Discovered and analyzed by security provider Sophos, Snatch attempts to bypass traditional security software by rebooting your PC into Safe Mode.

Windows Safe Mode tries to help you troubleshoot various maladies by rebooting your PC in a vanilla way without loading certain software, drivers, or services. That process also prevents anti-virus software from loading. And that leads to a tactic being employed by a particularly dangerous strain of ransomware.

As described by Sophos in a news post on Monday, the ransomware, known as Snatch, forces a Windows PC to reboot into Safe Mode, thereby preventing any anti-virus or security software from running. Snatch, which itself runs as a service during Safe Mode, encrypts the victim’s hard drive and tries to force the user to pay a ransom to regain access to the drive.

Sophos actually ran into Snatch last year and said it believes the ransomware has been active since the summer of 2018. In mid-October 2019, the security vendor had to help a targeted organization investigate and resolve a ransomware outbreak. Seeing Snatch at work, Sophos believes that the Safe Mode component is a newly added tactic.

What is Snatch?

The Snatch malware comprises a collection of tools. The ransomware component and a separate data stealer were likely built by the criminals who operate the malware, according to Sophos. Also in the mix are a Cobalt Strike reverse shell and several publicly available tools that aren’t malicious by themselves but are commonly used by system administrators and penetration testers.

Written in Google’s Go programming language, the Snatch variant seen by Sophos runs only on Windows, covering all versions from 7 through 10 in both 32-bit and 64-bit editions. The Snatch samples analyzed were packed with the open-source packer UPX to obscure their contents.

The criminals behind Snatch, who call themselves the Snatch Team, use an active automated attack model in which they try to get into enterprise networks through automated brute-force attacks against vulnerable accounts and services. Once inside, the Snatch Team members attempt to spread their attack laterally within the organization’s network. Malware used in the Snatch attacks has also stolen large amounts of data from the targeted organizations.

In one incident against a large company, Sophos found that the attackers brute-forced the password to an administrator’s account on a Microsoft Azure server and were then able to log in to the server using Remote Desktop Protocol (RDP). The attackers used that same account to log into a domain controller on the same network, which allowed them to run surveillance on the network over several weeks. In this incident, the criminals managed to install surveillance software on around 200 machines, about 5% of the computers on this organization’s network.

How it works

At some point during an attack, the ransomware component is downloaded to a targeted computer. The ransomware installs itself as a Windows service called SuperBackupMan, which is set up immediately before the PC starts to reboot, giving an organization little or no chance to stop the service in time.

The attackers then use administrator access to run the Windows command-line tool BCDEDIT to force an immediate reboot of the computer in Safe Mode. After the PC reboots, the malware uses a Windows command called vssadmin.exe to delete all the Volume Shadow Copies on the system, thereby preventing a recovery of the files encrypted by the ransomware. Finally, the ransomware encrypts documents on the hard drive.
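As an added illustration (not code from Sophos or from this article), the following Python snippet shows how a defender could flag the sequence just described in process-creation telemetry: creation of a service named SuperBackupMan, BCDEDIT being used to set Safe Mode, and vssadmin deleting shadow copies, then correlate those hits per host. The log format, host names, user names and the service binary path are constructed for the example.

```python
import re

# Constructed sample process-creation log lines (not real telemetry).
# Format assumed for this example: host=… user=… image=… cmdline=…
SAMPLE_LOG = r"""
host=FS01 user=CORP\admin image=C:\Windows\System32\sc.exe cmdline=sc create SuperBackupMan binPath= C:\PLACEHOLDER\svc.exe start= auto
host=FS01 user=CORP\admin image=C:\Windows\System32\bcdedit.exe cmdline=bcdedit /set {current} safeboot minimal
host=FS01 user=SYSTEM image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin delete shadows /all /quiet
host=WS22 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin list shadows
""".strip()

EVENT_RE = re.compile(
    r"host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline=(?P<cmdline>.*)$"
)

# Each rule matches one step of the chain described in the article.
RULES = [
    ("snatch_service_name", re.compile(r"\bSuperBackupMan\b", re.I)),
    ("bcdedit_safeboot", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
]

# The two steps that together indicate the Safe Mode + shadow-copy-wipe pattern.
CHAIN = {"bcdedit_safeboot", "vssadmin_delete_shadows"}


def parse_event(line):
    """Return the event fields as a dict, or None for lines in another format."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Return (host, rule_name) pairs for every command line a rule matches."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name))
    return hits


def correlate(hits):
    """Map each host that shows the full chain to the set of rules it triggered."""
    by_host = {}
    for host, name in hits:
        by_host.setdefault(host, set()).add(name)
    return {h: names for h, names in by_host.items() if CHAIN <= names}
```

Benign use of vssadmin (listing shadows on WS22) is parsed but triggers nothing, so only the host showing both the Safe Mode change and the shadow-copy deletion is reported.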

Sophos said that its endpoint security protection was able to detect the ransomware payload for its customers, thus preventing it from infecting machines outfitted with the product. But another company, Coveware, which handles extortion negotiations between ransomware victims and attackers, told Sophos that it had negotiated with Snatch criminals 12 times this year between July and October. The ransom demands in Bitcoin ranged from $2,000 to $35,000 and rose over those four months.

Protection tips

To protect your organization against this type of ransomware, Sophos offers several pieces of advice:

  • Don’t expose your Remote Desktop interface to unprotected internet access. Sophos recommends that organizations keep the Remote Desktop interface off the open internet. Organizations that need to permit remote access to machines should put them behind a VPN on their network, so they can’t be reached by anyone without VPN credentials.
  • Secure your other remote access tools. In a post on a criminal message board, the Snatch attackers wanted to hire or contract with other criminals able to break into networks using such remote access tools as VNC and TeamViewer. They also were looking for people with experience using Web shells or hacking into SQL servers using SQL injection attacks. Any internet-facing remote access tools and other vulnerable programs pose risks if they’re left unattended.
  • Use multi-factor authentication for administrators. Organizations should set up multi-factor authentication for users with administrative privileges to make it harder for attackers to brute-force those account credentials.
  • Inventory your devices. Most of the initial access points and footholds that Sophos found in connection with Snatch were on unprotected and unmonitored devices. Organizations need to run regular, thorough inventory checks of all devices to make sure no gaps exist.
  • Search your network for threats. The Snatch ransomware went into action after the attackers had several days of undetected, uninhibited access to the network. A full threat-hunting program could potentially identify this type of activity before the ransomware has the ability to take hold.