FDVA Cyber Attack: Snatch Ransomware Group Threatens Florida Department of Veterans Affairs

Snatch ransomware group targeted a government agency for veterans. The hackers posted about a cyber attack on the Florida Department of Veterans Affairs (FDVA) on the Dark Web. The department has not commented on the FDVA cyber attack at the time of writing this report.

However, the message was posted early this month on September 5 and updated on the 19^th indicating that they had a conversation with the FDVA officials regarding a ransom. And it was due to failed or ongoing negotiations that Snatch posted about the FDVA cyber attack.

The Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory yesterday alerting about Snatch ransomware.

The alert was published in collaboration with the FBI highlighting the growing threat by Snatch. It was a part of the ongoing Stop Ransomware campaign naming the most active groups and employed malware.

FDVA Cyber Attack

Threat Analyst Brett Callow tweeted about the alleged FDVA ransomware attack with the above screenshot. The screenshot of the Snatch ransomware group’s website on the dark web was about them claiming the FDVA cyber attack.

The hackers also published a proof pack of sample data allegedly exfiltrated from the Florida Department of Veterans’ Affairs ransomware attack.

The Florida Department of Veterans Affairs was founded in 1989 to have veterans receive all the government-approved benefits and services they are entitled to under various circumstances. It served military veterans from World War 2 as well.

Details About Snatch Ransomware Group

The joint advisory detailed the new variant of Snatch ransomware identified in June 2023. Snatch poses a significant risk to the United States’ critical infrastructure. This threat extends to the nation’s Defense Industrial Base, food and agriculture, and information and technology sectors.

“After data exfiltration often involving direct communications with victims demanding ransom, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s extortion blog if the ransom goes unpaid,” read the joint advisory posted by CISA.

Snatch was earlier known as Team Truniger, named after a key member of the group. They targeted their first US victim in 2019. The group manages to gain login details of a legitimate user of a firm to access an account without being found suspicious.

They connect over port 443 which was found to be a command-and-control server on a Russian bulletproof hosting service. They established remote desktop protocol (RDP) connections from a Russian bulletproof hosting service.

Ransomware Attacks on the US Government

Brett Callow noted that over 60 US government entities have been targeted by ransomware groups this year. Of which, hackers exfiltrated data from nearly 35 organizations. “In 2022, 106 state or municipal governments or agencies were affected by ransomware,” according to research published in an Emsisoft blog.

Moreover, the number of ransomware attacks on private sector firms was not publicly claimed by cybercriminals. This could be indicative of the ransom being paid thereby buying the silence of hackers behind the data theft.

This is also the reason why researchers could not number the ransomware attacks on private entities. Most of these cybersecurity incidents are not reported to law enforcement, the blog added. While, ransomware attacks on government, education, and health sectors are more widely announced causing concern, and exerting pressure on them for ransom payment.