Sophos experts warned that the operators of the Snatch ransomware reboot victim computers into Safe Mode to bypass security mechanisms before starting file encryption. Most anti-virus solutions do not run in Windows Safe Mode, so nothing prevents the malware from acting.
Researchers write that the ransomware uses a Windows registry key to schedule its own launch in Safe Mode. Experts are concerned that other hacker groups could soon adopt the same trick from Snatch for their own ransomware.
But the most dangerous aspect of the attack is this: Snatch sets itself up as a service that will run even during a Safe Mode reboot, then reboots the box into Safe Mode. This effectively neuters the active protection of many endpoint security tools. Devious! And evil. pic.twitter.com/lqCxhxwg4y
– Andrew Brandt (@threatresearch) December 9, 2019
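A defender-side check for the persistence trick described above, added here as an example and not taken from Sophos, the article, or the Snatch analysis itself: on Windows, a service only starts in Safe Mode if it is listed under the SafeBoot\Minimal or SafeBoot\Network registry keys, and a forced Safe Mode boot appears as a "safeboot" element on the current BCD entry. The script below enumerates those keys, compares the entries with an optional allowlist exported from a clean machine, flags services whose binary lives outside the Windows directory, and reports whether the boot configuration currently forces Safe Mode. The allowlist path and the "outside the Windows directory" heuristic are assumptions to adapt to your environment.

```powershell
# Added example (not from Sophos or the article): audit the Safe Mode launch list.
# Services can only start in Safe Mode if they are registered under the SafeBoot keys,
# so an unexpected entry there is a persistence indicator worth investigating.
# Run in an elevated PowerShell session. Allowlist file and path heuristic are assumptions.

$SafeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)

# Optional baseline exported from a known-clean build of the same Windows version
# (one entry name per line). The path is an assumption; adjust it to your environment.
$BaselineFile = 'C:\Baseline\safeboot-allowlist.txt'
$Baseline = @()
if (Test-Path $BaselineFile) {
    $Baseline = Get-Content $BaselineFile |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ }
}

function Get-ServiceImagePath {
    # Resolve the binary a SafeBoot entry points at via the matching Services key.
    param([string]$ServiceName)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $svcKey)) { return $null }
    return (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
}

function Test-OutsideWindowsDir {
    # Heuristic (assumption): a Safe Mode service whose image is not rooted in the
    # Windows directory deserves a closer look. Handles the common ImagePath forms:
    # \SystemRoot\..., System32\..., %SystemRoot%\..., \??\C:\Windows\..., and quoted paths.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).ToLowerInvariant()
    $winDir = $env:SystemRoot.ToLowerInvariant()
    if ($p.StartsWith('\systemroot\') -or $p.StartsWith('system32\') -or
        $p.StartsWith('\??\' + $winDir) -or $p.StartsWith('"' + $winDir) -or
        $p.StartsWith($winDir)) {
        return $false
    }
    return $true
}

$Findings = @()
foreach ($root in $SafeBootRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($entry in Get-ChildItem -Path $root) {
        $name = $entry.PSChildName
        # The default value is 'Service' or 'Driver' for real services and drivers;
        # other entries are device-class GUIDs and are skipped here.
        $kind = (Get-ItemProperty -Path $entry.PSPath).'(default)'
        if ($kind -notin @('Service', 'Driver')) { continue }
        $image = Get-ServiceImagePath -ServiceName $name
        $reasons = @()
        if ($Baseline.Count -gt 0 -and ($name.ToLowerInvariant() -notin $Baseline)) {
            $reasons += 'not in baseline'
        }
        if ($null -eq $image) { $reasons += 'no matching Services key or ImagePath' }
        if (Test-OutsideWindowsDir -ImagePath $image) { $reasons += 'image outside Windows directory' }
        if ($reasons.Count -gt 0) {
            $Findings += [pscustomobject]@{
                Key       = $root.Split('\')[-1]
                Entry     = $name
                Kind      = $kind
                ImagePath = $image
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

# A forced Safe Mode boot shows up as a 'safeboot' element on the current BCD entry.
$bcd = & bcdedit /enum '{current}' 2>$null
$forcedSafeBoot = $bcd | Where-Object { $_ -match '^\s*safeboot\s' }

$Findings | Format-Table -AutoSize
if ($forcedSafeBoot) {
    Write-Warning "Boot configuration currently forces Safe Mode: $($forcedSafeBoot.Trim())"
} else {
    Write-Host 'Boot configuration does not force Safe Mode.'
}
```

Without an allowlist the script still reports entries whose binary sits outside the Windows directory or that have no matching Services key; with one, any SafeBoot entry that a clean build of the same Windows version does not have is reported as well. Running it on a schedule, or feeding the same two registry paths into an EDR rule that alerts on new subkeys, catches the registration step before the reboot into Safe Mode happens.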
Snatch has been active since at least the summer of 2018, although few have heard of it, because the ransomware does not attack ordinary users: neither mass spam nor exploit kits are used to distribute it. Instead, Snatch operators carefully select their targets, which are most often large companies, community or government organizations.
Thus, the attackers do not rely on many small ransoms from ordinary people but immediately demand huge sums from companies and organizations. Other ransomware, such as Ryuk, SamSam, Matrix, BitPaymer and LockerGoga, works in a similar pattern. The only publicly known Snatch attack to date is the infection of the ASP.NET hosting provider SmarterASP.NET, which serves more than 440,000 customers.
According to the experts, Snatch operators often buy access to corporate networks from other criminals. Earlier, researchers had discovered advertisements placed by the cybercriminals on hacker forums, in which the ransomware authors looked for partners who could provide access to corporate networks, stores and so on via RDP, VNC, TeamViewer, web shells and SQL injection.
Having penetrated a victim's network, Snatch operators do not attack immediately. First, for several days or weeks, the attackers observe and study the target and gain access to the domain controller, from which the malware can be distributed to as many computers as possible. For this they use such well-known pentesting tools as Cobalt Strike, Advanced Port Scanner, Process Hacker, IObit Uninstaller, PowerTool and PsExec. As a rule, these legitimate tools do not raise suspicion in defensive mechanisms and antiviruses.
Also, according to Sophos, Snatch operators not only encrypt data but also steal various information from their victims, so companies risk losing their data even if they pay the ransom.