UPDATED 19:37 EDT / DECEMBER 14 2023

SECURITY

Kraft Heinz launches investigation after ransomware gang claims to have stolen data

Multinational food company Kraft Heinz Co. is investigating a cyberattack that resulted in the alleged theft of data by a ransomware gang.

The attack came to light after the Snatch ransomware gang named Kraft Foods as a victim on its dark web leaks site on Dec. 14. The gang claimed that the attack took place in August, with the details only being revealed now. However, the gang did not provide proof of the hack.

In a statement, a spokesperson for Kraft Heinz told Bleeping Computer today that it’s investigating whether a cyberattack on a decommissioned marketing website is related to Snatch’s claims but noted that it had not experienced any issues on its corporate network.

Snatch was the subject of a cybersecurity advisory by the U.S. Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency published in September. The gang first appeared in 2018 and operates on a ransomware-as-a-service model, providing ransomware to affiliates who pay to use it to launch ransomware attacks. Affiliates have previously used Snatch to target critical infrastructure sectors, including companies and organizations in the defense, food, agriculture and information technology sectors.

Snatch operates on a so-called double-extortion basis, both encrypting data and stealing it — demanding that a ransom be paid not only for a decryption key but also for a promise that the stolen data will not be published on Snatch’s leaks site. Previous Snatch victims include the Florida Department of Veterans Affairs, Zilli, CEFCO Inc., the South African Department of Defense and Briars Group Ltd.

How Snatch may have gained access to Kraft Heinz is currently unknown, but its methodology in past attacks has been well-documented.

“Snatch is known for compromising devices to restart in Safe Mode to collect and exfiltrate activities of relevant information and encrypt victim’s files,” Andrew Costis, chapter lead of the Adversary Research Team at AttackIQ Inc., told SiliconANGLE. “Snatch threat actors have consistently evolved their tactics to take advantage of current trends in the cybercriminal space and leveraged the successes of other ransomware variants’ operations.”

Using details provided in the FBI and CISA joint advisory, “organizations can actively emulate Snatch ransomware TTPs to pinpoint any vulnerabilities in their security and incident response capabilities,” Costis added. “For large organizations that are vulnerable to ransomware attacks, prioritizing threat detection and response, informed by continuous testing against the adversary can significantly mitigate risks.”

Image: Kraft Heinz
