How to protect your organization against the Snatch ransomware threat

Snatch was discovered and analyzed by security vendor Sophos. It attempts to evade traditional security software by forcing the victim's PC to reboot into Windows Safe Mode, where most endpoint protection does not load.

Windows Safe Mode is meant to help you troubleshoot problems by starting the PC with only a minimal set of drivers and services, without loading most third-party software. That process also keeps most anti-virus and endpoint-protection software from loading, and that is what a particularly dangerous strain of ransomware exploits.

Known as Snatch, the ransomware, as described by Sophos in a report published Monday, forces a Windows PC to restart in Safe Mode so that anti-virus or other security software is not running. Snatch, which registers itself as a service that runs in Safe Mode, then encrypts the files on the victim's disk and tries to force the victim to pay a ransom to regain access to them.

SEE: Ransomware: what IT professionals need to know (free PDF) (TechRepublic)

Sophos first ran into Snatch last year and believes the ransomware has been operating since the summer of 2018. In mid-October 2019, the vendor helped a targeted organization investigate and resolve a ransomware outbreak. Sophos continues to see Snatch in active use and believes the Safe Mode component is a newly added tactic.

What is Snatch?

The Snatch malware consists of a collection of tools. The ransomware component and a separate data stealer were probably written by the criminals who operate the malware, according to Sophos. Also in the mix are a Cobalt Strike reverse shell and various publicly available tools that are not harmful in themselves and are commonly used by system administrators and penetration testers.

The Snatch samples Sophos analyzed were written in Google's Go programming language and run only on Windows, covering every version from Windows 7 through Windows 10 in both 32-bit and 64-bit builds. The samples were packed with the open-source packer UPX to obscure their contents.

The criminals behind Snatch, who call themselves the Snatch Team, use an active, automated attack model: they try to get into corporate networks through automated brute-force attacks on vulnerable accounts and exposed services. Once inside, the Snatch Team members move laterally to extend their access across the organization's network. One component used in the Snatch attacks has also exfiltrated large amounts of data from targeted organizations.

In an incident at a large company, Sophos found that the attackers had brute-forced the password of an administrator account on a Microsoft Azure server and then logged in to the server over Remote Desktop Protocol (RDP). The attackers used the same account to log in to a domain controller on the same network, which let them survey the network for several weeks. In this incident the criminals managed to install surveillance software on around 200 machines, about 5% of the computers on the organization's network.

How it works

At some point during an attack, the ransomware component is downloaded to a targeted computer. It installs itself as a Windows service called SuperBackupMan, configured so that it will run in Safe Mode. The service is set up immediately before the PC is rebooted, leaving the organization little or no chance to stop it in time.

The attackers then use their administrative access to run the Windows BCDEDIT command-line tool to set the boot configuration to Safe Mode and force an immediate reboot. Once the PC comes back up in Safe Mode, the malware runs the Windows command vssadmin.exe to delete all Volume Shadow Copies on the system, preventing recovery of the files the ransomware is about to encrypt. Finally, the ransomware encrypts the documents on the disk.
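The sequence above (register a service that survives into Safe Mode, change the boot configuration with bcdedit, reboot, delete shadow copies with vssadmin) is visible in process-creation telemetry such as Sysmon Event ID 1 or Windows Security event 4688. The following is an added example, not code from Sophos or from the page, that runs a few command-line rules over a constructed log and flags hosts where the Safe Mode and shadow-copy steps occur together. The log format (`timestamp|host|user|parent|command_line`), the exact command lines, and the rule names are assumptions; the page describes the behaviour but not the literal commands. The shadow-copy rule is generalized to also catch the `wmic` and `wbadmin` ways of destroying backups, which the page does not mention.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry (not real data). Format assumed:
# timestamp|host|user|parent_image|command_line
SAMPLE_LOG = r"""
2019-10-14T02:11:03Z|SRV01|CORP\adm_backup|C:\Windows\System32\cmd.exe|sc create SuperBackupMan binPath= "C:\Users\Public\safe.exe" start= auto
2019-10-14T02:11:04Z|SRV01|CORP\adm_backup|C:\Windows\System32\cmd.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SuperBackupMan" /ve /t REG_SZ /d Service /f
2019-10-14T02:11:05Z|SRV01|CORP\adm_backup|C:\Windows\System32\cmd.exe|bcdedit /set {current} safeboot minimal
2019-10-14T02:11:06Z|SRV01|CORP\adm_backup|C:\Windows\System32\cmd.exe|shutdown /r /f /t 00
2019-10-14T02:14:30Z|SRV01|NT AUTHORITY\SYSTEM|C:\Users\Public\safe.exe|vssadmin.exe delete shadows /all /quiet
2019-10-14T09:00:00Z|WS42|CORP\jdoe|C:\Windows\explorer.exe|vssadmin list shadows
2019-10-14T09:05:00Z|WS42|CORP\jdoe|C:\Windows\System32\cmd.exe|bcdedit /enum
"""

# (rule name, severity, regex applied to the lower-cased command line).
# Patterns are assumptions based on the behaviour described in the report.
RULES = [
    ("safeboot_configured", "high",
     re.compile(r"bcdedit(\.exe)?\s+.*?/set\b.*\bsafeboot\b")),
    ("safeboot_service_registered", "high",
     re.compile(r"reg(\.exe)?\s+add\b.*\\safeboot\\(minimal|network)\\")),
    ("shadow_copies_deleted", "high",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|wbadmin(\.exe)?\s+delete\s+catalog")),
    ("forced_reboot", "low",
     re.compile(r"shutdown(\.exe)?\s+.*?/r\b")),
    ("service_created", "low",
     re.compile(r"sc(\.exe)?\s+create\s+\S+")),
]


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    rule: str
    severity: str
    command_line: str


def scan(log_text):
    """Return one Finding per (log line, matching rule), in log order."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, user, _parent, cmd = raw.split("|", 4)
        low = cmd.lower()
        for name, severity, pattern in RULES:
            if pattern.search(low):
                findings.append(Finding(ts, host, user, name, severity, cmd))
    return findings


def hosts_at_risk(findings):
    """Hosts where Safe Mode was configured AND either a Safe Mode service was
    registered or shadow copies were destroyed: the Snatch-style combination.
    Returns {host: sorted list of rule names seen on that host}."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {
        host: sorted(rules)
        for host, rules in by_host.items()
        if "safeboot_configured" in rules
        and rules & {"safeboot_service_registered", "shadow_copies_deleted"}
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.host} {f.severity:4} {f.rule}: {f.command_line}")
    print("hosts at risk:", hosts_at_risk(found))
```

A single `bcdedit /enum` or `vssadmin list shadows`, as on WS42 in the sample, is routine administration and produces no finding; the correlation in `hosts_at_risk` is what turns noisy individual rules into an actionable alert. On a real estate, the command-line rules would be fed from your EDR or SIEM rather than from an embedded string.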

Sophos said its endpoint protection products detect the ransomware payload, so customers running them were protected from infection. But Coveware, a company that handles extortion negotiations between ransomware victims and attackers, told Sophos it had negotiated with the Snatch criminals twelve times between July and October this year. Ransom demands, payable in Bitcoin, ranged from $2,000 to $35,000 and rose over those four months.

Protection tips

To protect your organization against this type of ransomware, Sophos offers the following advice:

  • Do not expose your Remote Desktop interface to the unprotected internet. Organizations that must allow remote access to machines should place them behind a VPN so that nobody can reach them without first authenticating to the VPN.
  • Secure your other remote-access tools. In a post on a criminal forum, the Snatch attackers sought to hire or partner with other criminals who already had access to networks through remote-access tools such as VNC and TeamViewer. They were also looking for people with experience in webshells or in compromising SQL servers through SQL injection. Any internet-facing remote-access tool or other vulnerable program is a risk if it is left unmonitored.
  • Use multi-factor authentication for administrators. Organizations should require multi-factor authentication for users with administrative privileges, so that brute-forcing those account credentials alone is not enough to get in.
  • Keep an inventory of your devices. Most of the initial access points and footholds Sophos found in connection with Snatch were on unprotected and unmonitored devices. Organizations should perform regular, thorough inventories of all devices to make sure nothing is left uncovered.
  • Hunt for threats in your network. The Snatch ransomware was deployed only after the attackers had enjoyed undetected, unrestrained access to the network for days. A mature threat-hunting program can identify this kind of activity before the ransomware has a chance to take hold.
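The intrusion described earlier (an administrator password brute-forced, then an RDP logon with that account) and the threat-hunting advice above both come down to spotting a burst of failed logons followed by a success from the same source. The following is an added example, not Sophos's code or anything from the page, that applies that logic to a constructed set of Windows Security logon events (4625 = failed logon, 4624 = successful logon, logon type 10 = RDP). The pipe-separated line format, the threshold of ten failures inside a ten-minute window, and the account and address values are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real data). Format assumed:
# timestamp|event_id|logon_type|account|source_ip|status
# 0xC000006A is the real NTSTATUS for "wrong password" in event 4625.
def make_sample():
    base = datetime(2019, 10, 1, 2, 0, 0)
    lines = []
    # 25 failures against "administrator" over RDP, then a success: the
    # brute-force-then-login pattern from the incident described above.
    for i in range(25):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts}Z|4625|10|administrator|203.0.113.7|0xC000006A")
    ts = (base + timedelta(seconds=260)).isoformat()
    lines.append(f"{ts}Z|4624|10|administrator|203.0.113.7|-")
    # 12 failures against "backup" with no success yet: still in progress.
    for i in range(12):
        ts = (base + timedelta(hours=2, seconds=5 * i)).isoformat()
        lines.append(f"{ts}Z|4625|10|backup|198.51.100.5|0xC000006A")
    # A user mistyping a password once is normal and must not alert.
    lines.append("2019-10-01T08:15:00Z|4625|10|jdoe|10.0.0.23|0xC000006A")
    lines.append("2019-10-01T08:15:20Z|4624|10|jdoe|10.0.0.23|-")
    # Network logon (type 3), not RDP: ignored by the success rule.
    lines.append("2019-10-01T03:00:00Z|4624|3|svc_backup|10.0.0.9|-")
    return "\n".join(lines)


@dataclass
class Alert:
    kind: str          # "brute_force_succeeded" or "brute_force_in_progress"
    account: str
    source_ip: str
    failures: int
    first_seen: datetime
    last_seen: datetime


def parse_events(log_text):
    events = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, eid, ltype, account, ip, status = raw.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(eid), int(ltype), account.lower(), ip, status))
    events.sort(key=lambda e: e[0])
    return events


def detect(log_text, threshold=10, window=timedelta(minutes=10)):
    """Alert when >= threshold failures for one (account, source) inside
    `window` are followed by an RDP success, or are still unanswered at the
    end of the log (attack in progress). Thresholds are illustrative."""
    failures = defaultdict(list)   # (account, ip) -> failure timestamps
    alerts = []
    for ts, eid, ltype, account, ip, _status in parse_events(log_text):
        key = (account, ip)
        if eid == 4625:
            failures[key].append(ts)
        elif eid == 4624 and ltype == 10:
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append(Alert("brute_force_succeeded", account, ip,
                                    len(recent), recent[0], ts))
            failures[key].clear()   # a success ends the burst either way
    for (account, ip), stamps in failures.items():
        if len(stamps) >= threshold:
            alerts.append(Alert("brute_force_in_progress", account, ip,
                                len(stamps), stamps[0], stamps[-1]))
    return alerts


if __name__ == "__main__":
    for a in detect(make_sample()):
        print(f"{a.kind}: {a.account} from {a.source_ip}, "
              f"{a.failures} failures {a.first_seen} .. {a.last_seen}")
```

The "succeeded" alert is the one that matters most: it is the moment the attacker has a valid credential and the point at which the weeks of quiet reconnaissance described in the incident begin. With RDP behind a VPN and MFA on administrative accounts, as the tips above recommend, the success branch should almost never fire at all, and when it does it deserves immediate attention.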
