Feds raise alarm over Snatch ransomware as extortion crew brags of Veterans Affairs hit
Invasion of the data snatchers
The Snatch ransomware crew has listed on its dark-web site the Florida Department of Veterans Affairs as one of its latest victims – as the Feds warn organizations to be on the lookout for indicators of compromise linked to the extortionist gang.
To be clear: we can't verify that the miscreants have actually stolen any veterans data as they claim. The Register asked the department and has yet to receive confirmation of an infection. We will update this story if we hear back from the US state.
Snatch is a ransomware-as-a-service operation, and its affiliates have compromised a range of critical infrastructure sectors, including defense industrial base companies, food and agriculture, and IT firms.
Data theft and double-extortion tactics are common among Snatch affiliates, we're told.
"After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims' data will be posted on Snatch's extortion blog if the ransom goes unpaid," according to a joint advisory issued by the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday.
The alert also includes a list of indicators of compromise obtained through FBI investigations between September 2022 and June 2023, so we suggest paying close attention to that section of the report.
According to the advisory, Snatch affiliates use several methods to gain access and maintain persistence on victims' networks. But their primary method of breaking and entering involves abusing Remote Desktop Protocol (RDP) deployments to compromise Windows systems, brute forcing their way in, and obtaining admin credentials to snoop around on organizations' networks.
In some cases, these criminals have bought stolen or leaked RDP credentials on underground marketplaces, and used those login details to sneak in, we're told.
It's also worth noting that the FBI and CISA in May issued a similar joint warning about limiting the use of RDP to lessen the risk of a BianLian ransomware infection.
According to the new FBI-CISA warning:
Snatch threat actors gain persistence on a victim's network by compromising an administrator account and establishing connections over port 443 to a command and control (C2) server located on a Russian bulletproof hosting service. Per IP traffic from event logs provided by recent victims, Snatch threat actors initiated RDP connections from a Russian bulletproof hosting service and through other virtual private network (VPN) services.
Once they've established a presence on the network, the miscreants use various tactics to move laterally, and find and steal data, the government agencies said. This includes using command-line scripting and software tools such as Metasploit and Cobalt Strike.
The FBI has observed Snatch affiliates spending as much as three months on victims' networks before deploying ransomware. The criminals also try to disable antivirus software, and run an executable named "safe.exe" during the early stages of ransomware deployment.
"In recent victims, the ransomware executable's name consisted of a string of hexadecimal characters which match the SHA-256 hash of the file in an effort to defeat rule-based detection," the cybersecurity advisory noted.
The ransomware payload itself uses native Windows tools to execute batch files and sometimes tries to remove all of the systems' shadow copies. After encrypting the data, it leaves behind a text file titled "how to restore your files" in each folder.
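The file-system traits described above (an executable named after its own SHA-256 hash, "safe.exe", and the ransom note title) can be swept for during triage. This Python sketch is an added example, not code from the advisory or the article; the function names, the `.exe` and `.TXT` extensions and the sample tree are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"[0-9a-f]{64}")
NOTE_STEM = "how to restore your files"  # ransom note title quoted in the article
EARLY_STAGE_EXE = "safe.exe"  # executable name quoted in the article

def sha256_of(path, chunk=1 << 20):
    """Hash in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def triage(root):
    """Return sorted (reason, path) findings for files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, stem = path.name.lower(), path.stem.lower()
        if name == EARLY_STAGE_EXE:
            findings.append(("named-safe-exe", str(path)))
        if stem == NOTE_STEM:
            findings.append(("ransom-note-title", str(path)))
        if HEX64.fullmatch(stem):  # hash only files whose name looks like a digest
            try:
                if sha256_of(path) == stem:
                    findings.append(("name-equals-sha256", str(path)))
            except OSError:
                findings.append(("unreadable-hash-named-file", str(path)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: harmless byte strings, not real malware."""
    root = Path(root)
    (root / "docs").mkdir()
    body = b"constructed sample payload"
    (root / (hashlib.sha256(body).hexdigest() + ".exe")).write_bytes(body)
    (root / ("ab" * 32 + ".exe")).write_bytes(b"hex name, other content")
    (root / "docs" / "HOW TO RESTORE YOUR FILES.TXT").write_text("constructed")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*triage(tmp), sep="\n")
```

Findings are leads for an analyst, not verdicts: content-addressed stores and sample archives also name files after their hashes, and any program can be called safe.exe.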
Snatch affiliates also communicate with victims through email, the Tox messaging platform, and the crew's dark-web leak site. Some victims have also reported receiving a spoofed call from a woman who said she was affiliated with Snatch and directed the compromised organizations to the extortion site.
The Feds also suggest ways to minimize risk based on Snatch's activity and, perhaps unsurprisingly, monitoring your organization's use of remote access tools tops the list. ®