group Snatch claimed responsibility for an attack against Kraft Heinz in mid-August and made it visible on its data leak site on 14 December 2023. “We are reviewing claims that a cyberattack occurred several months ago on a decommissioned marketing website hosted on an external platform, but are currently unable to verify those claims,” a company spokesperson said. “Our internal systems are operating normally, and we currently see no evidence of a broader attack,” Kraft Heinz said. The group has yet to publish any files as proof of their claims.

Kraft Foods and Kraft Heinz

Kraft Foods is an American food manufacturing and processing conglomerate. It became part of Kraft Heinz on July 2, 2015.

About Snatch Ransomware

Snatch is a RaaS that first emerged in 2018 but did not become significantly active until 2021. Snatch can evade security tools, and it deletes Volume Shadow Copies and any local Windows backups to prevent rollbacks and thwart recovery. A Linux version has also been observed. Snatch attack volume has been modest compared to leading ransomware operators but is on pace to increase about 50% in 2023 compared to 2022 levels.

Snatch ransom demands are relatively low compared to leading ransomware operators, ranging from several thousand to tens of thousands of dollars. Snatch is written in Go and is somewhat unique in that the ransomware reboots in safe mode to make sure the security tools are not running. Persistence and privilege escalation are not byproducts of the reboot.

Snatch abuses legitimate tools like Process Hacker, Uninstaller, IObit, BCDEDIT, PowerTool, and PsExec. Snatch deletes Volume Shadow Copies to prevent encryption rollbacks. Snatch targeting varies widely based on its affiliates' preferences. Snatch is one of the more traditional RaaS platforms, where most of the targeting and attack sequence structure is left to the individual affiliates, including whether to exfiltrate data for double extortion.
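A detection sketch for the behaviours described above, added here as an example and not taken from the original page: it scans process-creation events for safe-mode boot configuration via BCDEDIT and for Volume Shadow Copy deletion, and escalates a host when both appear close together. The command-line patterns, event layout, host names and the 30-minute window are assumptions; the page names the tools and behaviours, not exact command lines.

```python
import re
from datetime import datetime, timedelta

# Patterns are assumptions based on standard Windows tool syntax;
# the page names the behaviours and tools, not exact command lines.
RULES = {
    "safeboot_config": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "dual_use_tool": re.compile(r"\b(psexec(64)?|processhacker|powertool)(\.exe)?\b", re.I),
}

# Constructed sample process-creation events: (host, timestamp, command line).
SAMPLE_EVENTS = [
    ("WS-01", "2024-01-01T02:10:05", r"C:\Windows\System32\bcdedit.exe /set {default} safeboot minimal"),
    ("WS-01", "2024-01-01T02:11:40", r"vssadmin.exe delete shadows /all /quiet"),
    ("WS-02", "2024-01-01T09:00:00", r"C:\Tools\PsExec64.exe \\srv-03 ipconfig /all"),
    ("WS-03", "2024-01-01T10:00:00", r"vssadmin.exe list shadows"),
    ("WS-04", "2024-01-01T11:00:00", r"bcdedit.exe /enum"),
]

def match_rules(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def correlate(events, window=timedelta(minutes=30)):
    """Map host -> 'critical' when safe-mode configuration and shadow copy
    deletion both occur within `window`, else 'review' for any other hit."""
    hits = {}
    for host, ts, cmd in events:
        for rule in match_rules(cmd):
            hits.setdefault(host, []).append((datetime.fromisoformat(ts), rule))
    verdicts = {}
    for host, seen in hits.items():
        safeboot = [t for t, r in seen if r == "safeboot_config"]
        vss = [t for t, r in seen if r == "shadow_copy_delete"]
        paired = any(abs(a - b) <= window for a in safeboot for b in vss)
        verdicts[host] = "critical" if paired else "review"
    return verdicts

if __name__ == "__main__":
    for host, verdict in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, verdict)
```

Read-only invocations such as `vssadmin list shadows` or `bcdedit /enum` do not match, and a lone dual-use tool hit stays at "review" because those tools also have legitimate administrative use.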
