A research team from SophosLabs and Sophos Managed Threat Response (SMTR) has come across a new ransomware dubbed Snatch that reboots Windows PCs into Safe Mode before initiating encryption. According to the researchers, this is never-before-seen behavior, and the likely reason Snatch reboots PCs mid-attack is to evade the antivirus software installed on the infected computers.
The authors behind Snatch know very well that most antivirus apps are ineffective in Windows Safe Mode as the mode only allows essential system programs and services to run during boot.
Snatch ransomware uses a Windows registry key to schedule the encryption process, which, according to the researchers, makes it impossible for antivirus software to catch it or stop the encryption.
But the most dangerous aspect of the attack is this: Snatch sets itself up as a service that will run even during a Safe Mode reboot, then reboots the box into Safe Mode. This effectively neuters the active protection of many endpoint security tools. Devious! And evil. pic.twitter.com/lqCxhxwg4y
— Brandt-X the X is silent (@threatresearch) December 9, 2019
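The Safe Mode persistence described in the tweet can be audited from the defender's side. The following PowerShell is an added example, not code from the Sophos report or from this article; it assumes a Windows host and an elevated prompt, and it relies on the standard SafeBoot\Minimal and SafeBoot\Network registry keys that Windows consults when deciding which services may start in Safe Mode, plus the boot entry's safeboot flag that a forced Safe Mode reboot would set.

```powershell
# Added example, not part of the Sophos report: list every service that Windows
# will start in Safe Mode and flag the ones whose binary lives outside the
# Windows directory. A ransomware that wants to encrypt after a Safe Mode reboot
# has to register its service under one of these SafeBoot profiles.
$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'

$findings = foreach ($profile in 'Minimal', 'Network') {
    $profilePath = Join-Path $safeBootRoot $profile
    foreach ($entry in Get-ChildItem -Path $profilePath -ErrorAction SilentlyContinue) {
        $name = $entry.PSChildName
        # Subkeys are either driver groups / device-class GUIDs or service names;
        # the default value is 'Service' for the latter.
        $kind = (Get-ItemProperty -Path $entry.PSPath).'(default)'
        if ($kind -ne 'Service') { continue }
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $svcKey)) { continue }   # dangling SafeBoot entry
        $svc = Get-ItemProperty -Path $svcKey
        $image = [string]$svc.ImagePath
        $expanded = [Environment]::ExpandEnvironmentVariables($image).Trim('"')
        # Built-in services use %SystemRoot%\..., \SystemRoot\..., or system32\... forms.
        $inWindows = ($expanded -like "$env:SystemRoot\*") -or
                     ($expanded -like '\SystemRoot\*') -or
                     ($expanded -like 'system32\*')
        [pscustomobject]@{
            Profile        = $profile
            Service        = $name
            StartType      = $svc.Start
            ImagePath      = $image
            OutsideWindows = -not $inWindows
        }
    }
}

$findings | Sort-Object OutsideWindows -Descending | Format-Table -AutoSize

$suspect = @($findings | Where-Object OutsideWindows)
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) Safe Mode service(s) run from outside $env:SystemRoot; review them."
}

# A pending forced Safe Mode reboot shows up as a 'safeboot' value on the current boot entry.
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s') {
    Write-Warning 'The current boot entry is configured to start in Safe Mode.'
}
```

Run it from a scheduled task or your EDR's script-execution feature and alert on any new entry, since the legitimate list on a given build rarely changes.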
Snatch ransomware was first spotted by security researchers a year ago; the technique of rebooting PCs into Safe Mode to avoid antivirus software is a recently added feature.
The ransomware in question comprises a ransomware component, a data stealer, a Cobalt Strike reverse shell and many tools that are not inherently harmful: publicly available utilities used by administrators and penetration testers.
Andrew Brandt from Sophos research team says, “SophosLabs feels that the severity of the risk posed by ransomware which runs in Safe Mode cannot be overstated, and that we needed to publish this information as a warning to the rest of the security industry, as well as to end users.”
The reason Snatch ransomware never gained widespread notoriety is that its authors, the Snatch Team, never intended to target home users or the general public. They carefully targeted private companies and government organizations. This technique is called "big-game hunting" in the cybersecurity realm; groups who adopt it aim to extract a large ransom from big corporations or government organizations rather than collecting small ransom amounts from many victims.
In its report, Sophos mentions that organizations must use strong passwords and multi-factor authentication for the services and ports that are exposed to the internet.