It seems like crimeware developers never sleep as defenses rise. They're always on the lookout for new ways of honing their weapons of attack. One of the most recent techniques is a ransomware strain that forces a Windows device to reboot into Safe Mode right before encryption begins, with the aim of getting around endpoint protection.
This particular strain is known as Snatch owing to its authors, who refer to themselves as the Snatch Team. It was discovered by Sophos Labs researchers, who outlined their discovery together with insights into how such gangs break into enterprises and other entities on their hit list.
We’re going to explain what Snatch ransomware is, how it works, and how you can remove it from your devices.
What Is Snatch Ransomware
Snatch is a fresh ransomware variant whose executable forces Windows devices to reboot to Safe Mode even before the encryption process begins in a bid to bypass endpoint protection that often doesn’t run in this mode.
The new strain of the ransomware uses a unique infection method that applies sophisticated AES encryption so that users whose machines are infected can’t access their files.
Snatch ransomware was first noticeably active in April 2019, but it was released at the end of 2018. A spike in encrypted files and ransom notes led to its discovery and follow-up by the team of researchers at Sophos.
Earlier versions of the crypto-virus attacked high-profile targets, but this new strain, written in Google's Go programming language, comprises a collection of tools including a data stealer and a ransomware component. It also bundles a Cobalt Strike reverse shell and other tools commonly used by penetration testers and system administrators.
Note: The variant Sophos discovered runs only on 32-bit and 64-bit editions of Windows, from version 7 through 10.
How Snatch Ransomware Works
As a file-locking virus, Snatch ransomware has no connection with other strains. Still, its developers have released nine variants of the threat, which append different extensions after data is encrypted with the AES cipher.
The trick is to reboot the machine into Safe Mode; the ransomware then restricts access to your data by encrypting your files. After that, the hackers try to extort money from you by demanding a ransom in Bitcoin in exchange for unlocking your files and giving back data access.
There's a reason why their trick works. Some antivirus software doesn't start in Safe Mode, and the developers discovered they could simply modify a Windows registry key and boot your machine into Safe Mode. Thus the ransomware runs undetected by your security software.
When it is first installed on your device, it sets itself up as a Windows service named SuperBackupMan, right before your computer starts rebooting, so you can't stop it in time.
Once installed, the attackers use admin access to run BCDEDIT, a Windows command-line tool, to force your computer to reboot into Safe Mode immediately.
It then creates a randomly named executable in your %AppData% or %LocalAppData% folder, which is launched and starts scanning your computer's drive letters for files to encrypt.
Files Targeted by Snatch Ransomware
It encrypts specific file extensions, including .doc, .docx, .pdf, .xls, and many others, and changes their extension to Snatch so you can't open them again.
The ransomware leaves a text note named Readme_Restore_Files.txt, demanding anywhere between one and five Bitcoin in exchange for a decryption key, along with information on how to contact the hackers to get your data files back.
After the ransomware has scanned your computer completely, it runs vssadmin.exe, a Windows command-line tool, to delete all Volume Shadow Copies so you can't use them to restore the encrypted data files. The final step is to encrypt any data files on your hard drive.
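The sequence above (a service registered to run in Safe Mode, a forced Safe Mode boot via BCDEDIT, a dropped executable under AppData, and deleted shadow copies) leaves traces a defender can check for. The following PowerShell audit is an added example, not code from the article or from Sophos. It is read-only and changes nothing. The service name SuperBackupMan and the note filename Readme_Restore_Files.txt come from the article; the AppData path test reflects the article's note about where the executable is dropped. Everything else is standard Windows tooling (bcdedit, the SafeBoot\Minimal registry key, and the Win32_Service and Win32_ShadowCopy CIM classes). Run it from an elevated prompt.

```powershell
# Added example (not from the article or Sophos): read-only audit for the host
# changes the article attributes to Snatch. Run elevated; it only reports.

function Test-SafeBootConfigured {
    # bcdedit lists a "safeboot" element on a boot entry when the next boot is
    # forced into Safe Mode. On a normal workstation this should return $false.
    $bcd = & bcdedit.exe /enum 2>$null
    return [bool]($bcd | Where-Object { $_ -match '^\s*safeboot\s+' })
}

function Get-SuspiciousService {
    # Flags a service named SuperBackupMan (name from the article), or any
    # service whose binary lives under a user's AppData folder, which is
    # unusual for legitimate services.
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.Name -eq 'SuperBackupMan' -or
            $_.PathName -match '\\AppData\\(Roaming|Local)\\'
        } |
        Select-Object Name, State, StartMode, PathName
}

function Get-SafeBootServiceEntry {
    # Only services listed under SafeBoot\Minimal may start in Safe Mode, so a
    # service that wants to run there must be registered here. Returns every
    # entry that names a service flagged by Get-SuspiciousService.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal'
    $flagged = @(Get-SuspiciousService | ForEach-Object { $_.Name })
    Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
        Where-Object { $flagged -contains $_.PSChildName } |
        ForEach-Object { $_.PSChildName }
}

function Get-ShadowCopyCount {
    # Snatch deletes Volume Shadow Copies with vssadmin before encrypting.
    # A count of zero on a machine that normally keeps restore points deserves
    # a closer look.
    return @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

function Find-RansomNote {
    # Searches a profile tree for the note the article describes.
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -Recurse -Filter 'Readme_Restore_Files.txt' `
        -File -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
}

function Invoke-SnatchAudit {
    # Collects every check into one object suitable for logging or comparing
    # against a known-good baseline taken from a clean machine.
    [pscustomobject]@{
        SafeBootForced     = Test-SafeBootConfigured
        SuspiciousServices = @(Get-SuspiciousService)
        SafeBootEntries    = @(Get-SafeBootServiceEntry)
        ShadowCopyCount    = Get-ShadowCopyCount
        RansomNotes        = @(Find-RansomNote)
    }
}

$report = Invoke-SnatchAudit
$report | Format-List
if ($report.SafeBootForced -or $report.SuspiciousServices.Count -gt 0 -or
    $report.SafeBootEntries.Count -gt 0 -or $report.RansomNotes.Count -gt 0) {
    Write-Warning 'Indicators consistent with Snatch found: isolate the host and restore from backup.'
}
```

Because each check is a function, the script can be scheduled and its output compared over time; a `SafeBootForced` value of `$true` outside a planned maintenance window, or a service under AppData that is also listed under SafeBoot\Minimal, is the combination the article describes and warrants isolating the machine before it reboots.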
Currently, infected files aren’t decryptable owing to the sophisticated nature of the AES encryption used. However, you still have a lifeline if your computer is infected by restoring your files from the most recent backup.
Snatch ransomware has been targeting regular users via spam emails, but today the main targets are corporations. By paying such criminals, you not only lose money with no guarantee that they'll send you the decryption key, but you also encourage them to continue their cybercrime.
If you don’t have an updated backup, there’s not much else you can do other than wait until security experts come up with a Snatch ransomware decrypter. That could take a long time, but there are other ways you can protect yourself from such attacks.
How to Remove Snatch Ransomware From Your Computer
One of the best ways to remove Snatch ransomware and other malware is to install good antivirus security software such as Malwarebytes or SpyHunter that can scan, detect, and eliminate the threat. Not all antivirus engines can catch it because it’s an entirely new malware, so it’s good to scan using several programs.
You can protect yourself and your devices against ransomware attacks by taking simple steps such as downloading software only from trusted sources and avoiding email attachments from untrusted senders.
Other ways you can protect yourself and your organization from Snatch and other types of ransomware include:
Maintain an updated operating system and keep backing up your data.
Perform regular password audits.
Deploy multilayered, comprehensive security software to protect all entry points against a ransomware attack.
Secure remote access tools and other vulnerable programs, because Snatch attackers hire other criminals with experience using Web shells or able to break into SQL servers via injection attacks.
Protect your Remote Desktop interfaces by putting them behind a VPN on your network so people can't access them without VPN credentials.
Run regular and thorough checks on all devices in your home or organization to ensure they're protected and monitored, as Snatch leverages such access points and footholds to gain entry.
Set up and use multi-factor authentication for any admins in your organization so attackers can’t brute force your credentials.
Perform a full threat-hunt on your network to identify any such activity before infection.
Protect Your System
Snatch ransomware may sound almost life-threatening in how it paralyzes your files and devices. Before you think of paying that ransom, try the steps above to remove the threat, and always take preventive measures to ensure this and similar threats don't show up on your computer or network.
Next up: If you suspect your phone is infected with ransomware, check our next article to find out how to detect that and remove it.