News > Cyber-Attacks > CA-General
by Kevin Wood

Federal Authorities Sound the Alarm on Snatch Ransomware Group Following Claims of a Veterans Affairs Breach

Unmasking the Digital Marauders: Data Snatchers at Play

In a new development, the Snatch ransomware collective, notorious for their cyber-criminal activities, has announced via their covert dark-web portal that they have allegedly breached the data of the Florida Department of Veterans Affairs. Federal agencies are actively urging businesses and institutions to be vigilant, particularly for signs of digital intrusion that can be attributed to this notorious group.

However, a word of caution is due. As of now, there is no concrete evidence that substantiates the group’s claims about pilfering veterans’ information. When approached by The Register for a confirmation, the Florida Department of Veterans Affairs has not yet provided a response or acknowledgment of any such breach. We remain committed to offering updates on this issue as we receive more details.

Delving deeper into Snatch’s operational blueprint, it becomes evident that they run a sophisticated ransomware-as-a-service enterprise. Their malicious endeavors have plagued various critical sectors. These range from defense industrial base companies to vital sectors like food and agriculture and even IT corporations.

It’s not their first rodeo, though. Just a month ago, Snatch affiliates were in the headlines for leaking data, which they claimed to have illicitly obtained earlier from Modesto during a devastating ransomware assault on the Californian city.

A hallmark of Snatch’s operations involves tactics of data theft combined with double-extortion. As per sources, after siphoning off data, the Snatch criminals often engage directly with their victims. They demand ransoms, coupled with the threat of publicizing the stolen data on their dark-web blog, if the demanded sum is not paid promptly. This grim strategy was elaborated in a joint advisory released recently by the FBI in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA).

This advisory is particularly enlightening. It showcases a compilation of digital fingerprints and signs of breaches linked to the Snatch group, based on exhaustive FBI probes spanning from September 2022 to June 2023. Those concerned about potential breaches should give this section a meticulous read.

Delving into Snatch’s modus operandi, they employ a variety of strategies to infiltrate and sustain access within their victims’ digital ecosystems. A primary method, however, is the exploitation of Remote Desktop Protocol (RDP) deployments targeting Windows systems. They force entry by brute force, seizing administrative privileges to roam freely within an organization’s digital terrain.

Interestingly, there are instances where these cyber-criminals have procured stolen or leaked RDP credentials from hidden online bazaars, utilizing these to gain unauthorized entry.

Reflecting on the gravity of RDP vulnerabilities, it’s noteworthy that both the FBI and CISA had previously, in May, disseminated a collective warning. This alert emphasized restricting RDP usage to mitigate risks, particularly those associated with the BianLian ransomware strain.

Further insights from the latest FBI-CISA bulletin reveal:

Post intrusion, Snatch culprits employ an assortment of tactics to explore the network, pinpointing and pilfering valuable data. This may involve leveraging command-line scripts and sophisticated software tools like Metasploit and Cobalt Strike.

It has been observed that Snatch operatives can linger unnoticed on a compromised network for up to three months before releasing their ransomware payload. Their techniques also encompass efforts to incapacitate antivirus solutions and deploying an executable labeled “safe.exe” during ransomware’s initial phases.

A particularly crafty move involves naming the ransomware executable using a sequence of hexadecimal characters. This naming corresponds to the SHA-256 hash of the file, a tactic designed to evade rule-based detection mechanisms, as the cybersecurity alert highlighted.

Once the ransomware gets activated, it uses inherent Windows functionalities to launch batch files, occasionally attempting to obliterate the systems’ shadow copies. Following data encryption, victims are presented with a text document named “how to restore your files” in every affected directory.

Communication from Snatch to its victims isn’t just limited to digital means. They also engage through emails, the Tox messaging service, and their dark-web outlet. There have been reports of victims getting deceptive calls from a woman purporting to represent Snatch, guiding them to the group’s extortion platform.

In conclusion, federal agencies offer advice to shield against such threats. Central to their recommendations is the vigilant monitoring of remote access tools within organizational networks.