Cybersecurity researchers have spotted a new variant of the Snatch ransomware that first reboots infected Windows computers into Safe Mode and only then encrypts victims’ files to avoid antivirus detection.
Unlike traditional malware, the new Snatch ransomware chooses to run in Safe Mode because in the diagnostic mode Windows operating system starts with a minimal set of drivers and services without loading most of the third-party startup programs, including antivirus software.
Snatch has been active since at least the summer of 2018, but SophosLabs researchers spotted the Safe Mode enhancement to this ransomware strain only in recent cyber attacks against various entities they investigated.
“SophosLabs researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process,” the researchers say.
“The ransomware, which calls itself Snatch, sets itself up as a service [called SuperBackupMan with the help of Windows registry] that will run during a Safe Mode boot.”
“When the computer comes back up after the reboot, this time in Safe Mode, the malware uses the Windows component net.exe to halt the SuperBackupMan service, and then uses the Windows component vssadmin.exe to delete all the Volume Shadow Copies on the system, which prevents forensic recovery of the files encrypted by the ransomware.”
What makes Snatch different and dangerous from others is that in addition to ransomware, it’s also a data stealer. Snatch includes a sophisticated data-stealing module, allowing attackers to steal vast amounts of information from the target organisations.
images from Hacker News