The Snatch ransomware reboots the computer it infects into Safe Mode and then starts encrypting the victim's files. In Safe Mode, most security tools are not loaded, so they cannot interfere with the encryption.
“Sophos Labs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated and that we needed to publish this information as a warning to the rest of the security industry, as well as to end-users,” said the researchers.
Have you ever imagined a malware creeping inside your system and encrypting your files by rebooting your system in Safe Mode?
Snatch ransomware
The threat actor behind the ransomware appears to have been active since 2018. Snatch runs on the common versions of Windows, from 7 through 10, in both 32- and 64-bit builds.
Sophos researchers observed a suspected member of the Snatch ransomware team “looking for affiliate partners with access to RDP / VNC / TeamViewer / WebShell / SQL inj [SQL injection] in corporate networks, stress and other companies.”
The Snatch team would either work with another attacker to breach the target company or buy access to a network that had already been compromised.
How does the Snatch ransomware work?
“All the organisations where these same files were found also were later discovered to have one or more computers with RDP exposed to the internet,” Sophos says.
- Once inside, the Snatch team takes its time and stays in the compromised network rather than deploying the ransomware immediately.
- They work their way to the internal domain controllers (DCs) using the same compromised admin account, maintain that access, and collect and exfiltrate data. They also monitor the victim's network for several weeks and spread to as many computers on the internal network as possible.
- To do this, the Snatch team uses legitimate sysadmin tools and penetration-testing toolkits such as Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool and PsExec. Because administrators commonly use these same tools, antivirus products typically do not raise an alarm on them.
- The Snatch ransomware component installs itself as a Windows service named SuperBackupMan, configured so that it cannot be stopped or paused and so that it runs in Safe Mode, where it encrypts the files on the system. The malware then forces a reboot into Safe Mode.
- “When the computer comes back after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware,” reads the analysis.
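The sequence above (a new service installed, the same service later stopped with net.exe, and vssadmin.exe deleting the shadow copies on the same host) is specific enough to turn into a correlation rule. The following is an added example for detection engineers, not code from Sophos or from the Snatch analysis: it runs over constructed sample telemetry whose flattened field names ("type", "service", "cmdline", and the event types "service_install" for a System log event 7045 and "process" for a Sysmon event 1 / Security 4688 record) are this example's own assumption, not a real SIEM schema. It emits a critical alert when the whole chain is seen within a time window and a high alert for a shadow-copy deletion seen on its own.

```python
import re
from datetime import datetime, timedelta

# vssadmin.exe deleting shadow copies. Legitimate use is rare, so it is worth
# an alert on its own even without the rest of the chain.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
# net.exe (or net1.exe, which net.exe hands the work to) stopping a named service.
NET_STOP = re.compile(r"\bnet(?:1|\.exe)?\s+stop\s+\"?([^\s\"]+)", re.IGNORECASE)

# Constructed sample telemetry (not real logs). Field names are this example's own
# flattened schema: "service_install" stands in for a Windows System log event 7045,
# "process" for a Sysmon event 1 / Security 4688 process-creation record.
SAMPLE_EVENTS = [
    {"ts": "2019-11-19T18:00:00", "host": "WS07", "type": "service_install",
     "service": "BackupAgent", "image": r"C:\Program Files\Vendor\agent.exe"},
    {"ts": "2019-11-20T02:10:05", "host": "FS01", "type": "service_install",
     "service": "SuperBackupMan", "image": r"C:\Users\Public\svc.exe"},
    {"ts": "2019-11-20T02:14:30", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop SuperBackupMan"},
    {"ts": "2019-11-20T02:14:32", "host": "FS01", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2019-11-20T09:00:00", "host": "WS07", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"ts": "2019-11-21T11:30:00", "host": "WS12", "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["ts"])


def _stops_service(cmdline, service):
    """True when the command line is a net/net1 stop of exactly this service."""
    m = NET_STOP.search(cmdline)
    return bool(m) and m.group(1).lower() == service.lower()


def detect(events, window=timedelta(hours=2)):
    """Return a list of alert dicts, one per host and rule.

    'snatch_service_safemode_chain' (critical): a service is installed and, within
    `window` of the install, the same service is stopped with net.exe and vssadmin
    deletes the shadow copies on that host, the sequence the article describes.
    'shadow_copy_deletion' (high): vssadmin delete shadows seen without the chain.
    """
    by_host = {}
    for ev in sorted(events, key=_ts):
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        procs = [e for e in evs if e["type"] == "process"]
        explained = set()  # shadow deletions already attributed to a chain alert
        for inst in (e for e in evs if e["type"] == "service_install"):
            t0 = _ts(inst)
            later = [e for e in procs if t0 <= _ts(e) <= t0 + window]
            stops = [e for e in later if _stops_service(e["cmdline"], inst["service"])]
            wipes = [e for e in later if SHADOW_DELETE.search(e["cmdline"])]
            if stops and wipes:
                alerts.append({"host": host, "severity": "critical",
                               "rule": "snatch_service_safemode_chain",
                               "service": inst["service"],
                               "evidence": [inst, stops[0], wipes[0]]})
                explained.update(id(e) for e in wipes)
        for e in procs:
            if SHADOW_DELETE.search(e["cmdline"]) and id(e) not in explained:
                alerts.append({"host": host, "severity": "high",
                               "rule": "shadow_copy_deletion", "evidence": [e]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["host"], a["rule"],
              [e.get("cmdline") or e["service"] for e in a["evidence"]])
```

Two caveats when deploying something like this. First, the net.exe and vssadmin.exe steps run after the reboot into Safe Mode, where the Sysmon or EDR agent that would record them may not be running, so the service-install event written before the reboot is the most reliable signal and should be forwarded off the host promptly rather than read from a local log that the attacker can wipe. Second, a service only starts in Safe Mode if it is registered under the SafeBoot\Minimal (or SafeBoot\Network) key under HKLM\SYSTEM\CurrentControlSet\Control, a Windows mechanism not discussed in the article, so listing unexpected entries under those keys is a quick check to run on a live host you suspect was staged this way.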
Coveware, a company that specialises in negotiating between ransomware victims and attackers, negotiated with the Snatch criminals on 12 occasions between July and October on behalf of its clients. The ransom payments ranged from $2,000 to $35,000 (paid in Bitcoin).
What precautions help prevent a Snatch attack?
Sophos recommends that companies:
- Never expose the RDP service directly to the Internet; if remote access is required, put it behind a VPN.
- Use multi-factor authentication (MFA) on administrator accounts, so that a brute-forced or stolen password alone is not enough to log in.
- Scan for vulnerabilities regularly and patch them as soon as possible.