The Snatch ransomware team has listed the Florida Department of Veterans Affairs as one of its latest victims on its dark-web leak site, just as the federal government warns organizations to watch for signs of compromise linked to the extortion gang.
To be clear, we cannot confirm whether the criminals actually stole any veterans’ data. We have contacted the department, but have not yet received a response. We will update this story if we hear back.
Snatch is a ransomware-as-a-service operation whose affiliates have compromised a wide range of critical infrastructure sectors, including defense industrial base companies, food and agriculture, and IT companies.
Just last month, extortionists affiliated with the crew leaked data allegedly stolen from Modesto, California, during a ransomware attack on the city earlier this year.
Data theft and double-extortion tactics are reportedly common among Snatch affiliates.
“After a data breach that involves direct communication with a victim demanding a ransom, Snatch threat actors may blackmail the victim with double extortion, and if the ransom is not paid, the victim’s data are posted on Snatch’s extortion blog,” the joint advisory said. The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) issued the advisory on Wednesday.
The alert also includes a list of indicators of compromise obtained through FBI investigations between September 2022 and June 2023, and defenders should pay close attention to that section of the report.
According to the advisory, Snatch affiliates use several methods to gain access to victims’ networks and maintain persistence. Their primary method of infiltration, however, is abusing exposed Remote Desktop Protocol (RDP) deployments to break into Windows systems: brute-forcing their way in, then obtaining administrator credentials to snoop through an organization’s network.
In some cases, the criminals are said to have purchased stolen or leaked RDP credentials on underground markets and used those logins to break in.
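The RDP brute-force pattern the advisory describes leaves a recognisable trail in the Windows Security log: a burst of failed logons (event ID 4625, logon type 10 for RemoteInteractive/RDP) from one source address, often cycling through account names, and in the worst case followed by a successful logon (4624) from the same source. The detector below is an added example, not code from the advisory or The Register; the log records are constructed, simplified JSON stand-ins for the real events, and the five-failures-in-five-minutes threshold is an assumed starting point to tune for your environment.

```python
"""Flag RDP brute-force bursts (and the success that may follow) in
Windows Security events 4625 (failed logon) and 4624 (successful logon).

Added example; the SAMPLE_LOG records are constructed, simplified stand-ins
for real event data, one JSON object per line."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10          # LogonType 10 = RemoteInteractive, i.e. RDP
FAIL_THRESHOLD = 5           # assumed: failures per window that count as a burst
WINDOW = timedelta(minutes=5)

# Constructed sample: one source cycling account names over RDP until a
# service account works, one user mistyping a password once, one console logon.
SAMPLE_LOG = "\n".join([
    '{"time": "2023-06-01T02:00:01", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"}',
    '{"time": "2023-06-01T02:00:10", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "admin"}',
    '{"time": "2023-06-01T02:00:25", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "administrator"}',
    '{"time": "2023-06-01T02:00:40", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "backup"}',
    '{"time": "2023-06-01T02:01:00", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "svc_backup"}',
    '{"time": "2023-06-01T02:01:20", "id": 4625, "logon_type": 10, "ip": "203.0.113.7", "user": "svc_backup"}',
    '{"time": "2023-06-01T02:01:40", "id": 4624, "logon_type": 10, "ip": "203.0.113.7", "user": "svc_backup"}',
    '{"time": "2023-06-01T02:30:00", "id": 4625, "logon_type": 10, "ip": "198.51.100.4", "user": "jsmith"}',
    '{"time": "2023-06-01T02:31:00", "id": 4624, "logon_type": 10, "ip": "198.51.100.4", "user": "jsmith"}',
    '{"time": "2023-06-01T03:00:00", "id": 4625, "logon_type": 2, "ip": "-", "user": "console"}',
])


def parse_events(log_text):
    """Parse one JSON record per line into dicts with a real datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return events


def detect_rdp_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for sources that reached `threshold`
    failed RDP logons inside a sliding `window`.  The summary carries the
    total failure count, the account names tried, and any accounts that
    later logged in successfully over RDP from the same source."""
    events = sorted(parse_events(log_text), key=lambda e: e["time"])
    recent = defaultdict(deque)        # ip -> (time, user) of failures in window
    total_failures = defaultdict(int)  # ip -> all RDP failures seen so far
    findings = {}
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                   # console/network logons are out of scope here
        ip = ev["ip"]
        if ev["id"] == 4625:
            total_failures[ip] += 1
            q = recent[ip]
            q.append((ev["time"], ev["user"]))
            while q and ev["time"] - q[0][0] > window:
                q.popleft()            # drop failures older than the window
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "accounts": set(), "succeeded_as": []})
                f["failures"] = total_failures[ip]
                f["accounts"].update(user for _, user in q)
        elif ev["id"] == 4624 and ip in findings:
            # A success after a flagged burst is the case that needs a call, not a ticket.
            findings[ip]["succeeded_as"].append(ev["user"])
    return findings


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, summary)
```

A single mistyped password from 198.51.100.4 never reaches the threshold and is ignored, while 203.0.113.7 is flagged on its fifth failure and the later 4624 as svc_backup is attached to the finding. In production the same logic runs over events pulled from the domain controllers or a SIEM, and the account-name spread per source is usually the quickest way to tell password spraying from one user locked out of their own session.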
It’s also worth noting that the FBI and CISA issued a similar joint warning in May about restricting the use of RDP to reduce the risk of BianLian ransomware infections.
According to the new FBI-CISA warning, once criminals have established a presence on a network they use a variety of tactics to move laterally, locate data, and steal it. These include command-line scripts and software tools such as Metasploit and Cobalt Strike.
The FBI observed Snatch affiliates spending as long as three months on victim networks before deploying ransomware. During the early stages of deployment the criminals also attempt to disable antivirus software and run an executable named “safe.exe”.
“For recent victims, the name of the ransomware executable consisted of a hexadecimal string that matched the file’s SHA-256 hash to disable rule-based detection,” the advisory noted.
The ransomware payload itself uses native Windows tools to execute a batch file and, in some cases, attempts to delete all of the system’s shadow copies. After encrypting the data, it leaves a text file titled “How to recover files” in each folder.
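Naming the executable after its own SHA-256 hash defeats any rule that keys on a fixed filename, but it also creates a property almost no legitimate binary has: the file name is the hash of the file’s contents. The hunt script below turns that into a check, flagging files whose 64-hex-character name matches their own SHA-256 exactly and, as a weaker signal, any 64-hex-character file name that does not match (a renamed payload, or a file modified after it was dropped). This is an added example, not code from the advisory or The Register; the sample directory it builds is constructed on the fly with dummy bytes, not real malware.

```python
"""Hunt for executables named after their own SHA-256 hash, the naming trick
the FBI-CISA advisory attributes to recent Snatch payloads.

Added example; build_sample_tree() creates constructed dummy files so the
hunt can be run offline."""
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")   # a SHA-256 hex digest is 64 hex chars


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt_hash_named_files(root):
    """Walk `root` and return (exact, suspicious):
    exact      - files whose name (minus extension) equals their own SHA-256
    suspicious - files with a 64-hex name that does NOT match (renamed or
                 modified after drop; still worth a look)
    Files with ordinary names are skipped without being hashed."""
    exact, suspicious = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        stem = path.name.split(".", 1)[0]   # strip the extension, if any
        if not HEX64.match(stem):
            continue                        # cheap filter before any hashing
        if stem.lower() == sha256_file(path):
            exact.append(path)
        else:
            suspicious.append(path)
    return exact, suspicious


def build_sample_tree():
    """Constructed sample directory: one dummy 'payload' named after its own
    hash, one 64-hex name that does not match, and one ordinary file."""
    root = Path(tempfile.mkdtemp(prefix="hash_name_hunt_"))
    payload = b"MZ\x90\x00 constructed stand-in, not a real binary"
    (root / (hashlib.sha256(payload).hexdigest() + ".exe")).write_bytes(payload)
    (root / "sub").mkdir()
    (root / "sub" / ("ab" * 32 + ".exe")).write_bytes(b"renamed after the fact")
    (root / "notepad.exe").write_bytes(b"MZ ordinary program")
    return root


if __name__ == "__main__":
    exact, suspicious = hunt_hash_named_files(build_sample_tree())
    print("name == own sha256:", [p.name for p in exact])
    print("64-hex name, no match:", [p.name for p in suspicious])
```

Point the hunt at the places a payload tends to land (user profiles, ProgramData, the Windows temp directories) rather than the whole disk, and pair it with the advisory’s own indicators: the hash-name check finds an executable that evades a filename rule, but the “safe.exe” drop, the batch file and the shadow-copy deletion that follow are the events to alert on while there is still time to act.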
Snatch affiliates may also communicate with victims through email, the Tox messaging platform, and the crew’s dark-web leak site. Some victims have reported receiving spoofed calls from a woman claiming to be affiliated with Snatch, who directed the compromised organizations to the extortion site.
The feds also suggest ways to minimize the risk of Snatch activity, and, perhaps unsurprisingly, monitoring an organization’s use of remote access tools tops the list. ®